aee18524a93d9c90c55a666b63d39a38d0addcdd828862557a51aa14c5736f62

Analysis

max time kernel
149s
max time network
127s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
25/06/2024, 12:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0e17525af642b2bef2055627f07a642c_JaffaCakes118.exe
Size

421KB
MD5

0e17525af642b2bef2055627f07a642c
SHA1

c8e281a9321f5f64312936ecaa4e073c49062d76
SHA256

aee18524a93d9c90c55a666b63d39a38d0addcdd828862557a51aa14c5736f62
SHA512

f06a843f0d2f9a45fc38f1ea605383f06e60f5c5f2a9a67d97404e992f58037313852d223c240545b7b9ca8a93aab4ba44c006d5a915abbc24c4b0e4d218f033
SSDEEP

12288:JWCnSOH7d2RwAkPPBX0zpXH4KAX7yaDlELqD9:hnSe70RtokZ4t7nKLQ

Score

7^/10

evasion

Malware Config

Signatures

Executes dropped EXE 10 IoCs

pid	Process
2656	msmmnger.exe
316	msmmnger.exe
1800	msmmnger.exe
2888	msmmnger.exe
1868	msmmnger.exe
1652	msmmnger.exe
900	msmmnger.exe
2860	msmmnger.exe
2996	msmmnger.exe
1816	msmmnger.exe

Identifies Wine through registry keys 2 TTPs 11 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Wine	msmmnger.exe
Key opened	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Wine	msmmnger.exe
Key opened	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Wine	0e17525af642b2bef2055627f07a642c_JaffaCakes118.exe
Key opened	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Wine	msmmnger.exe
Key opened	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Wine	msmmnger.exe
Key opened	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Wine	msmmnger.exe
Key opened	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Wine	msmmnger.exe
Key opened	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Wine	msmmnger.exe
Key opened	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Wine	msmmnger.exe
Key opened	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Wine	msmmnger.exe
Key opened	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Wine	msmmnger.exe

Loads dropped DLL 20 IoCs

pid	Process
1724	0e17525af642b2bef2055627f07a642c_JaffaCakes118.exe
1724	0e17525af642b2bef2055627f07a642c_JaffaCakes118.exe
2656	msmmnger.exe
2656	msmmnger.exe
316	msmmnger.exe
316	msmmnger.exe
1800	msmmnger.exe
1800	msmmnger.exe
2888	msmmnger.exe
2888	msmmnger.exe
1868	msmmnger.exe
1868	msmmnger.exe
1652	msmmnger.exe
1652	msmmnger.exe
900	msmmnger.exe
900	msmmnger.exe
2860	msmmnger.exe
2860	msmmnger.exe
2996	msmmnger.exe
2996	msmmnger.exe

Drops file in System32 directory 22 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\msmmnger.exe	0e17525af642b2bef2055627f07a642c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\msmmnger.exe	msmmnger.exe
File opened for modification	C:\Windows\SysWOW64\msmmnger.exe	msmmnger.exe
File opened for modification	C:\Windows\SysWOW64\msmmnger.exe	msmmnger.exe
File created	C:\Windows\SysWOW64\msmmnger.exe	msmmnger.exe
File opened for modification	C:\Windows\SysWOW64\msmmnger.exe	0e17525af642b2bef2055627f07a642c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\msmmnger.exe	msmmnger.exe
File created	C:\Windows\SysWOW64\msmmnger.exe	msmmnger.exe
File created	C:\Windows\SysWOW64\msmmnger.exe	msmmnger.exe
File created	C:\Windows\SysWOW64\msmmnger.exe	msmmnger.exe
File opened for modification	C:\Windows\SysWOW64\msmmnger.exe	msmmnger.exe
File opened for modification	C:\Windows\SysWOW64\msmmnger.exe	msmmnger.exe
File created	C:\Windows\SysWOW64\msmmnger.exe	msmmnger.exe
File opened for modification	C:\Windows\SysWOW64\msmmnger.exe	msmmnger.exe
File created	C:\Windows\SysWOW64\msmmnger.exe	msmmnger.exe
File opened for modification	C:\Windows\SysWOW64\msmmnger.exe	msmmnger.exe
File opened for modification	C:\Windows\SysWOW64\msmmnger.exe	msmmnger.exe
File created	C:\Windows\SysWOW64\msmmnger.exe	msmmnger.exe
File created	C:\Windows\SysWOW64\msmmnger.exe	msmmnger.exe
File opened for modification	C:\Windows\SysWOW64\msmmnger.exe	msmmnger.exe
File created	C:\Windows\SysWOW64\msmmnger.exe	msmmnger.exe
File opened for modification	C:\Windows\SysWOW64\msmmnger.exe	msmmnger.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 1724 wrote to memory of 2656	1724	0e17525af642b2bef2055627f07a642c_JaffaCakes118.exe	28
PID 1724 wrote to memory of 2656	1724	0e17525af642b2bef2055627f07a642c_JaffaCakes118.exe	28
PID 1724 wrote to memory of 2656	1724	0e17525af642b2bef2055627f07a642c_JaffaCakes118.exe	28
PID 1724 wrote to memory of 2656	1724	0e17525af642b2bef2055627f07a642c_JaffaCakes118.exe	28
PID 2656 wrote to memory of 316	2656	msmmnger.exe	29
PID 2656 wrote to memory of 316	2656	msmmnger.exe	29
PID 2656 wrote to memory of 316	2656	msmmnger.exe	29
PID 2656 wrote to memory of 316	2656	msmmnger.exe	29
PID 316 wrote to memory of 1800	316	msmmnger.exe	30
PID 316 wrote to memory of 1800	316	msmmnger.exe	30
PID 316 wrote to memory of 1800	316	msmmnger.exe	30
PID 316 wrote to memory of 1800	316	msmmnger.exe	30
PID 1800 wrote to memory of 2888	1800	msmmnger.exe	33
PID 1800 wrote to memory of 2888	1800	msmmnger.exe	33
PID 1800 wrote to memory of 2888	1800	msmmnger.exe	33
PID 1800 wrote to memory of 2888	1800	msmmnger.exe	33
PID 2888 wrote to memory of 1868	2888	msmmnger.exe	34
PID 2888 wrote to memory of 1868	2888	msmmnger.exe	34
PID 2888 wrote to memory of 1868	2888	msmmnger.exe	34
PID 2888 wrote to memory of 1868	2888	msmmnger.exe	34
PID 1868 wrote to memory of 1652	1868	msmmnger.exe	35
PID 1868 wrote to memory of 1652	1868	msmmnger.exe	35
PID 1868 wrote to memory of 1652	1868	msmmnger.exe	35
PID 1868 wrote to memory of 1652	1868	msmmnger.exe	35
PID 1652 wrote to memory of 900	1652	msmmnger.exe	36
PID 1652 wrote to memory of 900	1652	msmmnger.exe	36
PID 1652 wrote to memory of 900	1652	msmmnger.exe	36
PID 1652 wrote to memory of 900	1652	msmmnger.exe	36
PID 900 wrote to memory of 2860	900	msmmnger.exe	37
PID 900 wrote to memory of 2860	900	msmmnger.exe	37
PID 900 wrote to memory of 2860	900	msmmnger.exe	37
PID 900 wrote to memory of 2860	900	msmmnger.exe	37
PID 2860 wrote to memory of 2996	2860	msmmnger.exe	38
PID 2860 wrote to memory of 2996	2860	msmmnger.exe	38
PID 2860 wrote to memory of 2996	2860	msmmnger.exe	38
PID 2860 wrote to memory of 2996	2860	msmmnger.exe	38
PID 2996 wrote to memory of 1816	2996	msmmnger.exe	39
PID 2996 wrote to memory of 1816	2996	msmmnger.exe	39
PID 2996 wrote to memory of 1816	2996	msmmnger.exe	39
PID 2996 wrote to memory of 1816	2996	msmmnger.exe	39

C:\Users\Admin\AppData\Local\Temp\0e17525af642b2bef2055627f07a642c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0e17525af642b2bef2055627f07a642c_JaffaCakes118.exe"
1⤵
- Identifies Wine through registry keys
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1724
- C:\Windows\SysWOW64\msmmnger.exe
  C:\Windows\system32\msmmnger.exe 616 "C:\Users\Admin\AppData\Local\Temp\0e17525af642b2bef2055627f07a642c_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2656
- - C:\Windows\SysWOW64\msmmnger.exe
    C:\Windows\system32\msmmnger.exe 688 "C:\Windows\SysWOW64\msmmnger.exe"
    3⤵
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:316
  - - C:\Windows\SysWOW64\msmmnger.exe
      C:\Windows\system32\msmmnger.exe 692 "C:\Windows\SysWOW64\msmmnger.exe"
      4⤵
      Executes dropped EXE
      Identifies Wine through registry keys
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:1800
    - - C:\Windows\SysWOW64\msmmnger.exe
        
        C:\Windows\system32\msmmnger.exe 700 "C:\Windows\SysWOW64\msmmnger.exe"
        5⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2888
      - C:\Windows\SysWOW64\msmmnger.exe
        
        C:\Windows\system32\msmmnger.exe 696 "C:\Windows\SysWOW64\msmmnger.exe"
        6⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1868
        
        C:\Windows\SysWOW64\msmmnger.exe
        
        C:\Windows\system32\msmmnger.exe 716 "C:\Windows\SysWOW64\msmmnger.exe"
        7⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1652
        
        C:\Windows\SysWOW64\msmmnger.exe
        
        C:\Windows\system32\msmmnger.exe 708 "C:\Windows\SysWOW64\msmmnger.exe"
        8⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:900
        
        C:\Windows\SysWOW64\msmmnger.exe
        
        C:\Windows\system32\msmmnger.exe 712 "C:\Windows\SysWOW64\msmmnger.exe"
        9⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2860
        
        C:\Windows\SysWOW64\msmmnger.exe
        
        C:\Windows\system32\msmmnger.exe 732 "C:\Windows\SysWOW64\msmmnger.exe"
        10⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2996
        
        C:\Windows\SysWOW64\msmmnger.exe
        
        C:\Windows\system32\msmmnger.exe 720 "C:\Windows\SysWOW64\msmmnger.exe"
        11⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Drops file in System32 directory
        
        PID:1816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\msmmnger.exe

Filesize
421KB

MD5
0e17525af642b2bef2055627f07a642c

SHA1
c8e281a9321f5f64312936ecaa4e073c49062d76

SHA256
aee18524a93d9c90c55a666b63d39a38d0addcdd828862557a51aa14c5736f62

SHA512
f06a843f0d2f9a45fc38f1ea605383f06e60f5c5f2a9a67d97404e992f58037313852d223c240545b7b9ca8a93aab4ba44c006d5a915abbc24c4b0e4d218f033

Download Submit
memory/316-33-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/316-36-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/316-35-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/316-42-0x00000000046A0000-0x00000000047E7000-memory.dmp

Filesize
1.3MB

Download
memory/316-38-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/316-44-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/316-37-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/900-78-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/900-72-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/1652-71-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/1652-65-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/1652-67-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/1724-6-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/1724-20-0x00000000046F0000-0x0000000004837000-memory.dmp

Filesize
1.3MB

Download
memory/1724-19-0x00000000046F0000-0x0000000004837000-memory.dmp

Filesize
1.3MB

Download
memory/1724-11-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/1724-5-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/1724-4-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/1724-0-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/1724-3-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/1724-2-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/1724-1-0x0000000000401000-0x0000000000413000-memory.dmp

Filesize
72KB

Download
memory/1800-43-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/1800-45-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/1800-47-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/1800-51-0x0000000004620000-0x0000000004767000-memory.dmp

Filesize
1.3MB

Download
memory/1800-54-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/1816-91-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/1816-88-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/1868-61-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/1868-66-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/2656-18-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/2656-32-0x0000000004610000-0x0000000004757000-memory.dmp

Filesize
1.3MB

Download
memory/2656-30-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/2656-26-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/2656-25-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/2656-24-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/2656-22-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/2656-31-0x0000000004610000-0x0000000004757000-memory.dmp

Filesize
1.3MB

Download
memory/2860-79-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/2860-83-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/2860-76-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/2888-52-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/2888-58-0x0000000004730000-0x0000000004877000-memory.dmp

Filesize
1.3MB

Download
memory/2888-55-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/2888-60-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/2996-84-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/2996-90-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads