0cd630cd90f23a11b1219d0a0ba525eb6d63b204b4b035edac6bd28647db14e4

Analysis

max time kernel
125s
max time network
152s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
20/06/2024, 06:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

03a0258a9278f97b91d579260448d441_JaffaCakes118.exe
Size

1.5MB
MD5

03a0258a9278f97b91d579260448d441
SHA1

d212dcbd2cb15a0fbfee7f5f72a97da18e80f56e
SHA256

0cd630cd90f23a11b1219d0a0ba525eb6d63b204b4b035edac6bd28647db14e4
SHA512

44ca961f6decfd81776b601e104dea886b6eb22803b0d7b913802f1709da4b97c700749ea9a241bd70d6fa63b534894eddb1a897ec2a2e0a68e73507075a9319
SSDEEP

24576:gL1LillQEbHh0FE5egqtijDg7qh689k+ZESOh8AqppyCQ7qnrfI9mbcTQu32kbXN:NlQEb2Mv0ijSZaXZESg8B0CQ+nM9sckS

Score

7^/10

persistence themida

Malware Config

Signatures

Themida packer 41 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/2100-3-0x0000000000400000-0x0000000000713000-memory.dmp	themida
behavioral1/memory/2100-4-0x0000000000400000-0x0000000000713000-memory.dmp	themida
behavioral1/memory/2100-6-0x0000000000400000-0x0000000000713000-memory.dmp	themida
behavioral1/memory/2984-33-0x0000000000400000-0x0000000000713000-memory.dmp	themida
behavioral1/memory/2984-40-0x0000000000400000-0x0000000000713000-memory.dmp	themida
behavioral1/memory/2984-41-0x0000000000400000-0x0000000000713000-memory.dmp	themida
behavioral1/memory/2984-39-0x0000000000400000-0x0000000000713000-memory.dmp	themida
behavioral1/memory/2984-38-0x0000000000400000-0x0000000000713000-memory.dmp	themida
behavioral1/memory/2984-42-0x0000000000400000-0x0000000000713000-memory.dmp	themida
behavioral1/memory/2984-35-0x0000000000400000-0x0000000000713000-memory.dmp	themida
behavioral1/memory/2984-34-0x0000000000400000-0x0000000000713000-memory.dmp	themida
behavioral1/memory/2984-32-0x0000000000400000-0x0000000000713000-memory.dmp	themida
behavioral1/memory/2984-30-0x0000000000400000-0x0000000000713000-memory.dmp	themida
behavioral1/memory/2984-29-0x0000000000400000-0x0000000000713000-memory.dmp	themida
behavioral1/memory/2984-28-0x0000000000400000-0x0000000000713000-memory.dmp	themida
behavioral1/memory/2984-27-0x0000000000400000-0x0000000000713000-memory.dmp	themida
behavioral1/memory/2984-26-0x0000000000400000-0x0000000000713000-memory.dmp	themida
behavioral1/memory/2984-24-0x0000000000400000-0x0000000000713000-memory.dmp	themida
behavioral1/memory/2984-22-0x0000000000400000-0x0000000000713000-memory.dmp	themida
behavioral1/memory/2984-11-0x0000000000400000-0x0000000000713000-memory.dmp	themida
behavioral1/memory/2984-31-0x0000000000400000-0x0000000000713000-memory.dmp	themida
behavioral1/memory/2984-25-0x0000000000400000-0x0000000000713000-memory.dmp	themida
behavioral1/memory/2984-23-0x0000000000400000-0x0000000000713000-memory.dmp	themida
behavioral1/memory/2984-21-0x0000000000400000-0x0000000000713000-memory.dmp	themida
behavioral1/memory/2984-20-0x0000000000400000-0x0000000000713000-memory.dmp	themida
behavioral1/memory/2984-18-0x0000000000400000-0x0000000000713000-memory.dmp	themida
behavioral1/memory/2100-19-0x0000000000400000-0x0000000000713000-memory.dmp	themida
behavioral1/memory/2984-17-0x0000000000400000-0x0000000000713000-memory.dmp	themida
behavioral1/memory/2984-16-0x0000000000400000-0x0000000000713000-memory.dmp	themida
behavioral1/memory/2984-15-0x0000000000400000-0x0000000000713000-memory.dmp	themida
behavioral1/memory/2984-13-0x0000000000400000-0x0000000000713000-memory.dmp	themida
behavioral1/memory/2984-44-0x0000000000400000-0x0000000000713000-memory.dmp	themida
behavioral1/memory/2984-45-0x0000000000400000-0x0000000000713000-memory.dmp	themida
behavioral1/memory/2984-43-0x0000000000400000-0x0000000000713000-memory.dmp	themida
behavioral1/memory/2984-47-0x0000000000400000-0x0000000000713000-memory.dmp	themida
behavioral1/memory/2984-49-0x0000000000400000-0x0000000000713000-memory.dmp	themida
behavioral1/memory/2984-50-0x0000000000400000-0x0000000000713000-memory.dmp	themida
behavioral1/memory/2984-46-0x0000000000400000-0x0000000000713000-memory.dmp	themida
behavioral1/memory/2984-48-0x0000000000400000-0x0000000000713000-memory.dmp	themida
behavioral1/files/0x0007000000014ed9-76.dat	themida
behavioral1/memory/2984-81-0x0000000000400000-0x0000000000713000-memory.dmp	themida

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\DbaufmQ = "c:\\ProgramData\\AahdpoE\\RjvilkW\\DbaufmQ.exe"	notepad.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2100 set thread context of 2984	2100	03a0258a9278f97b91d579260448d441_JaffaCakes118.exe	28

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2100	03a0258a9278f97b91d579260448d441_JaffaCakes118.exe
2984	notepad.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2100 wrote to memory of 2984	2100	03a0258a9278f97b91d579260448d441_JaffaCakes118.exe	28
PID 2100 wrote to memory of 2984	2100	03a0258a9278f97b91d579260448d441_JaffaCakes118.exe	28
PID 2100 wrote to memory of 2984	2100	03a0258a9278f97b91d579260448d441_JaffaCakes118.exe	28
PID 2100 wrote to memory of 2984	2100	03a0258a9278f97b91d579260448d441_JaffaCakes118.exe	28
PID 2100 wrote to memory of 2984	2100	03a0258a9278f97b91d579260448d441_JaffaCakes118.exe	28
PID 2100 wrote to memory of 2984	2100	03a0258a9278f97b91d579260448d441_JaffaCakes118.exe	28

C:\Users\Admin\AppData\Local\Temp\03a0258a9278f97b91d579260448d441_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\03a0258a9278f97b91d579260448d441_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2100
- C:\Windows\SysWOW64\notepad.exe
  C:\Windows\system32\notepad.exe
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  PID:2984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\ProgramData\AahdpoE\RjvilkW\DbaufmQ.exe

Filesize
1.5MB

MD5
03a0258a9278f97b91d579260448d441

SHA1
d212dcbd2cb15a0fbfee7f5f72a97da18e80f56e

SHA256
0cd630cd90f23a11b1219d0a0ba525eb6d63b204b4b035edac6bd28647db14e4

SHA512
44ca961f6decfd81776b601e104dea886b6eb22803b0d7b913802f1709da4b97c700749ea9a241bd70d6fa63b534894eddb1a897ec2a2e0a68e73507075a9319

Download Submit
memory/2100-1-0x0000000000260000-0x0000000000346000-memory.dmp

Filesize
920KB

Download
memory/2100-0-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/2100-2-0x0000000000401000-0x0000000000450000-memory.dmp

