Malware Analysis Report

2025-01-03 08:20

Sample ID 240706-gvgcnazhrf
Target 277f441499c1fb9ddf4d462c3b443b9e_JaffaCakes118
SHA256 05263375ffe64e8586c78e8e435007bff1f2a42684d48378eee68c07ba54a80e
Tags
metasploit backdoor evasion themida trojan upx
score
10/10

Analysis Overview

score
10/10

SHA256

05263375ffe64e8586c78e8e435007bff1f2a42684d48378eee68c07ba54a80e

Threat Level: Known bad

The file 277f441499c1fb9ddf4d462c3b443b9e_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

metasploit backdoor evasion themida trojan upx

Modifies security service

MetaSploit

Checks computer location settings

Executes dropped EXE

Identifies Wine through registry keys

Themida packer

UPX packed file

Loads dropped DLL

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Runs .reg file with regedit

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-06 06:07

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-06 06:07

Reported

2024-07-06 06:09

Platform

win7-20240704-en

Max time kernel

143s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\277f441499c1fb9ddf4d462c3b443b9e_JaffaCakes118.exe"

Signatures

MetaSploit

trojan backdoor metasploit

Modifies security service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\Jerm's.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Wine C:\Windows\SysWOW64\windows_update.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\277f441499c1fb9ddf4d462c3b443b9e_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Jerm's.exe N/A
N/A N/A C:\Windows\SysWOW64\windows_update.exe N/A

Themida packer

themida

UPX packed file

upx

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\windows_update.exe C:\Windows\SysWOW64\windows_update.exe N/A
File created C:\Windows\SysWOW64\windows_update.exe C:\Windows\SysWOW64\windows_update.exe N/A
File created C:\Windows\SysWOW64\windows_update.exe C:\Users\Admin\AppData\Local\Temp\Jerm's.exe N/A
File opened for modification C:\Windows\SysWOW64\windows_update.exe C:\Users\Admin\AppData\Local\Temp\Jerm's.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Easy Rapidshare Points Setup Log.txt C:\Users\Admin\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe N/A

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2624 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\277f441499c1fb9ddf4d462c3b443b9e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\install.exe
PID 2624 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\277f441499c1fb9ddf4d462c3b443b9e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\Jerm's.exe
PID 2632 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\install.exe C:\Users\Admin\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe
PID 2360 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\Jerm's.exe C:\Windows\SysWOW64\cmd.exe
PID 2572 wrote to memory of 2740 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 2360 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\Jerm's.exe C:\Windows\SysWOW64\windows_update.exe
PID 1752 wrote to memory of 1860 N/A C:\Windows\SysWOW64\windows_update.exe C:\Windows\SysWOW64\windows_update.exe
PID 1860 wrote to memory of 2480 N/A C:\Windows\SysWOW64\windows_update.exe C:\Windows\SysWOW64\cmd.exe
PID 2480 wrote to memory of 1776 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 1860 wrote to memory of 2420 N/A C:\Windows\SysWOW64\windows_update.exe C:\Windows\SysWOW64\windows_update.exe
PID 2420 wrote to memory of 304 N/A C:\Windows\SysWOW64\windows_update.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\277f441499c1fb9ddf4d462c3b443b9e_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\277f441499c1fb9ddf4d462c3b443b9e_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\install.exe

"C:\Users\Admin\AppData\Local\Temp\install.exe"

C:\Users\Admin\AppData\Local\Temp\Jerm's.exe

"C:\Users\Admin\AppData\Local\Temp\Jerm's.exe"

C:\Users\Admin\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe

__IRAOFF:520716 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\install.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\windows_update.exe

C:\Windows\system32\windows_update.exe 648 "C:\Users\Admin\AppData\Local\Temp\Jerm's.exe"

C:\Windows\SysWOW64\windows_update.exe

C:\Windows\system32\windows_update.exe 776 "C:\Windows\SysWOW64\windows_update.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\windows_update.exe

C:\Windows\system32\windows_update.exe 788 "C:\Windows\SysWOW64\windows_update.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\windows_update.exe

C:\Windows\system32\windows_update.exe 792 "C:\Windows\SysWOW64\windows_update.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\windows_update.exe

C:\Windows\system32\windows_update.exe 796 "C:\Windows\SysWOW64\windows_update.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\windows_update.exe

C:\Windows\system32\windows_update.exe 800 "C:\Windows\SysWOW64\windows_update.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\windows_update.exe

C:\Windows\system32\windows_update.exe 804 "C:\Windows\SysWOW64\windows_update.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\windows_update.exe

C:\Windows\system32\windows_update.exe 808 "C:\Windows\SysWOW64\windows_update.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\windows_update.exe

C:\Windows\system32\windows_update.exe 812 "C:\Windows\SysWOW64\windows_update.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\windows_update.exe

C:\Windows\system32\windows_update.exe 816 "C:\Windows\SysWOW64\windows_update.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\install.exe

MD5 21668854182822616124c714c5cb9c50
SHA1 0316c84cc63015398d7e8bd970099f80e8a1be3b
SHA256 2a9662c3c2af7916419a306d86b4b7fe82f87e3f770336c926cf40dfd5f088ef
SHA512 7b540a1b18eb9b9561fda051b78976ddcee4885be46deee5eccfbdd460159bca18b99a14164af16110cd736ba16e116d10d25a2871a6aadd31e8ffd69f631c29

C:\Users\Admin\AppData\Local\Temp\Jerm's.exe

MD5 84579454f55893badae4774a5ba1e3e5
SHA1 b06fc13d8d1cbd1ac6d8ffe06fbe08383424490c
SHA256 28053322a4bf87685897135790d15d4f1dffb26055e70a949f8a66ae3e72dcf1
SHA512 82fdadf376459fa6e9fabe322e76ea356ecdad00cf05a037ff703038285715ea0cf8439f30117c3d61fa7f6a04238b4e0c4f7497357b8c450b46d05899c88c16

\Users\Admin\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe

MD5 75ca7ff96bf5a316c3af2de6a412bd54
SHA1 0a093950790ff0dddff6f5f29c6b02c10997e0c5
SHA256 d95b5bf9ca97c1900de5357743282bab655d61d616606485088e1708559b7cf1
SHA512 b8da86f2f1e908955254e5168d0447f479cec7815a8b081a7b38eb87187cb2eb992109c67e006361b96bc1529ee8abc9dc477d78e9ca565e43f5415b492771d4

C:\a.bat

MD5 0019a0451cc6b9659762c3e274bc04fb
SHA1 5259e256cc0908f2846e532161b989f1295f479b
SHA256 ce4674afd978d1401596d22a0961f90c8fb53c5bd55649684e1a999c8cf77876
SHA512 314c23ec37cb0cd4443213c019c4541df968447353b422ef6fff1e7ddf6c983c80778787408b7ca9b81e580a6a7f1589ca7f43c022e6fc16182973580ed4d904

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 9e5db93bd3302c217b15561d8f1e299d
SHA1 95a5579b336d16213909beda75589fd0a2091f30
SHA256 f360fb5740172b6b4dd59c1ac30b480511665ae991196f833167e275d91f943e
SHA512 b5547e5047a3c43397ee846ff9d5979cba45ba44671db5c5df5536d9dc26262e27a8645a08e0cf35960a3601dc0f6f5fe8d47ae232c9ca44d6899e97d36fb25a

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-06 06:07

Reported

2024-07-06 06:09

Platform

win10v2004-20240704-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\277f441499c1fb9ddf4d462c3b443b9e_JaffaCakes118.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\277f441499c1fb9ddf4d462c3b443b9e_JaffaCakes118.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\Jerm's.exe N/A

Themida packer

themida

UPX packed file

upx

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Easy Rapidshare Points Setup Log.txt C:\Users\Admin\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe N/A

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2908 wrote to memory of 3312 N/A C:\Users\Admin\AppData\Local\Temp\277f441499c1fb9ddf4d462c3b443b9e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\install.exe
PID 3312 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\install.exe C:\Users\Admin\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe
PID 2908 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\Temp\277f441499c1fb9ddf4d462c3b443b9e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\Jerm's.exe

Processes

C:\Users\Admin\AppData\Local\Temp\277f441499c1fb9ddf4d462c3b443b9e_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\277f441499c1fb9ddf4d462c3b443b9e_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\install.exe

"C:\Users\Admin\AppData\Local\Temp\install.exe"

C:\Users\Admin\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe

__IRAOFF:520716 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\install.exe"

C:\Users\Admin\AppData\Local\Temp\Jerm's.exe

"C:\Users\Admin\AppData\Local\Temp\Jerm's.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 88.16.208.104.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\install.exe

MD5 21668854182822616124c714c5cb9c50
SHA1 0316c84cc63015398d7e8bd970099f80e8a1be3b
SHA256 2a9662c3c2af7916419a306d86b4b7fe82f87e3f770336c926cf40dfd5f088ef
SHA512 7b540a1b18eb9b9561fda051b78976ddcee4885be46deee5eccfbdd460159bca18b99a14164af16110cd736ba16e116d10d25a2871a6aadd31e8ffd69f631c29

C:\Users\Admin\AppData\Local\Temp\Jerm's.exe

MD5 84579454f55893badae4774a5ba1e3e5
SHA1 b06fc13d8d1cbd1ac6d8ffe06fbe08383424490c
SHA256 28053322a4bf87685897135790d15d4f1dffb26055e70a949f8a66ae3e72dcf1
SHA512 82fdadf376459fa6e9fabe322e76ea356ecdad00cf05a037ff703038285715ea0cf8439f30117c3d61fa7f6a04238b4e0c4f7497357b8c450b46d05899c88c16

C:\Users\Admin\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe

MD5 75ca7ff96bf5a316c3af2de6a412bd54
SHA1 0a093950790ff0dddff6f5f29c6b02c10997e0c5
SHA256 d95b5bf9ca97c1900de5357743282bab655d61d616606485088e1708559b7cf1
SHA512 b8da86f2f1e908955254e5168d0447f479cec7815a8b081a7b38eb87187cb2eb992109c67e006361b96bc1529ee8abc9dc477d78e9ca565e43f5415b492771d4
