Overview

overview

8

Static

static

7

07f55e1e2c...18.exe

windows7-x64

8

07f55e1e2c...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    140s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
  • submitted
    24-06-2024 10:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    07f55e1e2cb8a3fc094bbe5026c3df21_JaffaCakes118.exe

  • Size

    8.1MB

  • MD5

    07f55e1e2cb8a3fc094bbe5026c3df21

  • SHA1

    cae9d0f637f08f46486007ba49eeff7568a59893

  • SHA256

    b3789019bc7ecce1616b06a69095decbbce8b2fa57c9d58883158b812d467299

  • SHA512

    f9b87179335a4f9d433d832b4b63dfc22fe669dd543b40c3902be3f6c6598d1a1a3d0896efcfc5a4a688870851f9b0aa53439b13fa1a6e1b97bfbcaeb2dd7235

  • SSDEEP

    196608:aT4nKcwQpqrGptJWSz4xNVSl24BngpGxM4FnoMjd:aTCNwQpCitkJaVGo5Foe

Score
8/10
evasionpersistencethemidaupx

Malware Config

Signatures

  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in Drivers directory 1 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Executes dropped EXE 1 IoCs
  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Loads dropped DLL 1 IoCs
  • Themida packer 27 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\07f55e1e2cb8a3fc094bbe5026c3df21_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\07f55e1e2cb8a3fc094bbe5026c3df21_JaffaCakes118.exe"
    1⤵
    • Adds policy Run key to start application
    • Identifies Wine through registry keys
    • Drops file in System32 directory
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:2860
    • C:\Windows\SysWOW64\cmd.exe
      cmd /k C:\WINDOWS\Help\wuau\wingb.exe /nogui C:\WINDOWS\Help\wuau\wingb.txt
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2688
      • C:\WINDOWS\Help\wuau\wingb.exe
        C:\WINDOWS\Help\wuau\wingb.exe /nogui C:\WINDOWS\Help\wuau\wingb.txt
        3⤵
        • Drops file in Drivers directory
        • Sets service image path in registry
        • Executes dropped EXE
        • Adds Run key to start application
        • Drops file in System32 directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:2420

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\WINDOWS\Help\wuau\wingb.txt
    Filesize

    1KB

    MD5

    cf991952063458eeca50ef7043366ca3

    SHA1

    24c5f7f27a743f81f82c294245eaebf90c794d63

    SHA256

    9870aa05cf14a87da50c108c72674d912542efcad9b8b076056f97d8a4a33fde

    SHA512

    73e8e942b2951b788c2529cac2eeeffae38813efd038f6c5705d74f3723ba5d79ee9ffd0878f32cc8d9df2549d575315a4fae6c030af4940bcd7f78bf3c07d67

    Download Submit

  • C:\cleanup.bat
    Filesize

    574B

    MD5

    f729045a51896f374fee1ab23eb8fe7f

    SHA1

    62890664667b1f3361eadf1d7c4bf61ae0477370

    SHA256

    40bf96d24a051c9fd666c603e29ce70e1dab97feea0406fd32a167bb44c2c8c6

    SHA512

    40b7fd24237046761700364e4d3be4fff69913862385d1833d43430a90b0b90ca0762b8c971bda16ec8c6c936f344a5898375212b25073ae2f9e7932efac9c36

    Download Submit

  • \Windows\Help\wuau\wingb.exe
    Filesize

    714KB

    MD5

    30f3680e007d924960fd65524de36601

    SHA1

    23f1e67e28052188432d2031335a79cb5ae72a8f

    SHA256

    6485271fe48f7be4cb49735c60fa4cf2ff52f235e2b24bfba22df6ea75fda1d7

    SHA512

    33323b60353430962ef0e07dd166625ae8cb1d2080f75859d35cf0c807d146ccd7272feef37ebbe8ce77f988658ef0dee6602f9b1bcf429cd0c1898862b5091a

