8d87897242b12a5327ce2f4d6b5087a9a7c6071722c34e849b95730d6b7c1134

Sharing

Copy URL Twitter E-mail

General

Target

1c681c9ae94281673fa9bdf08dc0f8ee_JaffaCakes118
Size

16.5MB
Sample

240701-zclhrssbkk
MD5

1c681c9ae94281673fa9bdf08dc0f8ee
SHA1

9432b0f0f26d55232ec19b0c4efaed4c03efc240
SHA256

8d87897242b12a5327ce2f4d6b5087a9a7c6071722c34e849b95730d6b7c1134
SHA512

011de9f8ec808ff93c13d809dc2eea5bdad26308580a56b068fa2c9c9e948c1bbf6092fe95e085963a84fe1e5bbd68d9aa4e6c374dbdfb0b6dce7e90695146b8
SSDEEP

393216:yT8WvoJ5bUouU0x9//O/Tssgkj9QGf+bpgckJz+oEC/bE:S6J5bM//O/47LlTkJz+cQ

Score

9^/10

evasion themida

Malware Config

Targets

- Target
  
  l2text/server_help.htm
- Size
  
  1008B
- MD5
  
  8ca4068d7cf9bf1e6cecaf7236b06df6
- SHA1
  
  810f62ae006d5f5f6c187a285322ae42b2c9e027
- SHA256
  
  3364475c70b49af969e0611c88bf02e204582b5bbef8835ebc42783e54749efb
- SHA512
  
  e5ccbe4e45bac2cbf74705ce7c8b449aff158041b1dcbbd3fd38d7f0dae5b1a6791c9c7308a0cae7f57cfbb98e6508753389dcc8ea7d0d7189929f32e70b858b
Score

1^/10
behavioral1 behavioral2
- Target
  
  system/ALAudio.dll
- Size
  
  344KB
- MD5
  
  9bbf6199558ae72f3cb8c54d4a09009f
- SHA1
  
  03eb84dccc2d1fed57d8d647e22ad13b2d9acfe5
- SHA256
  
  7e0c506bd1200c6eb681096a2db22dc134e78c2d64b06a4e69da0dc0e0db3881
- SHA512
  
  745a4cdadbf4602267f53b8e4f6f93317f38279983ea3fe18607960b0f84a60f57fa13a203ac34086d697b4d8365071070f412c7d492073a8f4b7112a9c92744
- SSDEEP
  
  3072:bxBEFpziJOdFWFvrhwMTsdRei8DptLivDJVpQ6BOMEvOBXw2RklAg/:5JOdFqdQsMDOTvf2Ry
Score

7^/10

evasion themida
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
behavioral3 behavioral4
- Target
  
  system/Core.dll
- Size
  
  1.3MB
- MD5
  
  b519540b5f7f5b9153263ecb492e88cc
- SHA1
  
  b3a75a5e15bfc43a5201b978550fa1f146596af3
- SHA256
  
  d83449b1cdf0ac717a98be9289caab03cb507324a696ef449e31369e28416639
- SHA512
  
  39d66e0bd54a1e51b9c8125132ac958fdeddd795cd22e2786e8bd2eaa15fe8713e735a5bd8a705459ac6312c573b0d8bf0cef0ad71cb94036582e228db3db583
- SSDEEP
  
  12288:v6t2hLXA49xfvuIEU1GG+MTc4WPqu24xHnXhPU:eaA0+bwGocDd26U
Score

3^/10
behavioral5 behavioral6
- Target
  
  system/D3DDrv.dll
- Size
  
  1.2MB
- MD5
  
  8ab869364379486f220259fa1c6c7d90
- SHA1
  
  9f05d1fff78e8edf397797a9a6bc7c22c4572e3a
- SHA256
  
  2b496d235cca529b6180588a987ca0059600a2323193d96e87b90014105be0c2
- SHA512
  
  3c9eec9ad1d8517881a03d5cb4368e6a2abc0d13f62ca1d6506457790c7718ade0def55e05937ec7b35ea4fef288b708648512d14d0f00b8d2abc365e865331b
- SSDEEP
  
  12288:INzIsboKAswrxh8wMYp2tVSvVVkw/iUYVOK8B7plnZu0VHMqGX0Ou18z/AntRoaF:seHkw/lD5nE0VsqJmz/Afoafd2hnbY
Score

7^/10

evasion themida
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
behavioral7 behavioral8
- Target
  
  system/Fire.dll
- Size
  
  308KB
- MD5
  
  385a0193e336a2f2f8d549bd3c5310a4
- SHA1
  
  76bcee3e3cde7a8a02549cd32d30ba5ff0050f40
- SHA256
  
  fbdab449469d1b469b87db48c6e321c419d24263a401bfd9d0b02172cdfe6c5b
- SHA512
  
  35aa2dbed80020c22810299d1ce5205400c422d13505f63e2d4a4922fb766697f5b1eddf212049cf0241edff8a7ab2f4c5c5d7754ddb79e081fda1ad62f898fa
- SSDEEP
  
  3072:+AshkEC+niW81TLmvz5u/p3T9R4VLioH7D5kVOqBGPYz:0yKvz5uh3TwDSVOJPYz
Score

7^/10

evasion themida
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
behavioral10 behavioral9
- Target
  
  system/GameGuard.des
- Size
  
  149KB
- MD5
  
  f81a1da22f5ad2acf02916bc17f3d0f7
- SHA1
  
  08e504c17bbaadecbaa604f3915b329cdd37a4fc
- SHA256
  
  1ead3f96bf1be83fc648eb26dc99fd5b3f15c6a112e1178cc495995622e0bf31
- SHA512
  
  b89d5ba1eac653444bb0bfa2f795c480b94159363736872109ed237343256575ddc14323bda36a9c1e909a7000518950800a7765a684c75a883699af42891031
- SSDEEP
  
  3072:+d2tHphj7nXabUZyM1C8H6lTjYzO1GRxtp//xbmM2Sh9uJuJbn09E:+d2pphPnYUZyM1Z6KS8RxfBD289cqF
Score

1^/10
behavioral11 behavioral12
- Target
  
  system/IpDrv.dll
- Size
  
  480KB
- MD5
  
  4dcd3f45a05b962b458b13969c5f906b
- SHA1
  
  decf92878fefb16636a66fe2606153eae03a8538
- SHA256
  
  32d65382123b5c33f21de3b7a85ff5b2777394224eda6aacbcc7a7d3581682ef
- SHA512
  
  0b2ed6663b47d874e09b410b57b31fc7272d739e94144f9e6a69f12c323ea06af685990bee797bcf15ddf33f9716ce16703e07f4a3fe60defc15062760958dca
- SSDEEP
  
  6144:X2iBNXN9cA22sPobXKACsY1UayLQ2SC0z50GCqAumC7:miBpN9cA22sPobXhCOayLozSC7
Score

7^/10

evasion themida
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
behavioral13 behavioral14
- Target
  
  system/NWindow.dll
- Size
  
  3.7MB
- MD5
  
  4ad629893c278777987da63a2792c6ad
- SHA1
  
  ba5ebcaabf71c3b0843a787a61d5febf6e0d3ced
- SHA256
  
  cb85f7a5de375f1e9156ec6559aae2a0a809b3abac4150142aafb14bbf02b47b
- SHA512
  
  3c5d9bde850d998b8e4b4403bf609ccf3468852479f4d530fec353a25b50030b5d479137d770550c340b04d7ad32b80845a1c246d69f4c6f96e4ef24dcba4b27
- SSDEEP
  
  49152:njHty+e1uSietqwFf90z+pGsALNJIJdeoWqCRqNmcWlO+Xnm:j/eAgtf90psVIoWXq2lfXm
Score

7^/10

evasion themida
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
behavioral15 behavioral16
- Target
  
  system/WinDrv.dll
- Size
  
  616KB
- MD5
  
  a01ca9cbe89ce9ab665ba4d64cf15865
- SHA1
  
  9f65a3dbbb563f10271bcc5e313fb84309feaee3
- SHA256
  
  41e8872c53c7f36cf6abba398b0439845f923853059be145f5cfee8d781c7f58
- SHA512
  
  b655eadd1a0c726b737cb42ca96211dc7322ae653b2bbb32da60e8c0c580ab01f0a2573844ed9c2e8a0ac545433f32507a085255f7f28796b2a3a58221ac122f
- SSDEEP
  
  6144:63Hn0D/H/ZCmILfeeqnjahQYRxUkUcIE6hqw:63n0D+e7FMw
Score

7^/10

evasion themida
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
behavioral17 behavioral18
- Target
  
  system/Window.dll
- Size
  
  732KB
- MD5
  
  769b7a97b3ef8693dcedef0916005767
- SHA1
  
  056a25577b69f1c16ba5c8601c260bd42bc5a350
- SHA256
  
  142867e4df7fb0778533382ef115f722faf20649939dd2afebee548952af0dfe
- SHA512
  
  84b14d08c08c47c34121e20490b2cf95486c48323565801f506fd1285df08b100ab7510513805943215c6726b20ab69d8df1ff3d50d489b6213c5e24762b54db
- SSDEEP
  
  12288:dZWd3Br71oL9YzLdAbvkmR+ADLpJq4kina1gsu/pNdS3Pj23i5sITak+8cOGl+BT:3WdR/1oL9YzLdAbvkmR+ADLpJq4kinaD
Score

7^/10

evasion themida
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
behavioral19 behavioral20
- Target
  
  system/defopenal32.dll
- Size
  
  100KB
- MD5
  
  ecab7cb66244bfb9fd926adbdeeb0412
- SHA1
  
  9cd97557af12f2b0ccac1e19af73e7b1a4b9c278
- SHA256
  
  96ec36c0631c73072423ad6eb35f07588b37ceb770cc145073a844a7086c20ca
- SHA512
  
  0d368b4b575fed997f27f59ec7df3c7e67c359305a37e965e79c1d3271d2abfc116af6cf2df1e2a47f0362e92e684f527432a76dba313db0014fa6aed25f6d2b
- SSDEEP
  
