8ba48377fe96fe2c99717b5b5f1c8df66226b96d87a46f4dbb361e9c1c61e612

Analysis

max time kernel
141s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
25/06/2024, 13:30

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0e4119242ecd2b48204c697a11595f98_JaffaCakes118.exe
Size

2.7MB
MD5

0e4119242ecd2b48204c697a11595f98
SHA1

bf0848ff2a8fd223639916b33cb71136377a8986
SHA256

8ba48377fe96fe2c99717b5b5f1c8df66226b96d87a46f4dbb361e9c1c61e612
SHA512

62cea921c0545bbb3ef4a95ee9792c7ab27f01c547c3dee93cb5db9fc832113c26080b560133d73b87c0ffdde96bd7cf520a95456f7ad9fe79acfd62c70b9133
SSDEEP

49152:FnX2elzv9gARZQFM5wo3kxP0p8qf9bbJ/KToQqB3v:TxHAMTkep8qFbEToQqB3v

Score

10^/10

evasion persistence themida trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0e4119242ecd2b48204c697a11595f98_JaffaCakes118.exe

Executes dropped EXE 4 IoCs

pid	Process
3016	XcoderX.exe
1316	XcoderX.exe
544	XcoderX.exe
3132	XcoderX.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Wine	0e4119242ecd2b48204c697a11595f98_JaffaCakes118.exe

Themida packer 16 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/memory/4868-0-0x0000000000400000-0x0000000000E96000-memory.dmp	themida
behavioral2/memory/4868-29-0x0000000000400000-0x0000000000E96000-memory.dmp	themida
behavioral2/memory/4868-30-0x0000000000400000-0x0000000000E96000-memory.dmp	themida
behavioral2/memory/4868-81-0x0000000000400000-0x0000000000E96000-memory.dmp	themida
behavioral2/memory/4868-82-0x0000000000400000-0x0000000000E96000-memory.dmp	themida
behavioral2/memory/4868-83-0x0000000000400000-0x0000000000E96000-memory.dmp	themida
behavioral2/memory/4868-84-0x0000000000400000-0x0000000000E96000-memory.dmp	themida
behavioral2/memory/4868-85-0x0000000000400000-0x0000000000E96000-memory.dmp	themida
behavioral2/memory/4868-86-0x0000000000400000-0x0000000000E96000-memory.dmp	themida
behavioral2/memory/4868-87-0x0000000000400000-0x0000000000E96000-memory.dmp	themida
behavioral2/memory/4868-88-0x0000000000400000-0x0000000000E96000-memory.dmp	themida
behavioral2/memory/4868-89-0x0000000000400000-0x0000000000E96000-memory.dmp	themida
behavioral2/memory/4868-90-0x0000000000400000-0x0000000000E96000-memory.dmp	themida
behavioral2/memory/4868-91-0x0000000000400000-0x0000000000E96000-memory.dmp	themida
behavioral2/memory/4868-92-0x0000000000400000-0x0000000000E96000-memory.dmp	themida
behavioral2/memory/4868-93-0x0000000000400000-0x0000000000E96000-memory.dmp	themida

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AVG Internet = "C:\\Users\\Admin\\AppData\\Local\\nod32.exe"	0e4119242ecd2b48204c697a11595f98_JaffaCakes118.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0e4119242ecd2b48204c697a11595f98_JaffaCakes118.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
4868	0e4119242ecd2b48204c697a11595f98_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4868	0e4119242ecd2b48204c697a11595f98_JaffaCakes118.exe
4868	0e4119242ecd2b48204c697a11595f98_JaffaCakes118.exe
3016	XcoderX.exe
3016	XcoderX.exe
3016	XcoderX.exe
3016	XcoderX.exe
3016	XcoderX.exe
3016	XcoderX.exe
3016	XcoderX.exe
3016	XcoderX.exe
3016	XcoderX.exe
3016	XcoderX.exe
3016	XcoderX.exe
3016	XcoderX.exe
3016	XcoderX.exe
3016	XcoderX.exe
3016	XcoderX.exe
3016	XcoderX.exe
3016	XcoderX.exe
3016	XcoderX.exe
3016	XcoderX.exe
3016	XcoderX.exe
3016	XcoderX.exe
3016	XcoderX.exe
3016	XcoderX.exe
3016	XcoderX.exe
3016	XcoderX.exe
3016	XcoderX.exe
3016	XcoderX.exe
3016	XcoderX.exe
3016	XcoderX.exe
3016	XcoderX.exe
3016	XcoderX.exe
3016	XcoderX.exe
3016	XcoderX.exe
3016	XcoderX.exe
3016	XcoderX.exe
3016	XcoderX.exe
3016	XcoderX.exe
3016	XcoderX.exe
3016	XcoderX.exe
3016	XcoderX.exe
3016	XcoderX.exe
3016	XcoderX.exe
3016	XcoderX.exe
3016	XcoderX.exe
3016	XcoderX.exe
3016	XcoderX.exe
3016	XcoderX.exe
3016	XcoderX.exe
3016	XcoderX.exe
3016	XcoderX.exe
3016	XcoderX.exe
3016	XcoderX.exe
3016	XcoderX.exe
3016	XcoderX.exe
3016	XcoderX.exe
3016	XcoderX.exe
3016	XcoderX.exe
3016	XcoderX.exe
3016	XcoderX.exe
3016	XcoderX.exe
3016	XcoderX.exe
3016	XcoderX.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4868	0e4119242ecd2b48204c697a11595f98_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4868	0e4119242ecd2b48204c697a11595f98_JaffaCakes118.exe
4868	0e4119242ecd2b48204c697a11595f98_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4868 wrote to memory of 3016	4868	0e4119242ecd2b48204c697a11595f98_JaffaCakes118.exe	100
PID 4868 wrote to memory of 3016	4868	0e4119242ecd2b48204c697a11595f98_JaffaCakes118.exe	100
PID 4868 wrote to memory of 3016	4868	0e4119242ecd2b48204c697a11595f98_JaffaCakes118.exe	100
PID 4868 wrote to memory of 1316	4868	0e4119242ecd2b48204c697a11595f98_JaffaCakes118.exe	101
PID 4868 wrote to memory of 1316	4868	0e4119242ecd2b48204c697a11595f98_JaffaCakes118.exe	101
PID 4868 wrote to memory of 1316	4868	0e4119242ecd2b48204c697a11595f98_JaffaCakes118.exe	101
PID 4868 wrote to memory of 544	4868	0e4119242ecd2b48204c697a11595f98_JaffaCakes118.exe	102
PID 4868 wrote to memory of 544	4868	0e4119242ecd2b48204c697a11595f98_JaffaCakes118.exe	102
PID 4868 wrote to memory of 544	4868	0e4119242ecd2b48204c697a11595f98_JaffaCakes118.exe	102
PID 4868 wrote to memory of 3132	4868	0e4119242ecd2b48204c697a11595f98_JaffaCakes118.exe	103
PID 4868 wrote to memory of 3132	4868	0e4119242ecd2b48204c697a11595f98_JaffaCakes118.exe	103
PID 4868 wrote to memory of 3132	4868	0e4119242ecd2b48204c697a11595f98_JaffaCakes118.exe	103

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	0e4119242ecd2b48204c697a11595f98_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0e4119242ecd2b48204c697a11595f98_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\0e4119242ecd2b48204c697a11595f98_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0e4119242ecd2b48204c697a11595f98_JaffaCakes118.exe"
1⤵
- UAC bypass
- Identifies Wine through registry keys
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4868
- C:\XcoderX.exe
  C:\XcoderX.exe explorer.exe gb
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3016
- C:\XcoderX.exe
  C:\XcoderX.exe explorer.exe scp
  2⤵
  - Executes dropped EXE
  PID:1316
- C:\XcoderX.exe
  C:\XcoderX.exe explorer.exe gb
  2⤵
  - Executes dropped EXE
  PID:544
- C:\XcoderX.exe
  C:\XcoderX.exe explorer.exe scp
  2⤵
  - Executes dropped EXE
  PID:3132

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3856,i,12594301322143882025,16832588342008839449,262144 --variations-seed-version --mojo-platform-channel-handle=4288 /prefetch:8
1⤵
PID:1036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\XcoderX.exe

Filesize
8KB

MD5
5db92acdc55ba2a3b7354c98f3a5e20d

SHA1
05c2ede36b80aafb9c29991c44f2799590387e25

SHA256
d9fabeeb71d323fe8a4aa9bb0c62989ba42bed0deea5a9d3a11fa609e9221d89

SHA512
f1db297674aa61b0ed34183ab15a08dba17bf4e0d915be33017ad096752521e535c6621905d388f04b641ca5585ebefb6e058cccffc5012af97c73c9f24b32c5

Download Submit
memory/544-39-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1316-37-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/3016-35-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/3132-41-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/4868-5-0x0000000005820000-0x0000000005821000-memory.dmp

Filesize
4KB

Download
memory/4868-9-0x00000000058C0000-0x00000000058C1000-memory.dmp

Filesize
4KB

Download
memory/4868-16-0x0000000005960000-0x0000000005961000-memory.dmp

Filesize
4KB

Download
memory/4868-22-0x0000000005930000-0x0000000005931000-memory.dmp

Filesize
4KB

Download
memory/4868-21-0x0000000005940000-0x0000000005941000-memory.dmp

Filesize
4KB

Download
memory/4868-20-0x0000000005900000-0x0000000005901000-memory.dmp

Filesize
4KB

Download
memory/4868-19-0x00000000057A0000-0x00000000057A1000-memory.dmp

Filesize
4KB

Download
memory/4868-18-0x0000000005AE0000-0x0000000005AE2000-memory.dmp

Filesize
8KB

Download
memory/4868-17-0x00000000058D0000-0x00000000058D1000-memory.dmp

Filesize
4KB

Download
memory/4868-15-0x0000000005840000-0x0000000005841000-memory.dmp

Filesize
4KB

Download
memory/4868-14-0x0000000005980000-0x0000000005981000-memory.dmp

Filesize
4KB

Download
memory/4868-13-0x00000000058F0000-0x00000000058F1000-memory.dmp

Filesize
4KB

Download
memory/4868-12-0x0000000005880000-0x0000000005881000-memory.dmp

Filesize
4KB

Download
memory/4868-26-0x00000000059C0000-0x00000000059C1000-memory.dmp

Filesize
4KB

Download
memory/4868-10-0x0000000005950000-0x0000000005951000-memory.dmp

Filesize
4KB

Download
memory/4868-23-0x00000000059B0000-0x00000000059B1000-memory.dmp

Filesize
4KB

Download
memory/4868-8-0x0000000005850000-0x0000000005851000-memory.dmp

Filesize
4KB

Download
memory/4868-7-0x0000000005890000-0x0000000005891000-memory.dmp

Filesize
4KB

Download
memory/4868-6-0x00000000057F0000-0x00000000057F1000-memory.dmp

Filesize
4KB

Download
memory/4868-0-0x0000000000400000-0x0000000000E96000-memory.dmp

Filesize
10.6MB

Download
memory/4868-4-0x00000000057E0000-0x00000000057E1000-memory.dmp

Filesize
4KB

Download
memory/4868-3-0x0000000005800000-0x0000000005802000-memory.dmp

Filesize
8KB

Download
memory/4868-2-0x0000000005810000-0x0000000005811000-memory.dmp

Filesize
4KB

Download
memory/4868-1-0x0000000005830000-0x0000000005831000-memory.dmp

Filesize
4KB

Download
memory/4868-11-0x00000000059A0000-0x00000000059A1000-memory.dmp

Filesize
4KB

Download
memory/4868-25-0x0000000005920000-0x0000000005921000-memory.dmp

Filesize
4KB

Download
memory/4868-24-0x00000000058B0000-0x00000000058B1000-memory.dmp

Filesize
4KB

Download
memory/4868-27-0x00000000058A0000-0x00000000058A1000-memory.dmp

Filesize
4KB

Download
memory/4868-29-0x0000000000400000-0x0000000000E96000-memory.dmp

Filesize
10.6MB

Download
memory/4868-30-0x0000000000400000-0x0000000000E96000-memory.dmp

Filesize
10.6MB

Download
memory/4868-42-0x00000000057A0000-0x00000000057A1000-memory.dmp

Filesize
4KB

Download
memory/4868-43-0x0000000005970000-0x0000000005971000-memory.dmp

Filesize
4KB

Download
memory/4868-81-0x0000000000400000-0x0000000000E96000-memory.dmp

Filesize
10.6MB

Download
memory/4868-82-0x0000000000400000-0x0000000000E96000-memory.dmp

Filesize
10.6MB

Download
memory/4868-83-0x0000000000400000-0x0000000000E96000-memory.dmp

Filesize
10.6MB

Download
memory/4868-84-0x0000000000400000-0x0000000000E96000-memory.dmp

Filesize
10.6MB

Download
memory/4868-85-0x0000000000400000-0x0000000000E96000-memory.dmp

Filesize
10.6MB

Download
memory/4868-86-0x0000000000400000-0x0000000000E96000-memory.dmp

Filesize
10.6MB

Download
memory/4868-87-0x0000000000400000-0x0000000000E96000-memory.dmp

Filesize
10.6MB

Download
memory/4868-88-0x0000000000400000-0x0000000000E96000-memory.dmp

Filesize
10.6MB

Download
memory/4868-89-0x0000000000400000-0x0000000000E96000-memory.dmp

Filesize
10.6MB

Download
memory/4868-90-0x0000000000400000-0x0000000000E96000-memory.dmp

Filesize
10.6MB

Download
memory/4868-91-0x0000000000400000-0x0000000000E96000-memory.dmp

Filesize
10.6MB

Download
memory/4868-92-0x0000000000400000-0x0000000000E96000-memory.dmp

Filesize
10.6MB

Download
memory/4868-93-0x0000000000400000-0x0000000000E96000-memory.dmp

Filesize
10.6MB

Download