94766e2d76a4bafc0889e438aab0e05bdee2de1320905d53cd526ba678183a0d

General

Target

ab5cd27398539b28a1e1cf3ef54edb31_JaffaCakes118.exe
Size

5.0MB
MD5

ab5cd27398539b28a1e1cf3ef54edb31
SHA1

15ebc19d49be4e756f7cc1e96b876459ff95de3c
SHA256

94766e2d76a4bafc0889e438aab0e05bdee2de1320905d53cd526ba678183a0d
SHA512

b345370de6b3ee2e095eeaa7f3fd628a9465bf32e519b1536b3c29ea9f3aa28ddb7b8d3b396e3afcf90a15ba069866e1c97ec2e065fe259527110134ff71025d
SSDEEP

98304:n+7YYGuC5Tp6/UqE9KWlCseQgnidWh1D1h3fxhZPsh:n4OJ5Tp6/S9Keh3gnU81phWh

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2016	tuto.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Wine	ab5cd27398539b28a1e1cf3ef54edb31_JaffaCakes118.exe

Themida packer 27 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/2456-0-0x0000000000400000-0x0000000000F56000-memory.dmp	themida
behavioral1/memory/2456-6-0x0000000000400000-0x0000000000F56000-memory.dmp	themida
behavioral1/memory/2456-7-0x0000000000400000-0x0000000000F56000-memory.dmp	themida
behavioral1/memory/2456-12-0x0000000000400000-0x0000000000F56000-memory.dmp	themida
behavioral1/memory/2456-14-0x0000000000400000-0x0000000000F56000-memory.dmp	themida
behavioral1/memory/2456-15-0x0000000000400000-0x0000000000F56000-memory.dmp	themida
behavioral1/memory/2456-16-0x0000000000400000-0x0000000000F56000-memory.dmp	themida
behavioral1/memory/2456-18-0x0000000000400000-0x0000000000F56000-memory.dmp	themida
behavioral1/memory/2456-19-0x0000000000400000-0x0000000000F56000-memory.dmp	themida
behavioral1/memory/2456-20-0x0000000000400000-0x0000000000F56000-memory.dmp	themida
behavioral1/memory/2456-21-0x0000000000400000-0x0000000000F56000-memory.dmp	themida
behavioral1/memory/2456-22-0x0000000000400000-0x0000000000F56000-memory.dmp	themida
behavioral1/memory/2456-23-0x0000000000400000-0x0000000000F56000-memory.dmp	themida
behavioral1/memory/2456-24-0x0000000000400000-0x0000000000F56000-memory.dmp	themida
behavioral1/memory/2456-25-0x0000000000400000-0x0000000000F56000-memory.dmp	themida
behavioral1/memory/2456-26-0x0000000000400000-0x0000000000F56000-memory.dmp	themida
behavioral1/memory/2456-27-0x0000000000400000-0x0000000000F56000-memory.dmp	themida
behavioral1/memory/2456-28-0x0000000000400000-0x0000000000F56000-memory.dmp	themida
behavioral1/memory/2456-29-0x0000000000400000-0x0000000000F56000-memory.dmp	themida
behavioral1/memory/2456-30-0x0000000000400000-0x0000000000F56000-memory.dmp	themida
behavioral1/memory/2456-31-0x0000000000400000-0x0000000000F56000-memory.dmp	themida
behavioral1/memory/2456-32-0x0000000000400000-0x0000000000F56000-memory.dmp	themida
behavioral1/memory/2456-33-0x0000000000400000-0x0000000000F56000-memory.dmp	themida
behavioral1/memory/2456-34-0x0000000000400000-0x0000000000F56000-memory.dmp	themida
behavioral1/memory/2456-35-0x0000000000400000-0x0000000000F56000-memory.dmp	themida
behavioral1/memory/2456-36-0x0000000000400000-0x0000000000F56000-memory.dmp	themida
behavioral1/memory/2456-37-0x0000000000400000-0x0000000000F56000-memory.dmp	themida

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avg = "C:\\Arquivos de programas\\avg.exe"	ab5cd27398539b28a1e1cf3ef54edb31_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Windows\\System32\\svchosts.exe"	ab5cd27398539b28a1e1cf3ef54edb31_JaffaCakes118.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\PLUG.SYS	ab5cd27398539b28a1e1cf3ef54edb31_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\svchosts.exe	ab5cd27398539b28a1e1cf3ef54edb31_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\svchosts.exe	ab5cd27398539b28a1e1cf3ef54edb31_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\windows\Gbuster	ab5cd27398539b28a1e1cf3ef54edb31_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ab5cd27398539b28a1e1cf3ef54edb31_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2456	ab5cd27398539b28a1e1cf3ef54edb31_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2456	ab5cd27398539b28a1e1cf3ef54edb31_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2456 wrote to memory of 2824	2456	ab5cd27398539b28a1e1cf3ef54edb31_JaffaCakes118.exe	29
PID 2456 wrote to memory of 2824	2456	ab5cd27398539b28a1e1cf3ef54edb31_JaffaCakes118.exe	29
PID 2456 wrote to memory of 2824	2456	ab5cd27398539b28a1e1cf3ef54edb31_JaffaCakes118.exe	29
PID 2456 wrote to memory of 2824	2456	ab5cd27398539b28a1e1cf3ef54edb31_JaffaCakes118.exe	29
PID 2824 wrote to memory of 2016	2824	cmd.exe	31
PID 2824 wrote to memory of 2016	2824	cmd.exe	31
PID 2824 wrote to memory of 2016	2824	cmd.exe	31
PID 2824 wrote to memory of 2016	2824	cmd.exe	31