  1536:wTDBxWtq+3vbB3IdSJmKscrdz/SaJ3congq2Z3:wTFYD/bB3IGLLJ3congq2Z
Score

3^/10
behavioral21 behavioral22
- Target
  
  system/dsetup.dll
- Size
  
  548KB
- MD5
  
  74056fcc7f6c0730407e1d3d65d0679f
- SHA1
  
  842623590186cc7b8c6c1ce1bec0e68043694982
- SHA256
  
  0fabb928dba7be1c515ba340ea7808f9d0fdded2cce78946ece58573b15aa439
- SHA512
  
  4a5715251b8ad492337b0c0f7553d1ee28d64f4668fa9c478003151e32e7591c92d9c839389f495688925a9156ba0c679a959331fd8c57c72ae1bfdbc595b8a5
- SSDEEP
  
  12288:LOZdbzWutLOdYeajKgh8fKwsY9mJtmNWoqJSRJovEIQ:SZ7tSmL2gmSpYns4iQ
Score

9^/10

evasion
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral23 behavioral24
- Target
  
  system/encvag.dll
- Size
  
  147KB
- MD5
  
  dc48574dc8c7b4df5708a53af50afe8a
- SHA1
  
  fe1a8f55d9f4858de2a663c956c0050869d4c5d6
- SHA256
  
  c888278386ad6f171af5db05ab9d892e103fedf5fefa2c859634bae3206620e8
- SHA512
  
  8b8b9173ae17ad5f7eccc5c9b182327dcd0890eeddf3947b95c6747fb9c19ba8d416436b074f52ce059240b8babb00621fa5f69ca81d9c58dcfad4701372cec9
- SSDEEP
  
  3072:IWKgct047rv7SEDBdphwrDON//TpBnVjeJgTRuCp:IWKgOLvDSEDBV1p0WFp
Score

1^/10
behavioral25 behavioral26
- Target
  
  system/engine.dll
- Size
  
  29.0MB
- MD5
  
  15b4c32becfd1d4dc675d5f4a99fec3e
- SHA1
  
  d6afdadbf07cab92fb8c039f5132c57fb4785ec0
- SHA256
  
  8ec6a9138db2c91884c7f9e7936d3f3ee61c08024cc22d45b477a86997151d78
- SHA512
  
  224aa25640fb2fced8f6eaa5eb8c546f0d560b5da55a963951a6c0d43fb3a0fb2d84503e160a17bb1492240b814a4d37d3f702f666061ad6aa6cb436a782400d
- SSDEEP
  
  98304:/stI4BejbOHL7nhVacdxI2dLcGX+xXalP8f4Ev31yDgr0u9LSqUoJ:yej6ZMSXdMsPv61y60upSy
Score

7^/10

evasion themida
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
behavioral27 behavioral28
- Target
  
  system/ifc23.dll
- Size
  
  228KB
- MD5
  
  3a1970d3e997b018fbc776560740b95e
- SHA1
  
  7aef4ff0fbfa4ab39331a4e63939b43b265a6a76
- SHA256
  
  2a4751b579ab8b68585d61dcef08fa6e9f5b853ce429b026e18a83ae1960fb1c
- SHA512
  
  7a1fe0acf586b63a514608fa12096c11cdc058f4d36ae9681cee3a42fddae9c9cdd6245472ae3e848761081406a732c0f995a3db477637c2ef1953898abc98e2
- SSDEEP
  
  3072:wl6XLRFlPbMb8dBI2pzhQMqJ+GepSkJGQQJHo0wPI+E5aWl:XfY8dHJhQMqw/D8WkUk
Score

3^/10
behavioral29 behavioral30
- Target
  
  system/l2.exe
- Size
  
  480KB
- MD5
  
  23566916e2f5f164ff752e23d8c61491
- SHA1
  
  5955e26b53e999561a9507444a2997dbdefcb258
- SHA256
  
  790d9068796714389d82a400d14d26dcb9e6ecdfc6c2b5eba92ebd1a441b10ee
- SHA512
  
  90b1a91dff7675ddd840e62036af31fe61fb3ac7cddb9e079db6c4293258985052e086883d380a685fb78915d40fc308b896589d7f5e305289f86673a0739c9d
- SSDEEP
  
  6144:7WIUWVAaGtriPUm4Z6edMv5zTuu1nXsaz2:7W5WqwPU93M5TuiXsf
Score

9^/10

evasion themida
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral31 behavioral32

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Targets

Identifies Wine through registry keys

Themida packer

Identifies Wine through registry keys

Themida packer

Identifies Wine through registry keys

Themida packer

Identifies Wine through registry keys

Themida packer

Identifies Wine through registry keys

Themida packer

Identifies Wine through registry keys

Themida packer

Identifies Wine through registry keys

Themida packer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks BIOS information in registry

Identifies Wine through registry keys

Suspicious use of NtSetInformationThreadHideFromDebugger

Identifies Wine through registry keys

Themida packer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks BIOS information in registry

Identifies Wine through registry keys

Themida packer

Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24

behavioral25

behavioral26

behavioral27

behavioral28

behavioral29

behavioral30

behavioral31

behavioral32