Malware Analysis Report

2025-01-03 08:21

Sample ID 240706-j4wvtasapl
Target 27dc6b3f41d7a3c0455f4147234be0e0_JaffaCakes118
SHA256 c7caa041ca930baf0cb3ef335b78c9e8f974a70ed0467d02d8d0123b75a3da30
Tags themida metasploit backdoor evasion trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10

SHA256

c7caa041ca930baf0cb3ef335b78c9e8f974a70ed0467d02d8d0123b75a3da30

Threat Level: Known bad

The file 27dc6b3f41d7a3c0455f4147234be0e0_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

themida metasploit backdoor evasion trojan

MetaSploit

Loads dropped DLL

Executes dropped EXE

Identifies Wine through registry keys

Themida packer

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-06 08:13

Signatures

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-06 08:13

Reported

2024-07-06 08:16

Platform

win7-20240705-en

Max time kernel

150s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\27dc6b3f41d7a3c0455f4147234be0e0_JaffaCakes118.exe"

Signatures

MetaSploit

trojan backdoor metasploit

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Wine C:\Windows\SysWOW64\iexplarer .exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\27dc6b3f41d7a3c0455f4147234be0e0_JaffaCakes118.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\iexplarer .exe C:\Windows\SysWOW64\iexplarer .exe N/A
File created C:\Windows\SysWOW64\iexplarer .exe C:\Windows\SysWOW64\iexplarer .exe N/A
File created C:\Windows\SysWOW64\iexplarer .exe C:\Users\Admin\AppData\Local\Temp\27dc6b3f41d7a3c0455f4147234be0e0_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\iexplarer .exe C:\Users\Admin\AppData\Local\Temp\27dc6b3f41d7a3c0455f4147234be0e0_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2056 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\27dc6b3f41d7a3c0455f4147234be0e0_JaffaCakes118.exe C:\Windows\SysWOW64\iexplarer .exe
PID 2748 wrote to memory of 2200 N/A C:\Windows\SysWOW64\iexplarer .exe C:\Windows\SysWOW64\iexplarer .exe
PID 2200 wrote to memory of 1352 N/A C:\Windows\SysWOW64\iexplarer .exe C:\Windows\SysWOW64\iexplarer .exe
PID 1352 wrote to memory of 2244 N/A C:\Windows\SysWOW64\iexplarer .exe C:\Windows\SysWOW64\iexplarer .exe
PID 2244 wrote to memory of 864 N/A C:\Windows\SysWOW64\iexplarer .exe C:\Windows\SysWOW64\iexplarer .exe
PID 864 wrote to memory of 2152 N/A C:\Windows\SysWOW64\iexplarer .exe C:\Windows\SysWOW64\iexplarer .exe
PID 2152 wrote to memory of 2456 N/A C:\Windows\SysWOW64\iexplarer .exe C:\Windows\SysWOW64\iexplarer .exe
PID 2456 wrote to memory of 2720 N/A C:\Windows\SysWOW64\iexplarer .exe C:\Windows\SysWOW64\iexplarer .exe
PID 2720 wrote to memory of 2620 N/A C:\Windows\SysWOW64\iexplarer .exe C:\Windows\SysWOW64\iexplarer .exe
PID 2620 wrote to memory of 1988 N/A C:\Windows\SysWOW64\iexplarer .exe C:\Windows\SysWOW64\iexplarer .exe

Processes

C:\Users\Admin\AppData\Local\Temp\27dc6b3f41d7a3c0455f4147234be0e0_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\27dc6b3f41d7a3c0455f4147234be0e0_JaffaCakes118.exe"

C:\Windows\SysWOW64\iexplarer .exe

C:\Windows\system32\iexplarer .exe 664 "C:\Users\Admin\AppData\Local\Temp\27dc6b3f41d7a3c0455f4147234be0e0_JaffaCakes118.exe"

C:\Windows\SysWOW64\iexplarer .exe

C:\Windows\system32\iexplarer .exe 692 "C:\Windows\SysWOW64\iexplarer .exe"

C:\Windows\SysWOW64\iexplarer .exe

C:\Windows\system32\iexplarer .exe 700 "C:\Windows\SysWOW64\iexplarer .exe"

C:\Windows\SysWOW64\iexplarer .exe

C:\Windows\system32\iexplarer .exe 696 "C:\Windows\SysWOW64\iexplarer .exe"

C:\Windows\SysWOW64\iexplarer .exe

C:\Windows\system32\iexplarer .exe 712 "C:\Windows\SysWOW64\iexplarer .exe"

C:\Windows\SysWOW64\iexplarer .exe

C:\Windows\system32\iexplarer .exe 708 "C:\Windows\SysWOW64\iexplarer .exe"

C:\Windows\SysWOW64\iexplarer .exe

C:\Windows\system32\iexplarer .exe 716 "C:\Windows\SysWOW64\iexplarer .exe"

C:\Windows\SysWOW64\iexplarer .exe

C:\Windows\system32\iexplarer .exe 704 "C:\Windows\SysWOW64\iexplarer .exe"

C:\Windows\SysWOW64\iexplarer .exe

C:\Windows\system32\iexplarer .exe 724 "C:\Windows\SysWOW64\iexplarer .exe"

C:\Windows\SysWOW64\iexplarer .exe

C:\Windows\system32\iexplarer .exe 728 "C:\Windows\SysWOW64\iexplarer .exe"

Network

N/A

Files

C:\Windows\SysWOW64\iexplarer .exe

MD5 27dc6b3f41d7a3c0455f4147234be0e0
SHA1 d958d5f0d13a5175a66645a34843423e7f5e4ece
SHA256 c7caa041ca930baf0cb3ef335b78c9e8f974a70ed0467d02d8d0123b75a3da30
SHA512 9acb8e19586db457ce04fb560827fccec68390f609899367b963fc43308914d42e93ee1f92c265c4a1999b92f05d90b1044b2d9bde509fc235c33fd376121ca4

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-06 08:13

Reported

2024-07-06 08:16

Platform

win10v2004-20240704-en

Max time kernel

125s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\27dc6b3f41d7a3c0455f4147234be0e0_JaffaCakes118.exe"

Signatures

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\27dc6b3f41d7a3c0455f4147234be0e0_JaffaCakes118.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\27dc6b3f41d7a3c0455f4147234be0e0_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\27dc6b3f41d7a3c0455f4147234be0e0_JaffaCakes118.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4432,i,4226873509039249198,15952596839998010243,262144 --variations-seed-version --mojo-platform-channel-handle=4584 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp

Files

memory/3920-0-0x0000000000400000-0x000000000061B000-memory.dmp

memory/3920-1-0x0000000000400000-0x000000000061B000-memory.dmp