7c87b7953ba0b604fea3b5ada686c8131127b3ec984f9ab5a692f0e8ac03a171

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
10-07-2024 02:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

330a174212b873f5ffcbba229ae046fd_JaffaCakes118.exe
Size

1.9MB
MD5

330a174212b873f5ffcbba229ae046fd
SHA1

bdc946075395586c83c1c837ce81cef654d42cc8
SHA256

7c87b7953ba0b604fea3b5ada686c8131127b3ec984f9ab5a692f0e8ac03a171
SHA512

17dbc8df5143b31bafaf19d1075b5ca529cb16ebb9840157cd67ae54550483635cbab207bb94a99730198dbc04f238e37b1bb90bd4e75bd9d2e3aee5e67595c1
SSDEEP

49152:CElYNxvF0vNNF/UXGh6zv0HdyAC0P2YiH:CjN1FANF/UXGgzs52YE

Score

10^/10

evasion persistence themida

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\fservice.exe"	330a174212b873f5ffcbba229ae046fd_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\fservice.exe"	services.exe

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\DirectX For Microsoft® Windows = "C:\\Windows\\system32\\fservice.exe"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	330a174212b873f5ffcbba229ae046fd_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\DirectX For Microsoft® Windows = "C:\\Windows\\system32\\fservice.exe"	330a174212b873f5ffcbba229ae046fd_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	services.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 5 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\	330a174212b873f5ffcbba229ae046fd_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\StubPath = "C:\\Windows\\system\\sservice.exe"	330a174212b873f5ffcbba229ae046fd_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\StubPath = "C:\\Windows\\system\\sservice.exe"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}	330a174212b873f5ffcbba229ae046fd_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
2548	fservice.exe
1252	services.exe

Identifies Wine through registry keys 2 TTPs 3 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Wine	330a174212b873f5ffcbba229ae046fd_JaffaCakes118.exe
Key opened	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Wine	fservice.exe
Key opened	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Wine	services.exe

Loads dropped DLL 6 IoCs

pid	Process
2448	330a174212b873f5ffcbba229ae046fd_JaffaCakes118.exe
2448	330a174212b873f5ffcbba229ae046fd_JaffaCakes118.exe
1252	services.exe
1252	services.exe
2548	fservice.exe
2448	330a174212b873f5ffcbba229ae046fd_JaffaCakes118.exe

Themida packer 31 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/2448-0-0x0000000000400000-0x0000000000919000-memory.dmp	themida
behavioral1/memory/2448-10-0x0000000000400000-0x0000000000919000-memory.dmp	themida
behavioral1/files/0x0005000000011c2f-17.dat	themida
behavioral1/memory/2548-19-0x0000000000400000-0x0000000000919000-memory.dmp	themida
behavioral1/memory/2548-20-0x0000000000400000-0x0000000000919000-memory.dmp	themida
behavioral1/memory/2548-22-0x0000000000400000-0x0000000000919000-memory.dmp	themida
behavioral1/memory/2448-28-0x0000000000400000-0x0000000000919000-memory.dmp	themida
behavioral1/memory/2548-29-0x0000000000400000-0x0000000000919000-memory.dmp	themida
behavioral1/memory/2548-24-0x0000000000400000-0x0000000000919000-memory.dmp	themida
behavioral1/memory/1252-39-0x0000000000400000-0x0000000000919000-memory.dmp	themida
behavioral1/memory/1252-38-0x0000000000400000-0x0000000000919000-memory.dmp	themida
behavioral1/memory/1252-37-0x0000000000400000-0x0000000000919000-memory.dmp	themida
behavioral1/memory/1252-43-0x0000000000400000-0x0000000000919000-memory.dmp	themida
behavioral1/memory/2548-53-0x0000000000400000-0x0000000000919000-memory.dmp	themida
behavioral1/memory/2448-55-0x0000000000400000-0x0000000000919000-memory.dmp	themida
behavioral1/memory/1252-57-0x0000000000400000-0x0000000000919000-memory.dmp	themida
behavioral1/memory/1252-58-0x0000000000400000-0x0000000000919000-memory.dmp	themida
behavioral1/memory/1252-59-0x0000000000400000-0x0000000000919000-memory.dmp	themida
behavioral1/memory/1252-60-0x0000000000400000-0x0000000000919000-memory.dmp	themida
behavioral1/memory/1252-61-0x0000000000400000-0x0000000000919000-memory.dmp	themida
behavioral1/memory/1252-62-0x0000000000400000-0x0000000000919000-memory.dmp	themida
behavioral1/memory/1252-63-0x0000000000400000-0x0000000000919000-memory.dmp	themida
behavioral1/memory/1252-64-0x0000000000400000-0x0000000000919000-memory.dmp	themida
behavioral1/memory/1252-65-0x0000000000400000-0x0000000000919000-memory.dmp	themida
behavioral1/memory/1252-66-0x0000000000400000-0x0000000000919000-memory.dmp	themida
behavioral1/memory/1252-67-0x0000000000400000-0x0000000000919000-memory.dmp	themida
behavioral1/memory/1252-68-0x0000000000400000-0x0000000000919000-memory.dmp	themida
behavioral1/memory/1252-69-0x0000000000400000-0x0000000000919000-memory.dmp	themida
behavioral1/memory/1252-70-0x0000000000400000-0x0000000000919000-memory.dmp	themida
behavioral1/memory/1252-71-0x0000000000400000-0x0000000000919000-memory.dmp	themida
behavioral1/memory/1252-72-0x0000000000400000-0x0000000000919000-memory.dmp	themida

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	330a174212b873f5ffcbba229ae046fd_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	services.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\fservice.exe	330a174212b873f5ffcbba229ae046fd_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\fservice.exe	330a174212b873f5ffcbba229ae046fd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\fservice.exe	fservice.exe
File opened for modification	C:\Windows\SysWOW64\fservice.exe	fservice.exe
File created	C:\Windows\SysWOW64\winkey.dll	services.exe
File created	C:\Windows\SysWOW64\reginv.dll	services.exe
File created	C:\Windows\SysWOW64\fservice.exe	services.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system\sservice.exe	services.exe
File created	C:\Windows\system\sservice.exe	330a174212b873f5ffcbba229ae046fd_JaffaCakes118.exe
File opened for modification	C:\Windows\system\sservice.exe	330a174212b873f5ffcbba229ae046fd_JaffaCakes118.exe
File created	C:\Windows\services.exe	fservice.exe
File opened for modification	C:\Windows\services.exe	fservice.exe
File created	C:\Windows\system\sservice.exe	fservice.exe
File opened for modification	C:\Windows\system\sservice.exe	fservice.exe
File created	C:\Windows\system\sservice.exe	services.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2448	330a174212b873f5ffcbba229ae046fd_JaffaCakes118.exe
2548	fservice.exe
1252	services.exe
1252	services.exe
1252	services.exe
1252	services.exe
1252	services.exe
1252	services.exe
1252	services.exe
1252	services.exe
1252	services.exe
1252	services.exe
1252	services.exe
1252	services.exe
1252	services.exe
1252	services.exe
1252	services.exe
1252	services.exe
1252	services.exe
1252	services.exe
1252	services.exe
1252	services.exe
1252	services.exe
1252	services.exe
1252	services.exe
1252	services.exe
1252	services.exe
1252	services.exe
1252	services.exe
1252	services.exe
1252	services.exe
1252	services.exe
1252	services.exe
1252	services.exe
1252	services.exe
1252	services.exe
1252	services.exe
1252	services.exe
1252	services.exe
1252	services.exe
1252	services.exe
1252	services.exe
1252	services.exe
1252	services.exe
1252	services.exe
1252	services.exe
1252	services.exe
1252	services.exe
1252	services.exe
1252	services.exe
1252	services.exe
1252	services.exe
1252	services.exe
1252	services.exe
1252	services.exe
1252	services.exe
1252	services.exe
1252	services.exe
1252	services.exe
1252	services.exe
1252	services.exe
1252	services.exe
1252	services.exe
1252	services.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1252	services.exe
1252	services.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2448 wrote to memory of 2548	2448	330a174212b873f5ffcbba229ae046fd_JaffaCakes118.exe	30
PID 2448 wrote to memory of 2548	2448	330a174212b873f5ffcbba229ae046fd_JaffaCakes118.exe	30
PID 2448 wrote to memory of 2548	2448	330a174212b873f5ffcbba229ae046fd_JaffaCakes118.exe	30
PID 2448 wrote to memory of 2548	2448	330a174212b873f5ffcbba229ae046fd_JaffaCakes118.exe	30
PID 2548 wrote to memory of 1252	2548	fservice.exe	31
PID 2548 wrote to memory of 1252	2548	fservice.exe	31
PID 2548 wrote to memory of 1252	2548	fservice.exe	31
PID 2548 wrote to memory of 1252	2548	fservice.exe	31
PID 1252 wrote to memory of 572	1252	services.exe	32
PID 1252 wrote to memory of 572	1252	services.exe	32
PID 1252 wrote to memory of 572	1252	services.exe	32
PID 1252 wrote to memory of 572	1252	services.exe	32
PID 1252 wrote to memory of 744	1252	services.exe	33
PID 1252 wrote to memory of 744	1252	services.exe	33
PID 1252 wrote to memory of 744	1252	services.exe	33
PID 1252 wrote to memory of 744	1252	services.exe	33
PID 744 wrote to memory of 1636	744	NET.exe	36
PID 744 wrote to memory of 1636	744	NET.exe	36
PID 744 wrote to memory of 1636	744	NET.exe	36
PID 744 wrote to memory of 1636	744	NET.exe	36
PID 572 wrote to memory of 2028	572	NET.exe	37
PID 572 wrote to memory of 2028	572	NET.exe	37
PID 572 wrote to memory of 2028	572	NET.exe	37
PID 572 wrote to memory of 2028	572	NET.exe	37

C:\Users\Admin\AppData\Local\Temp\330a174212b873f5ffcbba229ae046fd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\330a174212b873f5ffcbba229ae046fd_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Identifies Wine through registry keys
- Loads dropped DLL
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2448
- C:\Windows\SysWOW64\fservice.exe
  C:\Windows\system32\fservice.exe
  2⤵
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2548
- - C:\Windows\services.exe
    C:\Windows\services.exe -XP
    3⤵
    - Modifies WinLogon for persistence
    - Adds policy Run key to start application
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Modifies WinLogon
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1252
  - - C:\Windows\SysWOW64\NET.exe
      NET STOP srservice
      4⤵
      Suspicious use of WriteProcessMemory
      PID:572
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP srservice
        5⤵
        
        PID:2028
  - - C:\Windows\SysWOW64\NET.exe
      NET STOP navapsvc
      4⤵
      Suspicious use of WriteProcessMemory
      PID:744
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP navapsvc
        5⤵
        
        PID:1636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\fservice.exe

Filesize
1.9MB

MD5
330a174212b873f5ffcbba229ae046fd

SHA1
bdc946075395586c83c1c837ce81cef654d42cc8

SHA256
7c87b7953ba0b604fea3b5ada686c8131127b3ec984f9ab5a692f0e8ac03a171

SHA512
17dbc8df5143b31bafaf19d1075b5ca529cb16ebb9840157cd67ae54550483635cbab207bb94a99730198dbc04f238e37b1bb90bd4e75bd9d2e3aee5e67595c1

Download Submit
\Windows\SysWOW64\reginv.dll

Filesize
36KB

MD5
5f388e8729fdfc74a6af23432b11c6af

SHA1
ddab45676d26f938fc2115c34a8f91c10fdcd2bf

SHA256
370bd699b48d4901c8b984f2424530d16803755b7429d974b315fa71752c8eae

SHA512
b6f23eca922a797a36054b74f4719af3aa9dc611563eadaa82cb9a5a19e466484ec85a0ba6dcad2755d44c709c3a6cf15021d4750f67ad544e3c1f1908bc5756

Download Submit
\Windows\SysWOW64\winkey.dll

Filesize
24KB

MD5
43e7d9b875c921ba6be38d45540fb9dd

SHA1
f22a73fc0d4aa3ea6c0b8f61d974b028f308acc4

SHA256
f1b2b0abe844e6ba812c7f8709a463a7f6c56fa6ac38d376a0739cc3469f795b

SHA512
2e74e23c0875b69b82319391c392132f28f4eb45aa412805130382498ae48969a06a2b3a7528b626fa7d7ddb6b006f19f0ef8d73cf73cb9a0c0df44a21077622

Download Submit
memory/1252-68-0x0000000000400000-0x0000000000919000-memory.dmp

Filesize
5.1MB

Download
memory/1252-66-0x0000000000400000-0x0000000000919000-memory.dmp

Filesize
5.1MB

Download
memory/1252-39-0x0000000000400000-0x0000000000919000-memory.dmp

Filesize
5.1MB

Download
memory/1252-63-0x0000000000400000-0x0000000000919000-memory.dmp

Filesize
5.1MB

Download
memory/1252-38-0x0000000000400000-0x0000000000919000-memory.dmp

Filesize
5.1MB

Download
memory/1252-61-0x0000000000400000-0x0000000000919000-memory.dmp

Filesize
5.1MB

Download
memory/1252-37-0x0000000000400000-0x0000000000919000-memory.dmp

Filesize
5.1MB

Download
memory/1252-60-0x0000000000400000-0x0000000000919000-memory.dmp

Filesize
5.1MB

Download
memory/1252-59-0x0000000000400000-0x0000000000919000-memory.dmp

Filesize
5.1MB

Download
memory/1252-71-0x0000000000400000-0x0000000000919000-memory.dmp

Filesize
5.1MB

Download
memory/1252-58-0x0000000000400000-0x0000000000919000-memory.dmp

Filesize
5.1MB

Download
memory/1252-70-0x0000000000400000-0x0000000000919000-memory.dmp

Filesize
5.1MB

Download
memory/1252-69-0x0000000000400000-0x0000000000919000-memory.dmp

Filesize
5.1MB

Download
memory/1252-65-0x0000000000400000-0x0000000000919000-memory.dmp

Filesize
5.1MB

Download
memory/1252-64-0x0000000000400000-0x0000000000919000-memory.dmp

Filesize
5.1MB

Download
memory/1252-62-0x0000000000400000-0x0000000000919000-memory.dmp

Filesize
5.1MB

Download
memory/1252-72-0x0000000000400000-0x0000000000919000-memory.dmp

Filesize
5.1MB

Download
memory/1252-67-0x0000000000400000-0x0000000000919000-memory.dmp

Filesize
5.1MB

Download
memory/1252-57-0x0000000000400000-0x0000000000919000-memory.dmp

Filesize
5.1MB

Download
memory/1252-43-0x0000000000400000-0x0000000000919000-memory.dmp

Filesize
5.1MB

Download
memory/2448-2-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2448-1-0x0000000002170000-0x0000000002269000-memory.dmp

Filesize
996KB

Download
memory/2448-5-0x0000000000401000-0x0000000000472000-memory.dmp

Filesize
452KB

Download
memory/2448-55-0x0000000000400000-0x0000000000919000-memory.dmp

Filesize
5.1MB

Download
memory/2448-41-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2448-28-0x0000000000400000-0x0000000000919000-memory.dmp

Filesize
5.1MB

Download
memory/2448-21-0x0000000005660000-0x0000000005B79000-memory.dmp

Filesize
5.1MB

Download
memory/2448-0-0x0000000000400000-0x0000000000919000-memory.dmp

Filesize
5.1MB

Download
memory/2448-18-0x0000000005660000-0x0000000005B79000-memory.dmp

Filesize
5.1MB

Download
memory/2448-3-0x00000000022C0000-0x00000000022C1000-memory.dmp

Filesize
4KB

Download
memory/2448-10-0x0000000000400000-0x0000000000919000-memory.dmp

Filesize
5.1MB

Download
memory/2448-4-0x00000000022D0000-0x00000000022D1000-memory.dmp

Filesize
4KB

Download
memory/2548-20-0x0000000000400000-0x0000000000919000-memory.dmp

Filesize
5.1MB

Download
memory/2548-53-0x0000000000400000-0x0000000000919000-memory.dmp

Filesize
5.1MB

Download
memory/2548-36-0x0000000005800000-0x0000000005D19000-memory.dmp

Filesize
5.1MB

Download
memory/2548-34-0x0000000005800000-0x0000000005D19000-memory.dmp

Filesize
5.1MB

Download
memory/2548-24-0x0000000000400000-0x0000000000919000-memory.dmp

Filesize
5.1MB

Download
memory/2548-29-0x0000000000400000-0x0000000000919000-memory.dmp

Filesize
5.1MB

Download
memory/2548-22-0x0000000000400000-0x0000000000919000-memory.dmp

Filesize
5.1MB

Download
memory/2548-19-0x0000000000400000-0x0000000000919000-memory.dmp

Filesize
5.1MB

Download