Filesize
316KB

Download
memory/2100-3-0x0000000000400000-0x0000000000713000-memory.dmp

Filesize
3.1MB

Download
memory/2100-4-0x0000000000400000-0x0000000000713000-memory.dmp

Filesize
3.1MB

Download
memory/2100-6-0x0000000000400000-0x0000000000713000-memory.dmp

Filesize
3.1MB

Download
memory/2100-37-0x0000000004410000-0x0000000004411000-memory.dmp

Filesize
4KB

Download
memory/2100-19-0x0000000000400000-0x0000000000713000-memory.dmp

Filesize
3.1MB

Download
memory/2100-80-0x0000000004410000-0x0000000004411000-memory.dmp

Filesize
4KB

Download
memory/2984-7-0x0000000000400000-0x0000000000713000-memory.dmp

Filesize
3.1MB

Download
memory/2984-33-0x0000000000400000-0x0000000000713000-memory.dmp

Filesize
3.1MB

Download
memory/2984-36-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/2984-40-0x0000000000400000-0x0000000000713000-memory.dmp

Filesize
3.1MB

Download
memory/2984-41-0x0000000000400000-0x0000000000713000-memory.dmp

Filesize
3.1MB

Download
memory/2984-39-0x0000000000400000-0x0000000000713000-memory.dmp

Filesize
3.1MB

Download
memory/2984-38-0x0000000000400000-0x0000000000713000-memory.dmp

Filesize
3.1MB

Download
memory/2984-42-0x0000000000400000-0x0000000000713000-memory.dmp

Filesize
3.1MB

Download
memory/2984-35-0x0000000000400000-0x0000000000713000-memory.dmp

Filesize
3.1MB

Download
memory/2984-34-0x0000000000400000-0x0000000000713000-memory.dmp

Filesize
3.1MB

Download
memory/2984-32-0x0000000000400000-0x0000000000713000-memory.dmp

Filesize
3.1MB

Download
memory/2984-30-0x0000000000400000-0x0000000000713000-memory.dmp

Filesize
3.1MB

Download
memory/2984-29-0x0000000000400000-0x0000000000713000-memory.dmp

Filesize
3.1MB

Download
memory/2984-28-0x0000000000400000-0x0000000000713000-memory.dmp

Filesize
3.1MB

Download
memory/2984-27-0x0000000000400000-0x0000000000713000-memory.dmp

Filesize
3.1MB

Download
memory/2984-26-0x0000000000400000-0x0000000000713000-memory.dmp

Filesize
3.1MB

Download
memory/2984-24-0x0000000000400000-0x0000000000713000-memory.dmp

Filesize
3.1MB

Download
memory/2984-22-0x0000000000400000-0x0000000000713000-memory.dmp

Filesize
3.1MB

Download
memory/2984-11-0x0000000000400000-0x0000000000713000-memory.dmp

Filesize
3.1MB

Download
memory/2984-31-0x0000000000400000-0x0000000000713000-memory.dmp

Filesize
3.1MB

Download
memory/2984-25-0x0000000000400000-0x0000000000713000-memory.dmp

Filesize
3.1MB

Download
memory/2984-23-0x0000000000400000-0x0000000000713000-memory.dmp

Filesize
3.1MB

Download
memory/2984-21-0x0000000000400000-0x0000000000713000-memory.dmp

Filesize
3.1MB

Download
memory/2984-20-0x0000000000400000-0x0000000000713000-memory.dmp

Filesize
3.1MB

Download
memory/2984-18-0x0000000000400000-0x0000000000713000-memory.dmp

Filesize
3.1MB

Download
memory/2984-17-0x0000000000400000-0x0000000000713000-memory.dmp

Filesize
3.1MB

Download
memory/2984-16-0x0000000000400000-0x0000000000713000-memory.dmp

Filesize
3.1MB

Download
memory/2984-15-0x0000000000400000-0x0000000000713000-memory.dmp

Filesize
3.1MB

Download
memory/2984-13-0x0000000000400000-0x0000000000713000-memory.dmp

Filesize
3.1MB

Download
memory/2984-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2984-44-0x0000000000400000-0x0000000000713000-memory.dmp

Filesize
3.1MB

Download
memory/2984-45-0x0000000000400000-0x0000000000713000-memory.dmp

Filesize
3.1MB

Download
memory/2984-43-0x0000000000400000-0x0000000000713000-memory.dmp

Filesize
3.1MB

Download
memory/2984-47-0x0000000000400000-0x0000000000713000-memory.dmp

Filesize
3.1MB

Download
memory/2984-49-0x0000000000400000-0x0000000000713000-memory.dmp

Filesize
3.1MB

Download
memory/2984-75-0x0000000002FF0000-0x0000000002FF2000-memory.dmp

Filesize
8KB

Download
memory/2984-74-0x0000000002500000-0x0000000002501000-memory.dmp

Filesize
4KB

Download
memory/2984-73-0x00000000027E0000-0x00000000027E1000-memory.dmp

Filesize
4KB

Download
memory/2984-72-0x0000000002780000-0x0000000002781000-memory.dmp

Filesize
4KB

Download
memory/2984-71-0x0000000002690000-0x0000000002691000-memory.dmp

Filesize
4KB

Download
memory/2984-70-0x0000000002770000-0x0000000002771000-memory.dmp

Filesize
4KB

Download
memory/2984-69-0x0000000002310000-0x0000000002311000-memory.dmp

Filesize
4KB

Download
memory/2984-68-0x0000000002640000-0x0000000002641000-memory.dmp

Filesize
4KB

Download
memory/2984-67-0x0000000002240000-0x0000000002241000-memory.dmp

Filesize
4KB

Download
memory/2984-66-0x00000000021F0000-0x00000000021F1000-memory.dmp

Filesize
4KB

Download
memory/2984-65-0x0000000002320000-0x0000000002321000-memory.dmp

Filesize
4KB

Download
memory/2984-64-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2984-63-0x00000000023B0000-0x00000000023B1000-memory.dmp

Filesize
4KB

Download
memory/2984-62-0x0000000002300000-0x0000000002301000-memory.dmp

Filesize
4KB

Download
memory/2984-61-0x0000000002450000-0x0000000002451000-memory.dmp

Filesize
4KB

Download
memory/2984-60-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/2984-59-0x00000000022B0000-0x00000000022B1000-memory.dmp

Filesize
4KB

Download
memory/2984-58-0x0000000002FD0000-0x0000000002FD2000-memory.dmp

Filesize
8KB

Download
memory/2984-57-0x0000000002630000-0x0000000002631000-memory.dmp

Filesize
4KB

Download
memory/2984-56-0x00000000023C0000-0x00000000023C1000-memory.dmp

Filesize
4KB

Download
memory/2984-55-0x0000000002790000-0x0000000002791000-memory.dmp

Filesize
4KB

Download
memory/2984-54-0x0000000002090000-0x0000000002091000-memory.dmp

Filesize
4KB

Download
memory/2984-53-0x00000000021E0000-0x00000000021E2000-memory.dmp

Filesize
8KB

Download
memory/2984-52-0x00000000009F0000-0x00000000009F1000-memory.dmp

Filesize
4KB

Download
memory/2984-51-0x0000000002250000-0x0000000002251000-memory.dmp

Filesize
4KB

Download
memory/2984-50-0x0000000000400000-0x0000000000713000-memory.dmp

Filesize
3.1MB

Download
memory/2984-46-0x0000000000400000-0x0000000000713000-memory.dmp

Filesize
3.1MB

Download
memory/2984-48-0x0000000000400000-0x0000000000713000-memory.dmp

Filesize
3.1MB

Download
memory/2984-78-0x0000000002BE0000-0x0000000002BE2000-memory.dmp

Filesize
8KB

Download
memory/2984-77-0x0000000002870000-0x0000000002871000-memory.dmp

Filesize
4KB

Download
memory/2984-81-0x0000000000400000-0x0000000000713000-memory.dmp

Filesize
3.1MB

Download
memory/2984-79-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download