    Download Submit

  • memory/2420-25-0x0000000000400000-0x00000000006B4000-memory.dmp

    Filesize

    2.7MB

    Download

  • memory/2420-24-0x0000000000400000-0x00000000006B4000-memory.dmp

    Filesize

    2.7MB

    Download

  • memory/2688-31-0x0000000002390000-0x0000000002644000-memory.dmp

    Filesize

    2.7MB

    Download

  • memory/2688-18-0x0000000002390000-0x0000000002644000-memory.dmp

    Filesize

    2.7MB

    Download

  • memory/2860-8-0x0000000000890000-0x0000000001255000-memory.dmp

    Filesize

    9.8MB

    Download

  • memory/2860-29-0x0000000000890000-0x0000000001255000-memory.dmp

    Filesize

    9.8MB

    Download

  • memory/2860-9-0x0000000000890000-0x0000000001255000-memory.dmp

    Filesize

    9.8MB

    Download

  • memory/2860-10-0x0000000000890000-0x0000000001255000-memory.dmp

    Filesize

    9.8MB

    Download

  • memory/2860-11-0x0000000000890000-0x0000000001255000-memory.dmp

    Filesize

    9.8MB

    Download

  • memory/2860-7-0x0000000000890000-0x0000000001255000-memory.dmp

    Filesize

    9.8MB

    Download

  • memory/2860-6-0x0000000000890000-0x0000000001255000-memory.dmp

    Filesize

    9.8MB

    Download

  • memory/2860-5-0x0000000000890000-0x0000000001255000-memory.dmp

    Filesize

    9.8MB

    Download

  • memory/2860-4-0x0000000000890000-0x0000000001255000-memory.dmp

    Filesize

    9.8MB

    Download

  • memory/2860-3-0x0000000000890000-0x0000000001255000-memory.dmp

    Filesize

    9.8MB

    Download

  • memory/2860-26-0x0000000000890000-0x0000000001255000-memory.dmp

    Filesize

    9.8MB

    Download

  • memory/2860-2-0x0000000000890000-0x0000000001255000-memory.dmp

    Filesize

    9.8MB

    Download

  • memory/2860-28-0x0000000000890000-0x0000000001255000-memory.dmp

    Filesize

    9.8MB

    Download

  • memory/2860-0-0x0000000000890000-0x0000000001255000-memory.dmp

    Filesize

    9.8MB

    Download

  • memory/2860-30-0x0000000000890000-0x0000000001255000-memory.dmp

    Filesize

    9.8MB

    Download

  • memory/2860-1-0x0000000000891000-0x00000000008EC000-memory.dmp

    Filesize

    364KB

    Download

  • memory/2860-32-0x0000000000890000-0x0000000001255000-memory.dmp

    Filesize

    9.8MB

    Download

  • memory/2860-33-0x0000000000890000-0x0000000001255000-memory.dmp

    Filesize

    9.8MB

    Download

  • memory/2860-34-0x0000000000890000-0x0000000001255000-memory.dmp

    Filesize

    9.8MB

    Download

  • memory/2860-35-0x0000000000890000-0x0000000001255000-memory.dmp

    Filesize

    9.8MB

    Download

  • memory/2860-36-0x0000000000890000-0x0000000001255000-memory.dmp

    Filesize

    9.8MB

    Download

  • memory/2860-37-0x0000000000890000-0x0000000001255000-memory.dmp

    Filesize

    9.8MB

    Download

  • memory/2860-38-0x0000000000890000-0x0000000001255000-memory.dmp

    Filesize

    9.8MB

    Download

  • memory/2860-39-0x0000000000890000-0x0000000001255000-memory.dmp

    Filesize

    9.8MB

    Download

  • memory/2860-40-0x0000000000890000-0x0000000001255000-memory.dmp

    Filesize

    9.8MB

    Download

  • memory/2860-41-0x0000000000890000-0x0000000001255000-memory.dmp

    Filesize

    9.8MB

    Download

  • memory/2860-42-0x0000000000890000-0x0000000001255000-memory.dmp

    Filesize

    9.8MB

    Download