C:\Users\Admin\AppData\Local\Temp\ab5cd27398539b28a1e1cf3ef54edb31_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ab5cd27398539b28a1e1cf3ef54edb31_JaffaCakes118.exe"
1⤵
- Identifies Wine through registry keys
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2456
- C:\Windows\SysWOW64\cmd.exe
  cmd /k C:\tuto.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2824
- - C:\tuto.exe
    C:\tuto.exe
    3⤵
    - Executes dropped EXE
    PID:2016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

1

T1012

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\tuto.exe

Filesize
14KB

MD5
251b9e5ea854eca172eb5a1ea480c718

SHA1
f2d3a641f762ebafce3fe60ba1bf764cd2a6bbec

SHA256
4ea747bcd91bc5fc5025b7eb4d4cbba6672a00361285550cb4ca55ad57c95337

SHA512
a850de833b3744d31ded0e72549b16614cea9f66a2c989505914de4600c4ffcde842a658d629e0980586cb2c424c3c946e148051a6c82f6ae987da8202d0f8bd

Download Submit
memory/2016-11-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2456-21-0x0000000000400000-0x0000000000F56000-memory.dmp

Filesize
11.3MB

Download
memory/2456-23-0x0000000000400000-0x0000000000F56000-memory.dmp

Filesize
11.3MB

Download
memory/2456-6-0x0000000000400000-0x0000000000F56000-memory.dmp

Filesize
11.3MB

Download
memory/2456-7-0x0000000000400000-0x0000000000F56000-memory.dmp

Filesize
11.3MB

Download
memory/2456-2-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/2456-1-0x0000000000FD0000-0x00000000010C8000-memory.dmp

Filesize
992KB

Download
memory/2456-12-0x0000000000400000-0x0000000000F56000-memory.dmp

Filesize
11.3MB

Download
memory/2456-13-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/2456-14-0x0000000000400000-0x0000000000F56000-memory.dmp

Filesize
11.3MB

Download
memory/2456-15-0x0000000000400000-0x0000000000F56000-memory.dmp

Filesize
11.3MB

Download
memory/2456-16-0x0000000000400000-0x0000000000F56000-memory.dmp

Filesize
11.3MB

Download
memory/2456-18-0x0000000000400000-0x0000000000F56000-memory.dmp

Filesize
11.3MB

Download
memory/2456-19-0x0000000000400000-0x0000000000F56000-memory.dmp

Filesize
11.3MB

Download
memory/2456-20-0x0000000000400000-0x0000000000F56000-memory.dmp

Filesize
11.3MB

Download
memory/2456-3-0x0000000000401000-0x000000000046B000-memory.dmp

Filesize
424KB

Download
memory/2456-0-0x0000000000400000-0x0000000000F56000-memory.dmp

Filesize
11.3MB

Download
memory/2456-25-0x0000000000400000-0x0000000000F56000-memory.dmp

Filesize
11.3MB

Download
memory/2456-24-0x0000000000400000-0x0000000000F56000-memory.dmp

Filesize
11.3MB

Download
memory/2456-22-0x0000000000400000-0x0000000000F56000-memory.dmp

Filesize
11.3MB

Download
memory/2456-26-0x0000000000400000-0x0000000000F56000-memory.dmp

Filesize
11.3MB

Download
memory/2456-27-0x0000000000400000-0x0000000000F56000-memory.dmp

Filesize
11.3MB

Download
memory/2456-28-0x0000000000400000-0x0000000000F56000-memory.dmp

Filesize
11.3MB

Download
memory/2456-29-0x0000000000400000-0x0000000000F56000-memory.dmp

Filesize
11.3MB

Download
memory/2456-30-0x0000000000400000-0x0000000000F56000-memory.dmp

Filesize
11.3MB

Download
memory/2456-31-0x0000000000400000-0x0000000000F56000-memory.dmp

Filesize
11.3MB

Download
memory/2456-32-0x0000000000400000-0x0000000000F56000-memory.dmp

Filesize
11.3MB

Download
memory/2456-33-0x0000000000400000-0x0000000000F56000-memory.dmp

Filesize
11.3MB

Download
memory/2456-34-0x0000000000400000-0x0000000000F56000-memory.dmp

Filesize
11.3MB

Download
memory/2456-35-0x0000000000400000-0x0000000000F56000-memory.dmp

Filesize
11.3MB

Download
memory/2456-36-0x0000000000400000-0x0000000000F56000-memory.dmp

Filesize
11.3MB

Download
memory/2456-37-0x0000000000400000-0x0000000000F56000-memory.dmp

Filesize
11.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads