d72873cbf42783f9311aef41e03026b543cab51eb823e4747eb7e841dd4a0eef

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
09/07/2024, 12:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

307561f9490eb60be89f6aee2e17008d_JaffaCakes118.exe
Size

433KB
MD5

307561f9490eb60be89f6aee2e17008d
SHA1

bc7a9aba3b616f49c83094d97d1ee5c022d9df77
SHA256

d72873cbf42783f9311aef41e03026b543cab51eb823e4747eb7e841dd4a0eef
SHA512

0ea72c51913d33ccf0da19038148d2e086f69c70c3c17b149b02af69e2ab2e12e3a24297215bab64bb1b391be3fb420d7611ca1ba707f774bd26d19b6ded8e0e
SSDEEP

12288:TD/nJIJyK7tIXjdxbgktGYWwanqPn1PO4WbJPK:rQytGTwUGQ

Score

7^/10

evasion

Malware Config

Signatures

Executes dropped EXE 10 IoCs

pid	Process
592	winini.exe
1708	winini.exe
584	winini.exe
2284	winini.exe
1288	winini.exe
808	winini.exe
1756	winini.exe
2748	winini.exe
2752	winini.exe
2244	winini.exe

Identifies Wine through registry keys 2 TTPs 11 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Wine	winini.exe
Key opened	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Wine	winini.exe
Key opened	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Wine	winini.exe
Key opened	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Wine	winini.exe
Key opened	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Wine	winini.exe
Key opened	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Wine	winini.exe
Key opened	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Wine	winini.exe
Key opened	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Wine	winini.exe
Key opened	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Wine	winini.exe
Key opened	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Wine	307561f9490eb60be89f6aee2e17008d_JaffaCakes118.exe
Key opened	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Wine	winini.exe

Loads dropped DLL 20 IoCs

pid	Process
1564	307561f9490eb60be89f6aee2e17008d_JaffaCakes118.exe
1564	307561f9490eb60be89f6aee2e17008d_JaffaCakes118.exe
592	winini.exe
592	winini.exe
1708	winini.exe
1708	winini.exe
584	winini.exe
584	winini.exe
2284	winini.exe
2284	winini.exe
1288	winini.exe
1288	winini.exe
808	winini.exe
808	winini.exe
1756	winini.exe
1756	winini.exe
2748	winini.exe
2748	winini.exe
2752	winini.exe
2752	winini.exe

Drops file in System32 directory 22 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\winini.exe	307561f9490eb60be89f6aee2e17008d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\winini.exe	winini.exe
File created	C:\Windows\SysWOW64\winini.exe	winini.exe
File created	C:\Windows\SysWOW64\winini.exe	winini.exe
File created	C:\Windows\SysWOW64\winini.exe	winini.exe
File opened for modification	C:\Windows\SysWOW64\winini.exe	winini.exe
File created	C:\Windows\SysWOW64\winini.exe	winini.exe
File opened for modification	C:\Windows\SysWOW64\winini.exe	winini.exe
File opened for modification	C:\Windows\SysWOW64\winini.exe	winini.exe
File opened for modification	C:\Windows\SysWOW64\winini.exe	winini.exe
File created	C:\Windows\SysWOW64\winini.exe	winini.exe
File opened for modification	C:\Windows\SysWOW64\winini.exe	winini.exe
File created	C:\Windows\SysWOW64\winini.exe	winini.exe
File created	C:\Windows\SysWOW64\winini.exe	winini.exe
File opened for modification	C:\Windows\SysWOW64\winini.exe	winini.exe
File created	C:\Windows\SysWOW64\winini.exe	winini.exe
File created	C:\Windows\SysWOW64\winini.exe	winini.exe
File created	C:\Windows\SysWOW64\winini.exe	307561f9490eb60be89f6aee2e17008d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\winini.exe	winini.exe
File opened for modification	C:\Windows\SysWOW64\winini.exe	winini.exe
File opened for modification	C:\Windows\SysWOW64\winini.exe	winini.exe
File opened for modification	C:\Windows\SysWOW64\winini.exe	winini.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 1564 wrote to memory of 592	1564	307561f9490eb60be89f6aee2e17008d_JaffaCakes118.exe	30
PID 1564 wrote to memory of 592	1564	307561f9490eb60be89f6aee2e17008d_JaffaCakes118.exe	30
PID 1564 wrote to memory of 592	1564	307561f9490eb60be89f6aee2e17008d_JaffaCakes118.exe	30
PID 1564 wrote to memory of 592	1564	307561f9490eb60be89f6aee2e17008d_JaffaCakes118.exe	30
PID 592 wrote to memory of 1708	592	winini.exe	32
PID 592 wrote to memory of 1708	592	winini.exe	32
PID 592 wrote to memory of 1708	592	winini.exe	32
PID 592 wrote to memory of 1708	592	winini.exe	32
PID 1708 wrote to memory of 584	1708	winini.exe	33
PID 1708 wrote to memory of 584	1708	winini.exe	33
PID 1708 wrote to memory of 584	1708	winini.exe	33
PID 1708 wrote to memory of 584	1708	winini.exe	33
PID 584 wrote to memory of 2284	584	winini.exe	34
PID 584 wrote to memory of 2284	584	winini.exe	34
PID 584 wrote to memory of 2284	584	winini.exe	34
PID 584 wrote to memory of 2284	584	winini.exe	34
PID 2284 wrote to memory of 1288	2284	winini.exe	35
PID 2284 wrote to memory of 1288	2284	winini.exe	35
PID 2284 wrote to memory of 1288	2284	winini.exe	35
PID 2284 wrote to memory of 1288	2284	winini.exe	35
PID 1288 wrote to memory of 808	1288	winini.exe	36
PID 1288 wrote to memory of 808	1288	winini.exe	36
PID 1288 wrote to memory of 808	1288	winini.exe	36
PID 1288 wrote to memory of 808	1288	winini.exe	36
PID 808 wrote to memory of 1756	808	winini.exe	37
PID 808 wrote to memory of 1756	808	winini.exe	37
PID 808 wrote to memory of 1756	808	winini.exe	37
PID 808 wrote to memory of 1756	808	winini.exe	37
PID 1756 wrote to memory of 2748	1756	winini.exe	38
PID 1756 wrote to memory of 2748	1756	winini.exe	38
PID 1756 wrote to memory of 2748	1756	winini.exe	38
PID 1756 wrote to memory of 2748	1756	winini.exe	38
PID 2748 wrote to memory of 2752	2748	winini.exe	39
PID 2748 wrote to memory of 2752	2748	winini.exe	39
PID 2748 wrote to memory of 2752	2748	winini.exe	39
PID 2748 wrote to memory of 2752	2748	winini.exe	39
PID 2752 wrote to memory of 2244	2752	winini.exe	40
PID 2752 wrote to memory of 2244	2752	winini.exe	40
PID 2752 wrote to memory of 2244	2752	winini.exe	40
PID 2752 wrote to memory of 2244	2752	winini.exe	40

