Analysis

  • max time kernel
    117s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    14/07/2024, 10:04

General

  • Target

    45582114945d1fb2d4bc5a626f75bf60_JaffaCakes118.exe

  • Size

    550KB

  • MD5

    45582114945d1fb2d4bc5a626f75bf60

  • SHA1

    3f01f80dfe07cb420965175b3e192220ec5a6d9e

  • SHA256

    f52f03178d1abedc256d9c4d1fee4ab5e417a65c4b069fc2ade8f464aed8f4bb

  • SHA512

    725bba5a24b8e4ece2c3d7866e0a26a4a5ff7e7fd3f893d15151efc08fb9fdf2ef0131ccca26a241d9911a98b74fc807d480cc7288b8b1bdb4018bed610eb3be

  • SSDEEP

    12288:V7UnT+Uyn8PbaT3fmHcsdszHIeCl5mh31A7WfTevqzInArL:V7KrynQDdsHCnmVNev6rrL

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Themida packer 4 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Drops file in System32 directory 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1204
      • C:\Users\Admin\AppData\Local\Temp\45582114945d1fb2d4bc5a626f75bf60_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\45582114945d1fb2d4bc5a626f75bf60_JaffaCakes118.exe"
        2⤵
        • Identifies Wine through registry keys
        • Drops file in System32 directory
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2080
        • C:\Windows\server.exe
          "C:\Windows\server.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2696
    • C:\Windows\SysWOW64\DllHost.exe
      C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
      1⤵
      • Drops file in System32 directory
      • Suspicious use of FindShellTrayWindow
      PID:2652

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\SysWOW64\el.jpg
    Filesize: 3KB
    MD5: 9016083302c650b69d27c64947eb7da5
    SHA1: c3d9441ccb6447af05e6d02b321c1c365a95f93d
    SHA256: 989851962c21095087a4055ccf932dbcc811c4e55df2299a0a674821d67d51d7
    SHA512: 870e8434a54f59ac1626010d6589e8d220ab863ddbcd7ac562c36c890fdc2be3917f2b265a05a773a1806185c9da60aa25d911a763509935a9e60ad8f2920806
  • C:\Windows\server.exe
    Filesize: 50KB
    MD5: 565fe7180d135cb5e7b26f38a7319b4e
    SHA1: f92f55e5cb2589cfed7e6c6c4508cb11a622979c
    SHA256: d513fa5f9d9fd5e9a0f80ea3abf61e006445815e157405fb04d410005aed4713
    SHA512: 3fd490c5ba8b69dc99a56b31a8ce3cd0a2da772010f9af9e8c8df16bc265bd77a37d0917bc15c5cbfd9af1c9133cd636b518476f89260e04dd8566752da01a08
  • memory/1204-19-0x000000007FFF0000-0x000000007FFF1000-memory.dmp
    Filesize: 4KB
  • memory/1204-25-0x000000007EFC0000-0x000000007EFC6000-memory.dmp
    Filesize: 24KB
  • memory/2080-13-0x00000000045D0000-0x00000000045D9000-memory.dmp
    Filesize: 36KB
  • memory/2080-4-0x0000000000400000-0x0000000000521000-memory.dmp
    Filesize: 1.1MB
  • memory/2080-12-0x00000000045D0000-0x00000000045D9000-memory.dmp
    Filesize: 36KB
  • memory/2080-0-0x0000000000400000-0x0000000000521000-memory.dmp
    Filesize: 1.1MB
  • memory/2080-5-0x0000000000400000-0x0000000000521000-memory.dmp
    Filesize: 1.1MB
  • memory/2080-39-0x0000000004820000-0x0000000004822000-memory.dmp
    Filesize: 8KB
  • memory/2080-41-0x0000000000400000-0x0000000000521000-memory.dmp
    Filesize: 1.1MB
  • memory/2080-2-0x0000000000401000-0x0000000000402000-memory.dmp
    Filesize: 4KB
  • memory/2652-40-0x0000000000160000-0x0000000000162000-memory.dmp
    Filesize: 8KB
  • memory/2652-42-0x00000000002A0000-0x00000000002A1000-memory.dmp
    Filesize: 4KB
  • memory/2652-44-0x00000000002A0000-0x00000000002A1000-memory.dmp
    Filesize: 4KB
  • memory/2696-16-0x0000000000400000-0x0000000000409000-memory.dmp
    Filesize: 36KB
  • memory/2696-37-0x0000000010000000-0x0000000010011000-memory.dmp
    Filesize: 68KB