e44dd104bcf538073e4bfbe1f0725f46657fa21474a8d6e4726672f532a50d90

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
28-06-2024 06:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1915523109e860513bcc74c06fde3ded_JaffaCakes118.dll
Size

738KB
MD5

1915523109e860513bcc74c06fde3ded
SHA1

faa84c3bf20406d0af498e12c07461410f06bf49
SHA256

e44dd104bcf538073e4bfbe1f0725f46657fa21474a8d6e4726672f532a50d90
SHA512

c1c33b50f99b76fce6b384088ccb522a3f5340ddef53ee0e40403f831bfe294ab29c13296040987deea2a1168840082020a207765c2aa5a04f7d033159cf5299
SSDEEP

12288:raCvOI3Oua/X/ruUlxFzZYG8dpzVFh15q4ueVLL9qcqeVyhzB+/wJf/PZVx5Xn5a:rDOI3/WX/qaxgjdpzVFh1Y4uepL9qbhA

Score

7^/10

evasion

Malware Config

Signatures

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Wine	rundll32.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2592	rundll32.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2592	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 836 wrote to memory of 2592	836	rundll32.exe	28
PID 836 wrote to memory of 2592	836	rundll32.exe	28
PID 836 wrote to memory of 2592	836	rundll32.exe	28
PID 836 wrote to memory of 2592	836	rundll32.exe	28
PID 836 wrote to memory of 2592	836	rundll32.exe	28
PID 836 wrote to memory of 2592	836	rundll32.exe	28
PID 836 wrote to memory of 2592	836	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1915523109e860513bcc74c06fde3ded_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:836
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\1915523109e860513bcc74c06fde3ded_JaffaCakes118.dll,#1
  2⤵
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:2592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2592-0-0x0000000010000000-0x00000000101C3000-memory.dmp

Filesize
1.8MB

Download
memory/2592-1-0x0000000010000000-0x00000000101C3000-memory.dmp

Filesize
1.8MB

Download
memory/2592-2-0x0000000010000000-0x00000000101C3000-memory.dmp

Filesize
1.8MB

Download
memory/2592-3-0x0000000000A80000-0x0000000000A8E000-memory.dmp

Filesize
56KB

Download