e6c90b7f3ffdfada2ff3cbb7160b8cf2f95a0480cf58122aa4fa68307a924376

Analysis

max time kernel
141s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25/06/2024, 00:36

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0b8e3a03835538522a3169b05a28b8c4_JaffaCakes118.exe
Size

1.1MB
MD5

0b8e3a03835538522a3169b05a28b8c4
SHA1

77b4b07f7f41c9f781d8e5a8feea6dd2324eb40c
SHA256

e6c90b7f3ffdfada2ff3cbb7160b8cf2f95a0480cf58122aa4fa68307a924376
SHA512

d7dd40d7471ca122e29145daf04c684c335f534c5611d1c67e8e0c978c62412ce90693731cbade462035dc9af52f22106e8f6af16cbc8d74b1273a397f4f65b3
SSDEEP

24576:tIHy+ZbxhZ2hMP235o5W9IDqcAQLhiHvJyd86Zu8JpAuiY2r:kZNiL9ZwYPJyd8Yu8JpArY2r

Score

7^/10

evasion themida upx

Malware Config

Signatures

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Wine	0b8e3a03835538522a3169b05a28b8c4_JaffaCakes118.exe

Loads dropped DLL 2 IoCs

pid	Process
2164	0b8e3a03835538522a3169b05a28b8c4_JaffaCakes118.exe
2164	0b8e3a03835538522a3169b05a28b8c4_JaffaCakes118.exe

Themida packer 20 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/2164-0-0x0000000000400000-0x0000000000587000-memory.dmp	themida
behavioral1/memory/2164-9-0x0000000000400000-0x0000000000587000-memory.dmp	themida
behavioral1/memory/2164-15-0x0000000000400000-0x0000000000587000-memory.dmp	themida
behavioral1/memory/2164-16-0x0000000000400000-0x0000000000587000-memory.dmp	themida
behavioral1/memory/2164-20-0x0000000000400000-0x0000000000587000-memory.dmp	themida
behavioral1/memory/2164-17-0x0000000000400000-0x0000000000587000-memory.dmp	themida
behavioral1/memory/2164-23-0x0000000000400000-0x0000000000587000-memory.dmp	themida
behavioral1/memory/2164-26-0x0000000000400000-0x0000000000587000-memory.dmp	themida
behavioral1/memory/2164-28-0x0000000000400000-0x0000000000587000-memory.dmp	themida
behavioral1/memory/2164-31-0x0000000000400000-0x0000000000587000-memory.dmp	themida
behavioral1/memory/2164-34-0x0000000000400000-0x0000000000587000-memory.dmp	themida
behavioral1/memory/2164-37-0x0000000000400000-0x0000000000587000-memory.dmp	themida
behavioral1/memory/2164-40-0x0000000000400000-0x0000000000587000-memory.dmp	themida
behavioral1/memory/2164-43-0x0000000000400000-0x0000000000587000-memory.dmp	themida
behavioral1/memory/2164-46-0x0000000000400000-0x0000000000587000-memory.dmp	themida
behavioral1/memory/2164-49-0x0000000000400000-0x0000000000587000-memory.dmp	themida
behavioral1/memory/2164-52-0x0000000000400000-0x0000000000587000-memory.dmp	themida
behavioral1/memory/2164-55-0x0000000000400000-0x0000000000587000-memory.dmp	themida
behavioral1/memory/2164-58-0x0000000000400000-0x0000000000587000-memory.dmp	themida
behavioral1/memory/2164-61-0x0000000000400000-0x0000000000587000-memory.dmp	themida

UPX packed file 23 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00070000000122cd-4.dat	upx
behavioral1/memory/2164-6-0x0000000010000000-0x0000000010137000-memory.dmp	upx
behavioral1/memory/2164-8-0x0000000010000000-0x0000000010137000-memory.dmp	upx
behavioral1/memory/2164-7-0x0000000010000000-0x0000000010137000-memory.dmp	upx
behavioral1/memory/2164-13-0x0000000003EA0000-0x0000000003ECE000-memory.dmp	upx
behavioral1/memory/2164-14-0x0000000003EA0000-0x0000000003ECE000-memory.dmp	upx
behavioral1/files/0x000a000000013a45-11.dat	upx
behavioral1/memory/2164-19-0x0000000003EA0000-0x0000000003ECE000-memory.dmp	upx
behavioral1/memory/2164-18-0x0000000010000000-0x0000000010137000-memory.dmp	upx
behavioral1/memory/2164-22-0x0000000010000000-0x0000000010137000-memory.dmp	upx
behavioral1/memory/2164-24-0x0000000010000000-0x0000000010137000-memory.dmp	upx
behavioral1/memory/2164-29-0x0000000010000000-0x0000000010137000-memory.dmp	upx
behavioral1/memory/2164-32-0x0000000010000000-0x0000000010137000-memory.dmp	upx
behavioral1/memory/2164-35-0x0000000010000000-0x0000000010137000-memory.dmp	upx
behavioral1/memory/2164-38-0x0000000010000000-0x0000000010137000-memory.dmp	upx
behavioral1/memory/2164-41-0x0000000010000000-0x0000000010137000-memory.dmp	upx
behavioral1/memory/2164-44-0x0000000010000000-0x0000000010137000-memory.dmp	upx
behavioral1/memory/2164-47-0x0000000010000000-0x0000000010137000-memory.dmp	upx
behavioral1/memory/2164-50-0x0000000010000000-0x0000000010137000-memory.dmp	upx
behavioral1/memory/2164-53-0x0000000010000000-0x0000000010137000-memory.dmp	upx
behavioral1/memory/2164-56-0x0000000010000000-0x0000000010137000-memory.dmp	upx
behavioral1/memory/2164-59-0x0000000010000000-0x0000000010137000-memory.dmp	upx
behavioral1/memory/2164-62-0x0000000010000000-0x0000000010137000-memory.dmp	upx

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2164	0b8e3a03835538522a3169b05a28b8c4_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2164	0b8e3a03835538522a3169b05a28b8c4_JaffaCakes118.exe
2164	0b8e3a03835538522a3169b05a28b8c4_JaffaCakes118.exe
2164	0b8e3a03835538522a3169b05a28b8c4_JaffaCakes118.exe
2164	0b8e3a03835538522a3169b05a28b8c4_JaffaCakes118.exe
2164	0b8e3a03835538522a3169b05a28b8c4_JaffaCakes118.exe
2164	0b8e3a03835538522a3169b05a28b8c4_JaffaCakes118.exe
2164	0b8e3a03835538522a3169b05a28b8c4_JaffaCakes118.exe
2164	0b8e3a03835538522a3169b05a28b8c4_JaffaCakes118.exe
2164	0b8e3a03835538522a3169b05a28b8c4_JaffaCakes118.exe
2164	0b8e3a03835538522a3169b05a28b8c4_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\0b8e3a03835538522a3169b05a28b8c4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0b8e3a03835538522a3169b05a28b8c4_JaffaCakes118.exe"
1⤵
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\MBX@874@41A1A98.###

Filesize
2KB

MD5
f91a136d20dfa1ecddc2e0525bc96316

SHA1
2c01991d575298c3f42376b797ec5d13d730f89b

SHA256
4efaa2ab06a6088d7c422a7518f223b5122355a1e403d668e7ffcfc5b8d11301

SHA512
3ad6d23c1c10d718aaf8f555001a094b53e71fc74135717c7d6155180a9d2d0b8e8922061d2cfb4a5e38844388e81fc688dce7420200b22d6c6e6ce9489f3af8

Download Submit
\Users\Admin\AppData\Local\Temp\MBX@874@41A1AA8.###

Filesize
2KB

MD5
4e9ca2fa1ee6a996436d81f06dd376c8

SHA1
d70ec28a49565e031d5f7a6156e2faaf2eb1ef4b

SHA256
ef5a6cb2bb3316c985a8e22824f2671c75a730ce0152a435ed2330872f268073

SHA512
bda49122375b963b1db0e3adf9958734bca7969ed70cf11ffb036e441dab384d9ebf397b3ba146ae42170c285a7484e29766d5807fe500e59cf48ca95535c761

Download Submit
memory/2164-28-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2164-2-0x0000000000401000-0x0000000000415000-memory.dmp

Filesize
80KB

Download
memory/2164-6-0x0000000010000000-0x0000000010137000-memory.dmp

Filesize
1.2MB

Download
memory/2164-8-0x0000000010000000-0x0000000010137000-memory.dmp

Filesize
1.2MB

Download
memory/2164-9-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2164-7-0x0000000010000000-0x0000000010137000-memory.dmp

Filesize
1.2MB

Download
memory/2164-13-0x0000000003EA0000-0x0000000003ECE000-memory.dmp

Filesize
184KB

Download
memory/2164-14-0x0000000003EA0000-0x0000000003ECE000-memory.dmp

Filesize
184KB

Download
memory/2164-15-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2164-1-0x0000000004040000-0x0000000004041000-memory.dmp

Filesize
4KB

Download
memory/2164-16-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2164-19-0x0000000003EA0000-0x0000000003ECE000-memory.dmp

Filesize
184KB

Download
memory/2164-20-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2164-18-0x0000000010000000-0x0000000010137000-memory.dmp

Filesize
1.2MB

Download
memory/2164-17-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2164-21-0x0000000000401000-0x0000000000415000-memory.dmp

Filesize
80KB

Download
memory/2164-22-0x0000000010000000-0x0000000010137000-memory.dmp

Filesize
1.2MB

Download
memory/2164-23-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2164-24-0x0000000010000000-0x0000000010137000-memory.dmp

Filesize
1.2MB

Download
memory/2164-26-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2164-31-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2164-0-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2164-29-0x0000000010000000-0x0000000010137000-memory.dmp

Filesize
1.2MB

Download
memory/2164-32-0x0000000010000000-0x0000000010137000-memory.dmp

Filesize
1.2MB

Download
memory/2164-34-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2164-35-0x0000000010000000-0x0000000010137000-memory.dmp

Filesize
1.2MB

Download
memory/2164-37-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2164-38-0x0000000010000000-0x0000000010137000-memory.dmp

Filesize
1.2MB

Download
memory/2164-40-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2164-41-0x0000000010000000-0x0000000010137000-memory.dmp

Filesize
1.2MB

Download
memory/2164-43-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2164-44-0x0000000010000000-0x0000000010137000-memory.dmp

Filesize
1.2MB

Download
memory/2164-46-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2164-47-0x0000000010000000-0x0000000010137000-memory.dmp

Filesize
1.2MB

Download
memory/2164-50-0x0000000010000000-0x0000000010137000-memory.dmp

Filesize
1.2MB

Download
memory/2164-49-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2164-53-0x0000000010000000-0x0000000010137000-memory.dmp

Filesize
1.2MB

Download
memory/2164-52-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2164-55-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2164-56-0x0000000010000000-0x0000000010137000-memory.dmp

Filesize
1.2MB

Download
memory/2164-58-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2164-59-0x0000000010000000-0x0000000010137000-memory.dmp

Filesize
1.2MB

Download
memory/2164-61-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2164-62-0x0000000010000000-0x0000000010137000-memory.dmp

Filesize
1.2MB

Download