1910fbc91a2776d9c410c536f9eeb3b7b364bd149acc906ed99183a9f8742bcc

Analysis

max time kernel
148s
max time network
117s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
13/07/2024, 05:14

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4053a874946754cee5b6cc40db0239f0_JaffaCakes118.exe
Size

1.1MB
MD5

4053a874946754cee5b6cc40db0239f0
SHA1

4163191afb2d5dcfbe228a5f15605566aa2182f8
SHA256

1910fbc91a2776d9c410c536f9eeb3b7b364bd149acc906ed99183a9f8742bcc
SHA512

64b91eefce1effdbca7cf353472f803757cb4896087c2f6f1bba7cc8c2148385a1173482ee1b39502c57a7c4833364726b4bbb4af637326ef8e9ffcfa878719c
SSDEEP

12288:z5yjx6q+6+BBChbKFEjFLGx9AwbgVNwu57/KZxc:dZZLiuFE5Gx9mVi6m

Score

7^/10

evasion themida

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
2420	msnnmaneger.exe
2244	msnnmaneger.exe
2036	msnnmaneger.exe
348	msnnmaneger.exe
2080	msnnmaneger.exe

Identifies Wine through registry keys 2 TTPs 6 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Wine	msnnmaneger.exe
Key opened	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Wine	msnnmaneger.exe
Key opened	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Wine	4053a874946754cee5b6cc40db0239f0_JaffaCakes118.exe
Key opened	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Wine	msnnmaneger.exe
Key opened	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Wine	msnnmaneger.exe
Key opened	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Wine	msnnmaneger.exe

Loads dropped DLL 10 IoCs

pid	Process
1736	4053a874946754cee5b6cc40db0239f0_JaffaCakes118.exe
1736	4053a874946754cee5b6cc40db0239f0_JaffaCakes118.exe
2420	msnnmaneger.exe
2420	msnnmaneger.exe
2244	msnnmaneger.exe
2244	msnnmaneger.exe
2036	msnnmaneger.exe
2036	msnnmaneger.exe
348	msnnmaneger.exe
348	msnnmaneger.exe

Themida packer 46 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/1736-0-0x0000000000400000-0x0000000000623000-memory.dmp	themida
behavioral1/memory/1736-2-0x0000000000400000-0x0000000000623000-memory.dmp	themida
behavioral1/memory/1736-3-0x0000000000400000-0x0000000000623000-memory.dmp	themida
behavioral1/files/0x00080000000122db-5.dat	themida
behavioral1/memory/2420-16-0x0000000000400000-0x0000000000623000-memory.dmp	themida
behavioral1/memory/1736-13-0x0000000000400000-0x0000000000623000-memory.dmp	themida
behavioral1/memory/1736-11-0x0000000000400000-0x0000000000623000-memory.dmp	themida
behavioral1/memory/2420-17-0x0000000000400000-0x0000000000623000-memory.dmp	themida
behavioral1/memory/2420-18-0x0000000000400000-0x0000000000623000-memory.dmp	themida
behavioral1/memory/2420-19-0x0000000000400000-0x0000000000623000-memory.dmp	themida
behavioral1/memory/2420-21-0x0000000000400000-0x0000000000623000-memory.dmp	themida
behavioral1/memory/2420-22-0x0000000000400000-0x0000000000623000-memory.dmp	themida
behavioral1/memory/2420-23-0x0000000000400000-0x0000000000623000-memory.dmp	themida
behavioral1/memory/2420-24-0x0000000000400000-0x0000000000623000-memory.dmp	themida
behavioral1/memory/2420-25-0x0000000000400000-0x0000000000623000-memory.dmp	themida
behavioral1/memory/2420-26-0x0000000000400000-0x0000000000623000-memory.dmp	themida
behavioral1/memory/2420-27-0x0000000000400000-0x0000000000623000-memory.dmp	themida
behavioral1/memory/2420-32-0x0000000000400000-0x0000000000623000-memory.dmp	themida
behavioral1/memory/2244-34-0x0000000000400000-0x0000000000623000-memory.dmp	themida
behavioral1/memory/2244-35-0x0000000000400000-0x0000000000623000-memory.dmp	themida
behavioral1/memory/2244-36-0x0000000000400000-0x0000000000623000-memory.dmp	themida
behavioral1/memory/2244-37-0x0000000000400000-0x0000000000623000-memory.dmp	themida
behavioral1/memory/2244-38-0x0000000000400000-0x0000000000623000-memory.dmp	themida
behavioral1/memory/2244-39-0x0000000000400000-0x0000000000623000-memory.dmp	themida
behavioral1/memory/2244-40-0x0000000000400000-0x0000000000623000-memory.dmp	themida
behavioral1/memory/2244-41-0x0000000000400000-0x0000000000623000-memory.dmp	themida
behavioral1/memory/2244-42-0x0000000000400000-0x0000000000623000-memory.dmp	themida
behavioral1/memory/2244-46-0x0000000004480000-0x00000000046A3000-memory.dmp	themida
behavioral1/memory/2244-47-0x0000000000400000-0x0000000000623000-memory.dmp	themida
behavioral1/memory/2036-49-0x0000000000400000-0x0000000000623000-memory.dmp	themida
behavioral1/memory/2036-50-0x0000000000400000-0x0000000000623000-memory.dmp	themida
behavioral1/memory/2036-51-0x0000000000400000-0x0000000000623000-memory.dmp	themida
behavioral1/memory/2036-52-0x0000000000400000-0x0000000000623000-memory.dmp	themida
behavioral1/memory/2036-53-0x0000000000400000-0x0000000000623000-memory.dmp	themida
behavioral1/memory/2036-54-0x0000000000400000-0x0000000000623000-memory.dmp	themida
behavioral1/memory/2036-55-0x0000000000400000-0x0000000000623000-memory.dmp	themida
behavioral1/memory/2036-56-0x0000000000400000-0x0000000000623000-memory.dmp	themida
behavioral1/memory/2036-57-0x0000000000400000-0x0000000000623000-memory.dmp	themida
behavioral1/memory/348-63-0x0000000000400000-0x0000000000623000-memory.dmp	themida
behavioral1/memory/2036-62-0x0000000000400000-0x0000000000623000-memory.dmp	themida
behavioral1/memory/348-64-0x0000000000400000-0x0000000000623000-memory.dmp	themida
behavioral1/memory/348-65-0x0000000000400000-0x0000000000623000-memory.dmp	themida
behavioral1/memory/348-70-0x0000000000400000-0x0000000000623000-memory.dmp	themida
behavioral1/memory/2080-71-0x0000000000400000-0x0000000000623000-memory.dmp	themida
behavioral1/memory/2080-72-0x0000000000400000-0x0000000000623000-memory.dmp	themida
behavioral1/memory/2080-73-0x0000000000400000-0x0000000000623000-memory.dmp	themida

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\msnnmaneger.exe	msnnmaneger.exe
File created	C:\Windows\SysWOW64\msnnmaneger.exe	msnnmaneger.exe
File created	C:\Windows\SysWOW64\msnnmaneger.exe	msnnmaneger.exe
File created	C:\Windows\SysWOW64\msnnmaneger.exe	msnnmaneger.exe
File created	C:\Windows\SysWOW64\msnnmaneger.exe	4053a874946754cee5b6cc40db0239f0_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\msnnmaneger.exe	4053a874946754cee5b6cc40db0239f0_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\msnnmaneger.exe	msnnmaneger.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1736	4053a874946754cee5b6cc40db0239f0_JaffaCakes118.exe
1736	4053a874946754cee5b6cc40db0239f0_JaffaCakes118.exe
1736	4053a874946754cee5b6cc40db0239f0_JaffaCakes118.exe
1736	4053a874946754cee5b6cc40db0239f0_JaffaCakes118.exe
1736	4053a874946754cee5b6cc40db0239f0_JaffaCakes118.exe
1736	4053a874946754cee5b6cc40db0239f0_JaffaCakes118.exe
1736	4053a874946754cee5b6cc40db0239f0_JaffaCakes118.exe
1736	4053a874946754cee5b6cc40db0239f0_JaffaCakes118.exe
1736	4053a874946754cee5b6cc40db0239f0_JaffaCakes118.exe
1736	4053a874946754cee5b6cc40db0239f0_JaffaCakes118.exe
1736	4053a874946754cee5b6cc40db0239f0_JaffaCakes118.exe
1736	4053a874946754cee5b6cc40db0239f0_JaffaCakes118.exe
1736	4053a874946754cee5b6cc40db0239f0_JaffaCakes118.exe
2420	msnnmaneger.exe
2420	msnnmaneger.exe
2420	msnnmaneger.exe
2420	msnnmaneger.exe
2420	msnnmaneger.exe
2420	msnnmaneger.exe
2420	msnnmaneger.exe
2420	msnnmaneger.exe
2420	msnnmaneger.exe
2420	msnnmaneger.exe
2420	msnnmaneger.exe
2420	msnnmaneger.exe
2420	msnnmaneger.exe
2244	msnnmaneger.exe
2244	msnnmaneger.exe
2244	msnnmaneger.exe
2244	msnnmaneger.exe
2244	msnnmaneger.exe
2244	msnnmaneger.exe
2244	msnnmaneger.exe
2244	msnnmaneger.exe
2244	msnnmaneger.exe
2244	msnnmaneger.exe
2244	msnnmaneger.exe
2244	msnnmaneger.exe
2244	msnnmaneger.exe
2036	msnnmaneger.exe
2036	msnnmaneger.exe
2036	msnnmaneger.exe
2036	msnnmaneger.exe
2036	msnnmaneger.exe
2036	msnnmaneger.exe
2036	msnnmaneger.exe
2036	msnnmaneger.exe
2036	msnnmaneger.exe
2036	msnnmaneger.exe
2036	msnnmaneger.exe
2036	msnnmaneger.exe
2036	msnnmaneger.exe
348	msnnmaneger.exe
348	msnnmaneger.exe
348	msnnmaneger.exe
348	msnnmaneger.exe
348	msnnmaneger.exe
348	msnnmaneger.exe
348	msnnmaneger.exe
2080	msnnmaneger.exe
2080	msnnmaneger.exe
2080	msnnmaneger.exe
2080	msnnmaneger.exe
2080	msnnmaneger.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1736 wrote to memory of 2420	1736	4053a874946754cee5b6cc40db0239f0_JaffaCakes118.exe	31
PID 1736 wrote to memory of 2420	1736	4053a874946754cee5b6cc40db0239f0_JaffaCakes118.exe	31
PID 1736 wrote to memory of 2420	1736	4053a874946754cee5b6cc40db0239f0_JaffaCakes118.exe	31
PID 1736 wrote to memory of 2420	1736	4053a874946754cee5b6cc40db0239f0_JaffaCakes118.exe	31
PID 2420 wrote to memory of 2244	2420	msnnmaneger.exe	32
PID 2420 wrote to memory of 2244	2420	msnnmaneger.exe	32
PID 2420 wrote to memory of 2244	2420	msnnmaneger.exe	32
PID 2420 wrote to memory of 2244	2420	msnnmaneger.exe	32
PID 2244 wrote to memory of 2036	2244	msnnmaneger.exe	33
PID 2244 wrote to memory of 2036	2244	msnnmaneger.exe	33
PID 2244 wrote to memory of 2036	2244	msnnmaneger.exe	33
PID 2244 wrote to memory of 2036	2244	msnnmaneger.exe	33
PID 2036 wrote to memory of 348	2036	msnnmaneger.exe	34
PID 2036 wrote to memory of 348	2036	msnnmaneger.exe	34
PID 2036 wrote to memory of 348	2036	msnnmaneger.exe	34
PID 2036 wrote to memory of 348	2036	msnnmaneger.exe	34
PID 348 wrote to memory of 2080	348	msnnmaneger.exe	35
PID 348 wrote to memory of 2080	348	msnnmaneger.exe	35
PID 348 wrote to memory of 2080	348	msnnmaneger.exe	35
PID 348 wrote to memory of 2080	348	msnnmaneger.exe	35

C:\Users\Admin\AppData\Local\Temp\4053a874946754cee5b6cc40db0239f0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4053a874946754cee5b6cc40db0239f0_JaffaCakes118.exe"
1⤵
- Identifies Wine through registry keys
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1736
- C:\Windows\SysWOW64\msnnmaneger.exe
  C:\Windows\system32\msnnmaneger.exe -bai C:\Users\Admin\AppData\Local\Temp\4053a874946754cee5b6cc40db0239f0_JaffaCakes118.exe
  2⤵
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2420
- - C:\Windows\SysWOW64\msnnmaneger.exe
    C:\Windows\system32\msnnmaneger.exe -bai C:\Windows\SysWOW64\msnnmaneger.exe
    3⤵
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2244
  - - C:\Windows\SysWOW64\msnnmaneger.exe
      C:\Windows\system32\msnnmaneger.exe -bai C:\Windows\SysWOW64\msnnmaneger.exe
      4⤵
      Executes dropped EXE
      Identifies Wine through registry keys
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2036
    - - C:\Windows\SysWOW64\msnnmaneger.exe
        
        C:\Windows\system32\msnnmaneger.exe -bai C:\Windows\SysWOW64\msnnmaneger.exe
        5⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:348
      - C:\Windows\SysWOW64\msnnmaneger.exe
        
        C:\Windows\system32\msnnmaneger.exe -bai C:\Windows\SysWOW64\msnnmaneger.exe
        6⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\msnnmaneger.exe

Filesize
1.1MB

MD5
4053a874946754cee5b6cc40db0239f0

SHA1
4163191afb2d5dcfbe228a5f15605566aa2182f8

SHA256
1910fbc91a2776d9c410c536f9eeb3b7b364bd149acc906ed99183a9f8742bcc

SHA512
64b91eefce1effdbca7cf353472f803757cb4896087c2f6f1bba7cc8c2148385a1173482ee1b39502c57a7c4833364726b4bbb4af637326ef8e9ffcfa878719c

Download Submit
memory/348-65-0x0000000000400000-0x0000000000623000-memory.dmp

Filesize
2.1MB

Download
memory/348-63-0x0000000000400000-0x0000000000623000-memory.dmp

Filesize
2.1MB

Download
memory/348-64-0x0000000000400000-0x0000000000623000-memory.dmp

Filesize
2.1MB

Download
memory/348-70-0x0000000000400000-0x0000000000623000-memory.dmp

Filesize
2.1MB

Download
memory/1736-1-0x0000000000401000-0x0000000000418000-memory.dmp

Filesize
92KB

Download
memory/1736-2-0x0000000000400000-0x0000000000623000-memory.dmp

Filesize
2.1MB

Download
memory/1736-3-0x0000000000400000-0x0000000000623000-memory.dmp

Filesize
2.1MB

Download
memory/1736-14-0x0000000004490000-0x00000000046B3000-memory.dmp

Filesize
2.1MB

Download
memory/1736-0-0x0000000000400000-0x0000000000623000-memory.dmp

Filesize
2.1MB

Download
memory/1736-13-0x0000000000400000-0x0000000000623000-memory.dmp

Filesize
2.1MB

Download
memory/1736-11-0x0000000000400000-0x0000000000623000-memory.dmp

Filesize
2.1MB

Download
memory/2036-55-0x0000000000400000-0x0000000000623000-memory.dmp

Filesize
2.1MB

Download
memory/2036-62-0x0000000000400000-0x0000000000623000-memory.dmp

Filesize
2.1MB

Download
memory/2036-57-0x0000000000400000-0x0000000000623000-memory.dmp

Filesize
2.1MB

Download
memory/2036-56-0x0000000000400000-0x0000000000623000-memory.dmp

Filesize
2.1MB

Download
memory/2036-49-0x0000000000400000-0x0000000000623000-memory.dmp

Filesize
2.1MB

Download
memory/2036-54-0x0000000000400000-0x0000000000623000-memory.dmp

Filesize
2.1MB

Download
memory/2036-53-0x0000000000400000-0x0000000000623000-memory.dmp

Filesize
2.1MB

Download
memory/2036-52-0x0000000000400000-0x0000000000623000-memory.dmp

Filesize
2.1MB

Download
memory/2036-51-0x0000000000400000-0x0000000000623000-memory.dmp

Filesize
2.1MB

Download
memory/2036-50-0x0000000000400000-0x0000000000623000-memory.dmp

Filesize
2.1MB

Download
memory/2080-71-0x0000000000400000-0x0000000000623000-memory.dmp

Filesize
2.1MB

Download
memory/2080-72-0x0000000000400000-0x0000000000623000-memory.dmp

Filesize
2.1MB

Download
memory/2080-73-0x0000000000400000-0x0000000000623000-memory.dmp

Filesize
2.1MB

Download
memory/2244-37-0x0000000000400000-0x0000000000623000-memory.dmp

Filesize
2.1MB

Download
memory/2244-39-0x0000000000400000-0x0000000000623000-memory.dmp

Filesize
2.1MB

Download
memory/2244-40-0x0000000000400000-0x0000000000623000-memory.dmp

Filesize
2.1MB

Download
memory/2244-41-0x0000000000400000-0x0000000000623000-memory.dmp

Filesize
2.1MB

Download
memory/2244-42-0x0000000000400000-0x0000000000623000-memory.dmp

Filesize
2.1MB

Download
memory/2244-46-0x0000000004480000-0x00000000046A3000-memory.dmp

Filesize
2.1MB

Download
memory/2244-47-0x0000000000400000-0x0000000000623000-memory.dmp

Filesize
2.1MB

Download
memory/2244-38-0x0000000000400000-0x0000000000623000-memory.dmp

Filesize
2.1MB

Download
memory/2244-36-0x0000000000400000-0x0000000000623000-memory.dmp

Filesize
2.1MB

Download
memory/2244-35-0x0000000000400000-0x0000000000623000-memory.dmp

Filesize
2.1MB

Download
memory/2244-34-0x0000000000400000-0x0000000000623000-memory.dmp

Filesize
2.1MB

Download
memory/2420-33-0x00000000044B0000-0x00000000046D3000-memory.dmp

Filesize
2.1MB

Download
memory/2420-32-0x0000000000400000-0x0000000000623000-memory.dmp

Filesize
2.1MB

Download
memory/2420-27-0x0000000000400000-0x0000000000623000-memory.dmp

Filesize
2.1MB

Download
memory/2420-26-0x0000000000400000-0x0000000000623000-memory.dmp

Filesize
2.1MB

Download
memory/2420-25-0x0000000000400000-0x0000000000623000-memory.dmp

Filesize
2.1MB

Download
memory/2420-24-0x0000000000400000-0x0000000000623000-memory.dmp

Filesize
2.1MB

Download
memory/2420-23-0x0000000000400000-0x0000000000623000-memory.dmp

Filesize
2.1MB

Download
memory/2420-22-0x0000000000400000-0x0000000000623000-memory.dmp

Filesize
2.1MB

Download
memory/2420-21-0x0000000000400000-0x0000000000623000-memory.dmp

Filesize
2.1MB

Download
memory/2420-19-0x0000000000400000-0x0000000000623000-memory.dmp

Filesize
2.1MB

Download
memory/2420-18-0x0000000000400000-0x0000000000623000-memory.dmp

Filesize
2.1MB

Download
memory/2420-17-0x0000000000400000-0x0000000000623000-memory.dmp

Filesize
2.1MB

Download
memory/2420-16-0x0000000000400000-0x0000000000623000-memory.dmp

Filesize
2.1MB

Download