09a2bf438bb5b290d6e0e5285dbebc24be3556c27f22749406d7f40141b4ae8b

General

Target

431afccadf5104debcced7a0f7439930_JaffaCakes118.exe
Size

3.6MB
MD5

431afccadf5104debcced7a0f7439930
SHA1

9034dc11a79ef914a59a6077f3bb05f691c042b8
SHA256

09a2bf438bb5b290d6e0e5285dbebc24be3556c27f22749406d7f40141b4ae8b
SHA512

40bdecb06eb2a8bf0b10d58b6b6e87f840a72dbaccbcef9a92570ab5fde81aa92635183fd0eebf4693b151d4a2270ede019d4eb3e6d68d7366c50b19c5e492f1
SSDEEP

98304:2k10VUu7hl0HMCvnFB/FRWd9qjhFEanv50:h0j0xnfE9+h+anB0

Score

7^/10

evasion persistence themida

Malware Config

Signatures

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Wine	431afccadf5104debcced7a0f7439930_JaffaCakes118.exe

Themida packer 35 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/1948-0-0x0000000000400000-0x0000000001E0C000-memory.dmp	themida
behavioral1/memory/1948-1-0x0000000000400000-0x0000000001E0C000-memory.dmp	themida
behavioral1/memory/1948-2-0x0000000000400000-0x0000000001E0C000-memory.dmp	themida
behavioral1/memory/1948-3-0x0000000000400000-0x0000000001E0C000-memory.dmp	themida
behavioral1/memory/1948-4-0x0000000000400000-0x0000000001E0C000-memory.dmp	themida
behavioral1/memory/1948-5-0x0000000000400000-0x0000000001E0C000-memory.dmp	themida
behavioral1/memory/1948-6-0x0000000000400000-0x0000000001E0C000-memory.dmp	themida
behavioral1/memory/1948-7-0x0000000000400000-0x0000000001E0C000-memory.dmp	themida
behavioral1/memory/1948-8-0x0000000000400000-0x0000000001E0C000-memory.dmp	themida
behavioral1/memory/1948-9-0x0000000000400000-0x0000000001E0C000-memory.dmp	themida
behavioral1/memory/1948-10-0x0000000000400000-0x0000000001E0C000-memory.dmp	themida
behavioral1/memory/1948-11-0x0000000000400000-0x0000000001E0C000-memory.dmp	themida
behavioral1/memory/1948-13-0x0000000000400000-0x0000000001E0C000-memory.dmp	themida
behavioral1/memory/1948-14-0x0000000000400000-0x0000000001E0C000-memory.dmp	themida
behavioral1/memory/1948-15-0x0000000000400000-0x0000000001E0C000-memory.dmp	themida
behavioral1/memory/1948-16-0x0000000000400000-0x0000000001E0C000-memory.dmp	themida
behavioral1/memory/1948-17-0x0000000000400000-0x0000000001E0C000-memory.dmp	themida
behavioral1/memory/1948-18-0x0000000000400000-0x0000000001E0C000-memory.dmp	themida
behavioral1/memory/1948-19-0x0000000000400000-0x0000000001E0C000-memory.dmp	themida
behavioral1/memory/1948-20-0x0000000000400000-0x0000000001E0C000-memory.dmp	themida
behavioral1/memory/1948-21-0x0000000000400000-0x0000000001E0C000-memory.dmp	themida
behavioral1/memory/1948-22-0x0000000000400000-0x0000000001E0C000-memory.dmp	themida
behavioral1/memory/1948-23-0x0000000000400000-0x0000000001E0C000-memory.dmp	themida
behavioral1/memory/1948-24-0x0000000000400000-0x0000000001E0C000-memory.dmp	themida
behavioral1/memory/1948-25-0x0000000000400000-0x0000000001E0C000-memory.dmp	themida
behavioral1/memory/1948-26-0x0000000000400000-0x0000000001E0C000-memory.dmp	themida
behavioral1/memory/1948-27-0x0000000000400000-0x0000000001E0C000-memory.dmp	themida
behavioral1/memory/1948-28-0x0000000000400000-0x0000000001E0C000-memory.dmp	themida
behavioral1/memory/1948-29-0x0000000000400000-0x0000000001E0C000-memory.dmp	themida
behavioral1/memory/1948-30-0x0000000000400000-0x0000000001E0C000-memory.dmp	themida
behavioral1/memory/1948-31-0x0000000000400000-0x0000000001E0C000-memory.dmp	themida
behavioral1/memory/1948-32-0x0000000000400000-0x0000000001E0C000-memory.dmp	themida
behavioral1/memory/1948-33-0x0000000000400000-0x0000000001E0C000-memory.dmp	themida
behavioral1/memory/1948-34-0x0000000000400000-0x0000000001E0C000-memory.dmp	themida
behavioral1/memory/1948-35-0x0000000000400000-0x0000000001E0C000-memory.dmp	themida

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows32 = "C:\\windows\\system\\wini.exe"	431afccadf5104debcced7a0f7439930_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Menu Iniciar\Iniciar\WindowsUpdate.exe	431afccadf5104debcced7a0f7439930_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1948	431afccadf5104debcced7a0f7439930_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1948	431afccadf5104debcced7a0f7439930_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\431afccadf5104debcced7a0f7439930_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\431afccadf5104debcced7a0f7439930_JaffaCakes118.exe"
1⤵
- Identifies Wine through registry keys
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
PID:1948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

1

T1012

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1948-0-0x0000000000400000-0x0000000001E0C000-memory.dmp

Filesize
26.0MB

Download
memory/1948-1-0x0000000000400000-0x0000000001E0C000-memory.dmp

Filesize
26.0MB

Download
memory/1948-2-0x0000000000400000-0x0000000001E0C000-memory.dmp

Filesize
26.0MB

Download
memory/1948-3-0x0000000000400000-0x0000000001E0C000-memory.dmp

Filesize
26.0MB

Download
memory/1948-4-0x0000000000400000-0x0000000001E0C000-memory.dmp

Filesize
26.0MB

Download
memory/1948-5-0x0000000000400000-0x0000000001E0C000-memory.dmp

Filesize
26.0MB

Download
memory/1948-6-0x0000000000400000-0x0000000001E0C000-memory.dmp

Filesize
26.0MB

Download
memory/1948-7-0x0000000000400000-0x0000000001E0C000-memory.dmp

Filesize
26.0MB

Download
memory/1948-8-0x0000000000400000-0x0000000001E0C000-memory.dmp

Filesize
26.0MB

Download
memory/1948-9-0x0000000000400000-0x0000000001E0C000-memory.dmp

Filesize
26.0MB

Download
memory/1948-10-0x0000000000400000-0x0000000001E0C000-memory.dmp

Filesize
26.0MB

Download
memory/1948-11-0x0000000000400000-0x0000000001E0C000-memory.dmp

Filesize
26.0MB

Download
memory/1948-13-0x0000000000400000-0x0000000001E0C000-memory.dmp

Filesize
26.0MB

Download
memory/1948-14-0x0000000000400000-0x0000000001E0C000-memory.dmp

Filesize
26.0MB

Download
memory/1948-15-0x0000000000400000-0x0000000001E0C000-memory.dmp

Filesize
26.0MB

Download
memory/1948-16-0x0000000000400000-0x0000000001E0C000-memory.dmp

Filesize
26.0MB

Download
memory/1948-17-0x0000000000400000-0x0000000001E0C000-memory.dmp

Filesize
26.0MB

Download
memory/1948-18-0x0000000000400000-0x0000000001E0C000-memory.dmp

Filesize
26.0MB

Download
memory/1948-19-0x0000000000400000-0x0000000001E0C000-memory.dmp

Filesize
26.0MB

Download
memory/1948-20-0x0000000000400000-0x0000000001E0C000-memory.dmp

Filesize
26.0MB

Download
memory/1948-21-0x0000000000400000-0x0000000001E0C000-memory.dmp

Filesize
26.0MB

Download
memory/1948-22-0x0000000000400000-0x0000000001E0C000-memory.dmp

Filesize
26.0MB

Download
memory/1948-23-0x0000000000400000-0x0000000001E0C000-memory.dmp

Filesize
26.0MB

Download
memory/1948-24-0x0000000000400000-0x0000000001E0C000-memory.dmp

Filesize
26.0MB

Download
memory/1948-25-0x0000000000400000-0x0000000001E0C000-memory.dmp

Filesize
26.0MB

Download
memory/1948-26-0x0000000000400000-0x0000000001E0C000-memory.dmp

Filesize
26.0MB

Download
memory/1948-27-0x0000000000400000-0x0000000001E0C000-memory.dmp

Filesize
26.0MB

Download
memory/1948-28-0x0000000000400000-0x0000000001E0C000-memory.dmp

Filesize
26.0MB

Download
memory/1948-29-0x0000000000400000-0x0000000001E0C000-memory.dmp

Filesize
26.0MB

Download
memory/1948-30-0x0000000000400000-0x0000000001E0C000-memory.dmp

Filesize
26.0MB

Download
memory/1948-31-0x0000000000400000-0x0000000001E0C000-memory.dmp

Filesize
26.0MB

Download
memory/1948-32-0x0000000000400000-0x0000000001E0C000-memory.dmp

Filesize
26.0MB

Download
memory/1948-33-0x0000000000400000-0x0000000001E0C000-memory.dmp

Filesize
26.0MB

Download
memory/1948-34-0x0000000000400000-0x0000000001E0C000-memory.dmp

Filesize
26.0MB

Download
memory/1948-35-0x0000000000400000-0x0000000001E0C000-memory.dmp

Filesize
26.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads