51f10247e92cf73a07aeb7539a5b2c57f09178c56809e2381ec83cab5134584c

General

Target

a46cba125a37801c9c77501ee21b145b_JaffaCakes118.exe
Size

1.9MB
MD5

a46cba125a37801c9c77501ee21b145b
SHA1

9a50e8ae5bdaf6bf79c32aeb98b2ba42591f2ee0
SHA256

51f10247e92cf73a07aeb7539a5b2c57f09178c56809e2381ec83cab5134584c
SHA512

d8724c736cea4367d33180004cbda038c3c9439272c269379589428ee82493ca8798a69a0c946e692479ae40dd313472fbcf3ccc65e4501f9cce7eab4ea2ac17
SSDEEP

49152:iim6XvjHskdH/jChigyH8fGnDadV779GrFYdJ3:iiPvz1LChfMqV7hOYP

Score

7^/10

discovery evasion themida

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	a46cba125a37801c9c77501ee21b145b_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
2220	seystm.exe
4776	seystm.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine	seystm.exe

Themida packer 5 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/files/0x000900000002342e-4.dat	themida
behavioral2/memory/2220-12-0x0000000000400000-0x0000000000608000-memory.dmp	themida
behavioral2/memory/2220-19-0x0000000000400000-0x0000000000608000-memory.dmp	themida
behavioral2/memory/2220-24-0x0000000000400000-0x0000000000608000-memory.dmp	themida
behavioral2/memory/2220-18-0x0000000000400000-0x0000000000608000-memory.dmp	themida

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2220	seystm.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2220 set thread context of 4776	2220	seystm.exe	88

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a46cba125a37801c9c77501ee21b145b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	seystm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	seystm.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2220	seystm.exe
2220	seystm.exe
4776	seystm.exe
4776	seystm.exe
4776	seystm.exe
4776	seystm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2220	seystm.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2848 wrote to memory of 2220	2848	a46cba125a37801c9c77501ee21b145b_JaffaCakes118.exe	85
PID 2848 wrote to memory of 2220	2848	a46cba125a37801c9c77501ee21b145b_JaffaCakes118.exe	85
PID 2848 wrote to memory of 2220	2848	a46cba125a37801c9c77501ee21b145b_JaffaCakes118.exe	85
PID 2220 wrote to memory of 4776	2220	seystm.exe	88
PID 2220 wrote to memory of 4776	2220	seystm.exe	88
PID 2220 wrote to memory of 4776	2220	seystm.exe	88
PID 2220 wrote to memory of 4776	2220	seystm.exe	88
PID 2220 wrote to memory of 4776	2220	seystm.exe	88
PID 2220 wrote to memory of 4776	2220	seystm.exe	88
PID 2220 wrote to memory of 4776	2220	seystm.exe	88
PID 4776 wrote to memory of 3416	4776	seystm.exe	56
PID 4776 wrote to memory of 3416	4776	seystm.exe	56
PID 4776 wrote to memory of 3416	4776	seystm.exe	56
PID 4776 wrote to memory of 3416	4776	seystm.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3416
- C:\Users\Admin\AppData\Local\Temp\a46cba125a37801c9c77501ee21b145b_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\a46cba125a37801c9c77501ee21b145b_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2848
- - C:\Users\Admin\AppData\Local\Temp\seystm.exe
    "C:\Users\Admin\AppData\Local\Temp\seystm.exe"
    3⤵
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2220
  - - C:\Users\Admin\AppData\Local\Temp\seystm.exe
      "C:\Users\Admin\AppData\Local\Temp\seystm.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:4776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\seystm.exe

Filesize
2.0MB

MD5
4edd225f35d9f7e7953f37d289ada155

SHA1
9e9ce10962df6e17690cee6db47282d35c164c01

SHA256
cb9e084bdd5967152d30993f88c8143ed5c432ff263ea6aa98b7f5dba7bc1515

SHA512
6655d30ffc3f45e9f46393fa8758b547312b500eef9c5df8752b080099598aad5dd2e507cc9679260d8091f72330e9c2a4d8a52d2d9187e3b1025bd1d1cd317e

Download Submit
memory/2220-24-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/2220-27-0x0000000000401000-0x000000000043E000-memory.dmp

Filesize
244KB

Download
memory/2220-14-0x0000000002330000-0x00000000024A0000-memory.dmp

Filesize
1.4MB

Download
memory/2220-15-0x0000000000401000-0x000000000043E000-memory.dmp

Filesize
244KB

Download
memory/2220-19-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/2220-12-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/2220-13-0x0000000002160000-0x0000000002161000-memory.dmp

Filesize
4KB

Download
memory/2220-18-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/3416-29-0x000000007FFF0000-0x000000007FFF7000-memory.dmp

Filesize
28KB

Download
memory/3416-30-0x000000007FFD0000-0x000000007FFD1000-memory.dmp

Filesize
4KB

Download
memory/4776-20-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4776-25-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4776-23-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4776-28-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads