fd735f45bb33b4ff724a71528c1833ba3fbc1327081349db0e4a0378213073df

General

Target

fd37932be7cadd7b8295e8540a543802_JaffaCakes118.exe
Size

786KB
MD5

fd37932be7cadd7b8295e8540a543802
SHA1

10962017f617ca840f96a386663d99b1e86d996f
SHA256

fd735f45bb33b4ff724a71528c1833ba3fbc1327081349db0e4a0378213073df
SHA512

c1634ae47dc8151ca5ba47f3075daadedc783ca358fadba9b02d9697f155734681a80b73aca871ff4455b48d8f6872431ced8bb56e67ff10b9ae6ea5df0efb3f
SSDEEP

24576:u+YENwEP5EcmsU8PU6IqHHyMWVdV1FBXPKfa:vNwER08P3IISMW7DXPK

Score

8^/10

evasion themida upx

Malware Config

Signatures

Looks for VMWare drivers on disk 2 TTPs 1 IoCs

evasion

File and Directory Discovery

T1083

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
File opened (read-only)	C:\Windows\SysWOW64\drivers\vmmouse.sys	fd37932be7cadd7b8295e8540a543802_JaffaCakes118.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000c00000001224c-8.dat	acprotect

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Wine	fd37932be7cadd7b8295e8540a543802_JaffaCakes118.exe

Loads dropped DLL 8 IoCs

pid	Process
2904	fd37932be7cadd7b8295e8540a543802_JaffaCakes118.exe
2904	fd37932be7cadd7b8295e8540a543802_JaffaCakes118.exe
2904	fd37932be7cadd7b8295e8540a543802_JaffaCakes118.exe
2904	fd37932be7cadd7b8295e8540a543802_JaffaCakes118.exe
2904	fd37932be7cadd7b8295e8540a543802_JaffaCakes118.exe
2904	fd37932be7cadd7b8295e8540a543802_JaffaCakes118.exe
2904	fd37932be7cadd7b8295e8540a543802_JaffaCakes118.exe
2904	fd37932be7cadd7b8295e8540a543802_JaffaCakes118.exe

Themida packer 4 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/2904-0-0x0000000000400000-0x0000000000592000-memory.dmp	themida
behavioral1/memory/2904-2-0x0000000000400000-0x0000000000592000-memory.dmp	themida
behavioral1/memory/2712-53-0x0000000000400000-0x0000000000592000-memory.dmp	themida
behavioral1/memory/2904-50-0x0000000000400000-0x0000000000592000-memory.dmp	themida

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000c00000001224c-8.dat	upx
behavioral1/memory/2624-35-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral1/memory/2904-52-0x0000000004170000-0x0000000004302000-memory.dmp	upx
behavioral1/memory/2624-43-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral1/memory/2624-30-0x0000000000400000-0x0000000000450000-memory.dmp	upx

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	fd37932be7cadd7b8295e8540a543802_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	fd37932be7cadd7b8295e8540a543802_JaffaCakes118.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2904	fd37932be7cadd7b8295e8540a543802_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2904 set thread context of 2624	2904	fd37932be7cadd7b8295e8540a543802_JaffaCakes118.exe	30

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2904	fd37932be7cadd7b8295e8540a543802_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2904 wrote to memory of 2604	2904	fd37932be7cadd7b8295e8540a543802_JaffaCakes118.exe	28
PID 2904 wrote to memory of 2604	2904	fd37932be7cadd7b8295e8540a543802_JaffaCakes118.exe	28
PID 2904 wrote to memory of 2604	2904	fd37932be7cadd7b8295e8540a543802_JaffaCakes118.exe	28
PID 2904 wrote to memory of 2604	2904	fd37932be7cadd7b8295e8540a543802_JaffaCakes118.exe	28
PID 2904 wrote to memory of 2712	2904	fd37932be7cadd7b8295e8540a543802_JaffaCakes118.exe	29
PID 2904 wrote to memory of 2712	2904	fd37932be7cadd7b8295e8540a543802_JaffaCakes118.exe	29
PID 2904 wrote to memory of 2712	2904	fd37932be7cadd7b8295e8540a543802_JaffaCakes118.exe	29
PID 2904 wrote to memory of 2712	2904	fd37932be7cadd7b8295e8540a543802_JaffaCakes118.exe	29
PID 2904 wrote to memory of 2624	2904	fd37932be7cadd7b8295e8540a543802_JaffaCakes118.exe	30
PID 2904 wrote to memory of 2624	2904	fd37932be7cadd7b8295e8540a543802_JaffaCakes118.exe	30
PID 2904 wrote to memory of 2624	2904	fd37932be7cadd7b8295e8540a543802_JaffaCakes118.exe	30
PID 2904 wrote to memory of 2624	2904	fd37932be7cadd7b8295e8540a543802_JaffaCakes118.exe	30
PID 2904 wrote to memory of 2624	2904	fd37932be7cadd7b8295e8540a543802_JaffaCakes118.exe	30
PID 2904 wrote to memory of 2624	2904	fd37932be7cadd7b8295e8540a543802_JaffaCakes118.exe	30
PID 2904 wrote to memory of 2624	2904	fd37932be7cadd7b8295e8540a543802_JaffaCakes118.exe	30
PID 2904 wrote to memory of 2624	2904	fd37932be7cadd7b8295e8540a543802_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\fd37932be7cadd7b8295e8540a543802_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fd37932be7cadd7b8295e8540a543802_JaffaCakes118.exe"
1⤵
- Looks for VMWare drivers on disk
- Identifies Wine through registry keys
- Loads dropped DLL
- Maps connected drives based on registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2904
- C:\Users\Admin\AppData\Local\Temp\fd37932be7cadd7b8295e8540a543802_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\fd37932be7cadd7b8295e8540a543802_JaffaCakes118.exe"
  2⤵
  PID:2604
- C:\Users\Admin\AppData\Local\Temp\fd37932be7cadd7b8295e8540a543802_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\fd37932be7cadd7b8295e8540a543802_JaffaCakes118.exe"
  2⤵
  PID:2712
- C:\Users\Admin\AppData\Local\Temp\fd37932be7cadd7b8295e8540a543802_JaffaCakes118.exe
  ?
  2⤵
  PID:2624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

File and Directory Discovery

1

T1083

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Virtualization/Sandbox Evasion

2

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\~DCTMP26641.tmp

Filesize
4KB

MD5
d02bc5e49dcbdeb20edda49f984c4ece

SHA1
533469beb0c49e364e277a29eb80a8207ddd164c

SHA256
0daa40b9b6da489521e3d919e024984c826c4c49caf3a21cc77178651b0dfbf9

SHA512
55233a019c291bb991aaf7e90826518f8d60bc423d85b4f18bc4b7f583f8832e4c1a5a5530843532860a7c2cd7d96bfcf3091e126d0996ade35ab93c39d6125a

Download Submit
memory/2624-35-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2624-30-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2624-39-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2624-43-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2624-27-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2712-53-0x0000000000400000-0x0000000000592000-memory.dmp

Filesize
1.6MB

Download
memory/2904-40-0x0000000004140000-0x0000000004141000-memory.dmp

Filesize
4KB

Download
memory/2904-52-0x0000000004170000-0x0000000004302000-memory.dmp

Filesize
1.6MB

Download
memory/2904-31-0x0000000004110000-0x0000000004111000-memory.dmp

Filesize
4KB

Download
memory/2904-29-0x0000000001F60000-0x0000000001F61000-memory.dmp

Filesize
4KB

Download
memory/2904-36-0x00000000040C0000-0x00000000040C1000-memory.dmp

Filesize
4KB

Download
memory/2904-0-0x0000000000400000-0x0000000000592000-memory.dmp

Filesize
1.6MB

Download
memory/2904-42-0x0000000004150000-0x0000000004151000-memory.dmp

Filesize
4KB

Download
memory/2904-44-0x00000000040A0000-0x00000000040A1000-memory.dmp

Filesize
4KB

Download
memory/2904-26-0x00000000040D0000-0x00000000040D1000-memory.dmp

Filesize
4KB

Download
memory/2904-32-0x00000000040F0000-0x00000000040F1000-memory.dmp

Filesize
4KB

Download
memory/2904-50-0x0000000000400000-0x0000000000592000-memory.dmp

Filesize
1.6MB

Download
memory/2904-49-0x00000000040B0000-0x00000000040B1000-memory.dmp

Filesize
4KB

Download
memory/2904-3-0x0000000004120000-0x0000000004121000-memory.dmp

Filesize
4KB

Download
memory/2904-6-0x00000000040E0000-0x00000000040E2000-memory.dmp

Filesize
8KB

Download
memory/2904-38-0x0000000004130000-0x0000000004131000-memory.dmp

Filesize
4KB

Download
memory/2904-34-0x0000000004100000-0x0000000004101000-memory.dmp

Filesize
4KB

Download
memory/2904-2-0x0000000000400000-0x0000000000592000-memory.dmp

Filesize
1.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads