93d9dfc1bb2b7174ed336d42519f5803105542f3af76ade88f8aa2e57ad556b0

Analysis

max time kernel
93s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
12/07/2024, 05:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3c1fef53ecfde441b199ce5c8c5342ec_JaffaCakes118.exe
Size

462KB
MD5

3c1fef53ecfde441b199ce5c8c5342ec
SHA1

df15b1af98082fcafb42dbd45bea357a2580521d
SHA256

93d9dfc1bb2b7174ed336d42519f5803105542f3af76ade88f8aa2e57ad556b0
SHA512

cdb43c30b002cebe35b26486163d4cd6032e863e71453fb9d207297c1a1af7381a2779b780fcbda5b3f24f626c705dc04b134b580740ae079594dd4d4e909733
SSDEEP

6144:7Sl182SYy3gnmRQzS94ZezDap8S5ejvhtC/t3StQuQH7hMPzgQWiG3pbgIZXvLEx:L2Rw4U4Zd5Cvh4duQHlMrNTQbDvgA+oa

Score

7^/10

themida

Malware Config

Signatures

Themida packer 1 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/memory/4944-0-0x0000000000400000-0x00000000005D024F-memory.dmp	themida

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4560	4944	WerFault.exe	83

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Software\Microsoft\Internet Explorer\IESettingSync	3c1fef53ecfde441b199ce5c8c5342ec_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	3c1fef53ecfde441b199ce5c8c5342ec_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	3c1fef53ecfde441b199ce5c8c5342ec_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	3c1fef53ecfde441b199ce5c8c5342ec_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4944	3c1fef53ecfde441b199ce5c8c5342ec_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4944	3c1fef53ecfde441b199ce5c8c5342ec_JaffaCakes118.exe
4944	3c1fef53ecfde441b199ce5c8c5342ec_JaffaCakes118.exe
4944	3c1fef53ecfde441b199ce5c8c5342ec_JaffaCakes118.exe
4944	3c1fef53ecfde441b199ce5c8c5342ec_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\3c1fef53ecfde441b199ce5c8c5342ec_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3c1fef53ecfde441b199ce5c8c5342ec_JaffaCakes118.exe"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4944
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 2132
  2⤵
  - Program crash
  PID:4560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4944 -ip 4944
1⤵
PID:4644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4944-0-0x0000000000400000-0x00000000005D024F-memory.dmp

Filesize
1.8MB

Download
memory/4944-1-0x0000000000401000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/4944-3-0x0000000000400000-0x00000000005D024F-memory.dmp

Filesize
1.8MB

Download
memory/4944-2-0x0000000000400000-0x00000000005D024F-memory.dmp

Filesize
1.8MB

Download
memory/4944-10-0x0000000000400000-0x00000000005D024F-memory.dmp

Filesize
1.8MB

Download
memory/4944-11-0x0000000000401000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download