Overview

overview

10

Static

static

3

34abca8450...18.exe

windows7-x64

10

34abca8450...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    146s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    10-07-2024 12:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    34abca8450c0c9eac650bdf18bee6dd4_JaffaCakes118.exe

  • Size

    796KB

  • MD5

    34abca8450c0c9eac650bdf18bee6dd4

  • SHA1

    95dfc1abad758ccc8f5819dabc57d7500dea144e

  • SHA256

    b9e2ce6b1a1673f8d139e08aca7a989f3d92f2f820814338ed13136c0cf70141

  • SHA512

    d601218799e20fd59ac289686693a7c0d1205d0b35d4c07aab57dcf59efc5579c9f75db41d8bbf89b121304bf7ea3e0c754cbb7d89859b9e0c54bf16d7e76a2b

  • SSDEEP

    24576:N5TZm3gZfVdpMyJ5WK+ENan+odha5GyAaK0aL68U3VRjVmPLyqduOhtkQFViUVBr:3Z3fGyJ5PRQn+Upqae8U3VRjVmPLyqdZ

Score
10/10
evasion

Malware Config

Signatures

  • Modifies security service 2 TTPs 20 IoCs
    evasion
  • Executes dropped EXE 9 IoCs
  • Identifies Wine through registry keys 2 TTPs 10 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Loads dropped DLL 18 IoCs
  • Drops file in System32 directory 20 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 10 IoCs
  • Runs .reg file with regedit 10 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\34abca8450c0c9eac650bdf18bee6dd4_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\34abca8450c0c9eac650bdf18bee6dd4_JaffaCakes118.exe"
    1⤵
    • Identifies Wine through registry keys
    • Loads dropped DLL
    • Drops file in System32 directory
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1672
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c c:\a.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2868
      • C:\Windows\SysWOW64\regedit.exe
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        3⤵
        • Modifies security service
        • Runs .reg file with regedit
        PID:2840
    • C:\Windows\SysWOW64\sysmgr.exe
      C:\Windows\system32\sysmgr.exe 740 "C:\Users\Admin\AppData\Local\Temp\34abca8450c0c9eac650bdf18bee6dd4_JaffaCakes118.exe"
      2⤵
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2608
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c c:\a.bat
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2164
        • C:\Windows\SysWOW64\regedit.exe
          REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
          4⤵
          • Modifies security service
          • Runs .reg file with regedit
          PID:1632
      • C:\Windows\SysWOW64\sysmgr.exe
        C:\Windows\system32\sysmgr.exe 744 "C:\Windows\SysWOW64\sysmgr.exe"
        3⤵
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Loads dropped DLL
        • Drops file in System32 directory
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1916
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c c:\a.bat
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2628
          • C:\Windows\SysWOW64\regedit.exe
            REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
            5⤵
            • Modifies security service
            • Runs .reg file with regedit
            PID:1032
        • C:\Windows\SysWOW64\sysmgr.exe
          C:\Windows\system32\sysmgr.exe 748 "C:\Windows\SysWOW64\sysmgr.exe"
          4⤵
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Loads dropped DLL
          • Drops file in System32 directory
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1684
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c c:\a.bat
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2024
            • C:\Windows\SysWOW64\regedit.exe
              REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
              6⤵
              • Modifies security service
              • Runs .reg file with regedit
              PID:752
          • C:\Windows\SysWOW64\sysmgr.exe
            C:\Windows\system32\sysmgr.exe 752 "C:\Windows\SysWOW64\sysmgr.exe"
            5⤵
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Loads dropped DLL
            • Drops file in System32 directory
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:1324
            • C:\Windows\SysWOW64\cmd.exe
              cmd /c c:\a.bat
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:2724
              • C:\Windows\SysWOW64\regedit.exe
                REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                7⤵
                • Modifies security service
                • Runs .reg file with regedit
                PID:2232
            • C:\Windows\SysWOW64\sysmgr.exe
              C:\Windows\system32\sysmgr.exe 756 "C:\Windows\SysWOW64\sysmgr.exe"
              6⤵
              • Executes dropped EXE
              • Identifies Wine through registry keys
              • Loads dropped DLL
              • Drops file in System32 directory
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of WriteProcessMemory
              PID:652
              • C:\Windows\SysWOW64\cmd.exe
                cmd /c c:\a.bat
                7⤵
                  PID:2304
                  • C:\Windows\SysWOW64\regedit.exe
                    REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                    8⤵
                    • Modifies security service
                    • Runs .reg file with regedit
                    PID:1040
                • C:\Windows\SysWOW64\sysmgr.exe
                  C:\Windows\system32\sysmgr.exe 760 "C:\Windows\SysWOW64\sysmgr.exe"
                  7⤵
                  • Executes dropped EXE
                  • Identifies Wine through registry keys
                  • Loads dropped DLL
                  • Drops file in System32 directory
                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                  • Suspicious behavior: EnumeratesProcesses
                  PID:1072
                  • C:\Windows\SysWOW64\cmd.exe
                    cmd /c c:\a.bat
                    8⤵
                      PID:2216
                      • C:\Windows\SysWOW64\regedit.exe
                        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                        9⤵
                        • Modifies security service
                        • Runs .reg file with regedit
                        PID:904
                    • C:\Windows\SysWOW64\sysmgr.exe
                      C:\Windows\system32\sysmgr.exe 764 "C:\Windows\SysWOW64\sysmgr.exe"
                      8⤵
                      • Executes dropped EXE
                      • Identifies Wine through registry keys
                      • Loads dropped DLL
                      • Drops file in System32 directory
                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                      • Suspicious behavior: EnumeratesProcesses
                      PID:2124
                      • C:\Windows\SysWOW64\cmd.exe
                        cmd /c c:\a.bat
                        9⤵
                          PID:1596
                          • C:\Windows\SysWOW64\regedit.exe
                            REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                            10⤵
                            • Modifies security service
                            • Runs .reg file with regedit
                            PID:2552
                        • C:\Windows\SysWOW64\sysmgr.exe
                          C:\Windows\system32\sysmgr.exe 768 "C:\Windows\SysWOW64\sysmgr.exe"
                          9⤵
                          • Executes dropped EXE
                          • Identifies Wine through registry keys
                          • Loads dropped DLL
                          • Drops file in System32 directory
                          • Suspicious use of NtSetInformationThreadHideFromDebugger
                          • Suspicious behavior: EnumeratesProcesses
                          PID:1552
                          • C:\Windows\SysWOW64\cmd.exe
                            cmd /c c:\a.bat
                            10⤵
                              PID:880
                              • C:\Windows\SysWOW64\regedit.exe
                                REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                                11⤵
                                • Modifies security service
                                • Runs .reg file with regedit
                                PID:2520
                            • C:\Windows\SysWOW64\sysmgr.exe
                              C:\Windows\system32\sysmgr.exe 776 "C:\Windows\SysWOW64\sysmgr.exe"
                              10⤵
                              • Executes dropped EXE
                              • Identifies Wine through registry keys
                              • Drops file in System32 directory
                              • Suspicious use of NtSetInformationThreadHideFromDebugger
                              • Suspicious behavior: EnumeratesProcesses
                              PID:2500
                              • C:\Windows\SysWOW64\cmd.exe
                                cmd /c c:\a.bat
                                11⤵
                                  PID:2016
                                  • C:\Windows\SysWOW64\regedit.exe
                                    REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                                    12⤵
                                    • Modifies security service
                                    • Runs .reg file with regedit
                                    PID:984

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\1.reg
              Filesize

              3KB

              MD5

              9e5db93bd3302c217b15561d8f1e299d

              SHA1

              95a5579b336d16213909beda75589fd0a2091f30

              SHA256

              f360fb5740172b6b4dd59c1ac30b480511665ae991196f833167e275d91f943e

              SHA512

              b5547e5047a3c43397ee846ff9d5979cba45ba44671db5c5df5536d9dc26262e27a8645a08e0cf35960a3601dc0f6f5fe8d47ae232c9ca44d6899e97d36fb25a

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\1.reg
              Filesize

              2KB

              MD5

              f82bc8865c1f6bf7125563479421f95c

              SHA1

              65c25d7af3ab1f29ef2ef1fdc67378ac9c82098d

              SHA256

              f9799dc2afb8128d1925b69fdef1d641f312ed41254dd5f4ac543cf50648a2f6

              SHA512

              00a9b7798a630779dc30296c3d0fed2589e7e86d6941f4502ea301c5bce2e80a5d8a4916e36183c7064f968b539ae6dac49094b1de3643a1a2fedc83cf558825

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\1.reg
              Filesize

              701B

              MD5

              e427a32326a6a806e7b7b4fdbbe0ed4c

              SHA1

              b10626953332aeb7c524f2a29f47ca8b0bee38b1

              SHA256

              b5cfd1100679c495202229aede417b8a385405cb9d467d2d89b936fc99245839

              SHA512

              6bd679341bec6b224962f3d0d229cff2d400e568e10b7764eb4e0903c66819a8fa99927249ab9b4c447b2d09ea0d98eb9823fb2c5f7462112036049795a5d8bd

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\1.reg
              Filesize

              298B

              MD5

              4117e5a9c995bab9cd3bce3fc2b99a46

              SHA1

              80144ccbad81c2efb1df64e13d3d5f59ca4486da

              SHA256

              37b58c2d66ab2f896316ee0cdba30dcc9aac15a51995b8ba6c143c8ba34bf292

              SHA512

              bdb721bd3dea641a9b1f26b46311c05199de01c6b0d7ea2b973aa71a4f796b292a6964ddef32ba9dfc4a545768943d105f110c5d60716e0ff6f82914affb507c

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\1.reg
              Filesize

              576B

              MD5

              8a0897226da780b90c11da0756b361f1

              SHA1

              67f813e8733ad75a2147c59cca102a60274daeab

              SHA256

              115ff7b8bbe33e1325a2b03fb279281b79b2b9c4c0d6147c049c99da39867bee

              SHA512

              55e0e0791fb8e76fb67511ef2bfe1bdb934c857a5a555f9c72dd063250c18b17c57ff9f220c0d3cdd219828d87f5c08bfe5e198476c9d38119c4cfb099b99642

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\1.reg
              Filesize

              2KB

              MD5

              54ca6e3ef1c12b994043e85a8c9895f0

              SHA1

              5eaccfb482cbe24cf5c3203ffdc926184097427e

              SHA256

              0db388471ad17c9c9b4a0a40b2536b7a6f27b8cc96775812d48d7009acb418c0

              SHA512

              925615f057558a00fb0ed3f9faeee2b70f3dd5469376de9381a387b3666c230fc0bb5b83fd3acf0169872e3c5f747cbdaff473d7fa389a5848f3828916680626

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\1.reg
              Filesize

              1KB

              MD5

              5002319f56002f8d7ceacecf8672ce25

              SHA1

              3b26b6801be4768cc7582e29bc93facdf2a74be3

              SHA256

              f23f4854d17525744e8028db6dde6eb7d5d664b0ee1b08870c9c01b639e0124c

              SHA512

              8eae0fabc7f5a7e452abacf988a3632874c556af409da5e60c5e529524732b40f22d4e1d860ccceae87642875c819fc8a8120eceaabd25861f920c8c066a9aef

              Download Submit

            • C:\a.bat
              Filesize

              5KB

              MD5

              0019a0451cc6b9659762c3e274bc04fb

              SHA1

              5259e256cc0908f2846e532161b989f1295f479b

              SHA256

              ce4674afd978d1401596d22a0961f90c8fb53c5bd55649684e1a999c8cf77876

              SHA512

              314c23ec37cb0cd4443213c019c4541df968447353b422ef6fff1e7ddf6c983c80778787408b7ca9b81e580a6a7f1589ca7f43c022e6fc16182973580ed4d904

              Download Submit

            • \Windows\SysWOW64\sysmgr.exe
              Filesize

              796KB

              MD5

              34abca8450c0c9eac650bdf18bee6dd4

              SHA1

              95dfc1abad758ccc8f5819dabc57d7500dea144e

              SHA256

              b9e2ce6b1a1673f8d139e08aca7a989f3d92f2f820814338ed13136c0cf70141

              SHA512

              d601218799e20fd59ac289686693a7c0d1205d0b35d4c07aab57dcf59efc5579c9f75db41d8bbf89b121304bf7ea3e0c754cbb7d89859b9e0c54bf16d7e76a2b

              Download Submit

            • memory/652-637-0x0000000000400000-0x0000000000B87FAA-memory.dmp

              Filesize

              7.5MB

              Download

            • memory/652-753-0x0000000000400000-0x0000000000B87FAA-memory.dmp

              Filesize

              7.5MB

              Download

            • memory/652-757-0x0000000000400000-0x0000000000B87FAA-memory.dmp

              Filesize

              7.5MB

              Download

            • memory/1072-758-0x0000000000400000-0x0000000000B87FAA-memory.dmp

              Filesize

              7.5MB

              Download

            • memory/1072-878-0x0000000000400000-0x0000000000B87FAA-memory.dmp

              Filesize

              7.5MB

              Download

            • memory/1072-874-0x0000000000400000-0x0000000000B87FAA-memory.dmp

              Filesize

              7.5MB

              Download

            • memory/1324-636-0x0000000000400000-0x0000000000B87FAA-memory.dmp

              Filesize

              7.5MB

              Download

            • memory/1324-631-0x0000000000400000-0x0000000000B87FAA-memory.dmp

              Filesize

              7.5MB

              Download

            • memory/1324-514-0x0000000000400000-0x0000000000B87FAA-memory.dmp

              Filesize

              7.5MB

              Download

            • memory/1324-515-0x0000000000400000-0x0000000000B87FAA-memory.dmp

              Filesize

              7.5MB

              Download

            • memory/1552-1116-0x0000000000400000-0x0000000000B87FAA-memory.dmp

              Filesize

              7.5MB

              Download

            • memory/1552-1000-0x0000000000400000-0x0000000000B87FAA-memory.dmp

              Filesize

              7.5MB

              Download

            • memory/1552-1120-0x0000000000400000-0x0000000000B87FAA-memory.dmp

              Filesize

              7.5MB

              Download

            • memory/1672-132-0x00000000052C0000-0x0000000005A48000-memory.dmp

              Filesize

              7.5MB

              Download

            • memory/1672-133-0x00000000052C0000-0x0000000005A48000-memory.dmp

              Filesize

              7.5MB

              Download

            • memory/1672-124-0x0000000000400000-0x0000000000B87FAA-memory.dmp

              Filesize

              7.5MB

              Download

            • memory/1672-119-0x0000000000400000-0x0000000000B87FAA-memory.dmp

              Filesize

              7.5MB

              Download

            • memory/1672-118-0x0000000000400000-0x0000000000B87FAA-memory.dmp

              Filesize

              7.5MB

              Download

            • memory/1672-10-0x0000000000400000-0x0000000000B87FAA-memory.dmp

              Filesize

              7.5MB

              Download

            • memory/1672-9-0x0000000000401000-0x000000000041E000-memory.dmp

              Filesize

              116KB

              Download

            • memory/1672-0-0x0000000000400000-0x0000000000B87FAA-memory.dmp

              Filesize

              7.5MB

              Download

            • memory/1672-1-0x0000000000400000-0x0000000000B87FAA-memory.dmp

              Filesize

              7.5MB

              Download

            • memory/1684-390-0x0000000000400000-0x0000000000B87FAA-memory.dmp

              Filesize

              7.5MB

              Download

            • memory/1684-387-0x0000000000400000-0x0000000000B87FAA-memory.dmp

              Filesize

              7.5MB

              Download

            • memory/1684-509-0x00000000052C0000-0x0000000005A48000-memory.dmp

              Filesize

              7.5MB

              Download

            • memory/1684-506-0x0000000000400000-0x0000000000B87FAA-memory.dmp

              Filesize

              7.5MB

              Download

            • memory/1684-513-0x0000000000400000-0x0000000000B87FAA-memory.dmp

              Filesize

              7.5MB

              Download

            • memory/1684-510-0x00000000052C0000-0x0000000005A48000-memory.dmp

              Filesize

              7.5MB

              Download

            • memory/1916-389-0x0000000000400000-0x0000000000B87FAA-memory.dmp

              Filesize

              7.5MB

              Download

            • memory/1916-385-0x0000000005290000-0x0000000005A18000-memory.dmp

              Filesize

              7.5MB

              Download

            • memory/1916-386-0x0000000005290000-0x0000000005A18000-memory.dmp

              Filesize

              7.5MB

              Download

            • memory/1916-381-0x0000000000400000-0x0000000000B87FAA-memory.dmp

              Filesize

              7.5MB

              Download

            • memory/1916-265-0x0000000000400000-0x0000000000B87FAA-memory.dmp

              Filesize

              7.5MB

              Download

            • memory/1916-264-0x0000000000400000-0x0000000000B87FAA-memory.dmp

              Filesize

              7.5MB

              Download

            • memory/2124-995-0x0000000000400000-0x0000000000B87FAA-memory.dmp

              Filesize

              7.5MB

              Download

            • memory/2124-999-0x0000000000400000-0x0000000000B87FAA-memory.dmp

              Filesize

              7.5MB

              Download

            • memory/2124-879-0x0000000000400000-0x0000000000B87FAA-memory.dmp

              Filesize

              7.5MB

              Download

            • memory/2500-1237-0x0000000000400000-0x0000000000B87FAA-memory.dmp

              Filesize

              7.5MB

              Download

            • memory/2500-1121-0x0000000000400000-0x0000000000B87FAA-memory.dmp

              Filesize

              7.5MB

              Download

            • memory/2608-263-0x00000000051A0000-0x0000000005928000-memory.dmp

              Filesize

              7.5MB

              Download

            • memory/2608-256-0x0000000000400000-0x0000000000B87FAA-memory.dmp

              Filesize

              7.5MB

              Download

            • memory/2608-145-0x0000000000400000-0x0000000000B87FAA-memory.dmp

              Filesize

              7.5MB

              Download

            • memory/2608-147-0x0000000000400000-0x0000000000B87FAA-memory.dmp

              Filesize

              7.5MB

              Download

            • memory/2608-138-0x0000000000400000-0x0000000000B87FAA-memory.dmp

              Filesize

              7.5MB

              Download

            • memory/2608-136-0x0000000000400000-0x0000000000B87FAA-memory.dmp

              Filesize

              7.5MB

              Download

            • memory/2608-262-0x00000000051A0000-0x0000000005928000-memory.dmp

              Filesize

              7.5MB

              Download

            • memory/2608-134-0x0000000000400000-0x0000000000B87FAA-memory.dmp

              Filesize

              7.5MB

              Download

            • memory/2608-260-0x0000000000400000-0x0000000000B87FAA-memory.dmp

              Filesize

              7.5MB

              Download