C:\Users\Admin\AppData\Local\Temp\307561f9490eb60be89f6aee2e17008d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\307561f9490eb60be89f6aee2e17008d_JaffaCakes118.exe"
1⤵
- Identifies Wine through registry keys
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1564
- C:\Windows\SysWOW64\winini.exe
  C:\Windows\system32\winini.exe 636 "C:\Users\Admin\AppData\Local\Temp\307561f9490eb60be89f6aee2e17008d_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:592
- - C:\Windows\SysWOW64\winini.exe
    C:\Windows\system32\winini.exe 688 "C:\Windows\SysWOW64\winini.exe"
    3⤵
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:1708
  - - C:\Windows\SysWOW64\winini.exe
      C:\Windows\system32\winini.exe 692 "C:\Windows\SysWOW64\winini.exe"
      4⤵
      Executes dropped EXE
      Identifies Wine through registry keys
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:584
    - - C:\Windows\SysWOW64\winini.exe
        
        C:\Windows\system32\winini.exe 696 "C:\Windows\SysWOW64\winini.exe"
        5⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2284
      - C:\Windows\SysWOW64\winini.exe
        
        C:\Windows\system32\winini.exe 704 "C:\Windows\SysWOW64\winini.exe"
        6⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1288
        
        C:\Windows\SysWOW64\winini.exe
        
        C:\Windows\system32\winini.exe 700 "C:\Windows\SysWOW64\winini.exe"
        7⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:808
        
        C:\Windows\SysWOW64\winini.exe
        
        C:\Windows\system32\winini.exe 708 "C:\Windows\SysWOW64\winini.exe"
        8⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1756
        
        C:\Windows\SysWOW64\winini.exe
        
        C:\Windows\system32\winini.exe 716 "C:\Windows\SysWOW64\winini.exe"
        9⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2748
        
        C:\Windows\SysWOW64\winini.exe
        
        C:\Windows\system32\winini.exe 712 "C:\Windows\SysWOW64\winini.exe"
        10⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2752
        
        C:\Windows\SysWOW64\winini.exe
        
        C:\Windows\system32\winini.exe 724 "C:\Windows\SysWOW64\winini.exe"
        11⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Drops file in System32 directory
        
        PID:2244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\winini.exe

Filesize
433KB

MD5
307561f9490eb60be89f6aee2e17008d

SHA1
bc7a9aba3b616f49c83094d97d1ee5c022d9df77

SHA256
d72873cbf42783f9311aef41e03026b543cab51eb823e4747eb7e841dd4a0eef

SHA512
0ea72c51913d33ccf0da19038148d2e086f69c70c3c17b149b02af69e2ab2e12e3a24297215bab64bb1b391be3fb420d7611ca1ba707f774bd26d19b6ded8e0e

Download Submit
memory/584-49-0x0000000000400000-0x000000000054E000-memory.dmp

Filesize
1.3MB

Download
memory/584-47-0x0000000004730000-0x000000000487E000-memory.dmp

Filesize
1.3MB

Download
memory/584-43-0x0000000000400000-0x000000000054E000-memory.dmp

Filesize
1.3MB

Download
memory/584-42-0x0000000000400000-0x000000000054E000-memory.dmp

Filesize
1.3MB

Download
memory/584-40-0x0000000000400000-0x000000000054E000-memory.dmp

Filesize
1.3MB

Download
memory/592-23-0x0000000000400000-0x000000000054E000-memory.dmp

Filesize
1.3MB

Download
memory/592-21-0x0000000000400000-0x000000000054E000-memory.dmp

Filesize
1.3MB

Download
memory/592-19-0x0000000000400000-0x000000000054E000-memory.dmp

Filesize
1.3MB

Download
memory/592-31-0x0000000000400000-0x000000000054E000-memory.dmp

Filesize
1.3MB

Download
memory/592-29-0x0000000004740000-0x000000000488E000-memory.dmp

Filesize
1.3MB

Download
memory/592-24-0x0000000000400000-0x000000000054E000-memory.dmp

Filesize
1.3MB

Download
memory/592-25-0x0000000000400000-0x000000000054E000-memory.dmp

Filesize
1.3MB

Download
memory/808-64-0x0000000000400000-0x000000000054E000-memory.dmp

Filesize
1.3MB

Download
memory/808-61-0x0000000000400000-0x000000000054E000-memory.dmp

Filesize
1.3MB

Download
memory/808-69-0x0000000000400000-0x000000000054E000-memory.dmp

Filesize
1.3MB

Download
memory/1288-63-0x0000000000400000-0x000000000054E000-memory.dmp

Filesize
1.3MB

Download
memory/1288-54-0x0000000000400000-0x000000000054E000-memory.dmp

Filesize
1.3MB

Download
memory/1288-60-0x0000000004640000-0x000000000478E000-memory.dmp

Filesize
1.3MB

Download
memory/1288-56-0x0000000000400000-0x000000000054E000-memory.dmp

Filesize
1.3MB

Download
memory/1564-2-0x0000000000400000-0x000000000054E000-memory.dmp

Filesize
1.3MB

Download
memory/1564-5-0x0000000000400000-0x000000000054E000-memory.dmp

Filesize
1.3MB

Download
memory/1564-18-0x0000000004690000-0x00000000047DE000-memory.dmp

Filesize
1.3MB

Download
memory/1564-3-0x0000000000400000-0x000000000054E000-memory.dmp

Filesize
1.3MB

Download
memory/1564-4-0x0000000000400000-0x000000000054E000-memory.dmp

Filesize
1.3MB

Download
memory/1564-17-0x0000000004690000-0x00000000047DE000-memory.dmp

Filesize
1.3MB

Download
memory/1564-1-0x0000000000401000-0x0000000000413000-memory.dmp

Filesize
72KB

Download
memory/1564-9-0x0000000000400000-0x000000000054E000-memory.dmp

Filesize
1.3MB

Download
memory/1564-0-0x0000000000400000-0x000000000054E000-memory.dmp

Filesize
1.3MB

Download
memory/1708-30-0x0000000000400000-0x000000000054E000-memory.dmp

Filesize
1.3MB

Download
memory/1708-34-0x0000000000400000-0x000000000054E000-memory.dmp

Filesize
1.3MB

Download
memory/1708-32-0x0000000000400000-0x000000000054E000-memory.dmp

Filesize
1.3MB

Download
memory/1708-36-0x0000000000400000-0x000000000054E000-memory.dmp

Filesize
1.3MB

Download
memory/1708-38-0x0000000004740000-0x000000000488E000-memory.dmp

Filesize
1.3MB

Download
memory/1756-75-0x0000000000400000-0x000000000054E000-memory.dmp

Filesize
1.3MB

Download
memory/1756-68-0x0000000000400000-0x000000000054E000-memory.dmp

Filesize
1.3MB

Download
memory/1756-70-0x0000000000400000-0x000000000054E000-memory.dmp

Filesize
1.3MB

Download
memory/2244-88-0x0000000000400000-0x000000000054E000-memory.dmp

Filesize
1.3MB

Download
memory/2244-86-0x0000000000400000-0x000000000054E000-memory.dmp

Filesize
1.3MB

Download
memory/2284-50-0x0000000000400000-0x000000000054E000-memory.dmp

Filesize
1.3MB

Download
memory/2284-48-0x0000000000400000-0x000000000054E000-memory.dmp

Filesize
1.3MB

Download
memory/2284-55-0x0000000000400000-0x000000000054E000-memory.dmp

Filesize
1.3MB

Download
memory/2748-74-0x0000000000400000-0x000000000054E000-memory.dmp

Filesize
1.3MB

Download
memory/2748-76-0x0000000000400000-0x000000000054E000-memory.dmp

Filesize
1.3MB

Download
memory/2748-81-0x0000000000400000-0x000000000054E000-memory.dmp

Filesize
1.3MB

Download
memory/2752-80-0x0000000000400000-0x000000000054E000-memory.dmp

Filesize
1.3MB

Download
memory/2752-82-0x0000000000400000-0x000000000054E000-memory.dmp

Filesize
1.3MB

Download
memory/2752-87-0x0000000000400000-0x000000000054E000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads