295ca3823bbe0aa9e84077f8f92b0f2cf3e063127056e6932c23d2c87d1dedfe

General

Target

b5838f3d277bd1ab5b86a67468463931_JaffaCakes118.exe
Size

1.9MB
MD5

b5838f3d277bd1ab5b86a67468463931
SHA1

0ec26215be7fcb2b5de86510c2116c7a29652a22
SHA256

295ca3823bbe0aa9e84077f8f92b0f2cf3e063127056e6932c23d2c87d1dedfe
SHA512

4f4796effcb898001f7b2a480889d7194d6e510b198d7a7c5087a83d5fc97ece092f4610533feb0c16de783e5c8fd257ef4ea3a3822f27c02544597b095d7729
SSDEEP

49152:iim6XV8BcjAA1DIkQ3BqWYQeeNv51JuEPhmSOLyGoZHW2e8:iiPuBcAwsHO8Nv51EEPhRO/R2e8

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1244	seystm.exe
2736	seystm.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Wine	seystm.exe

Loads dropped DLL 3 IoCs

pid	Process
1500	b5838f3d277bd1ab5b86a67468463931_JaffaCakes118.exe
1500	b5838f3d277bd1ab5b86a67468463931_JaffaCakes118.exe
1244	seystm.exe

Themida packer 6 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x000c0000000120dc-3.dat	themida
behavioral1/memory/1244-12-0x0000000000400000-0x000000000061B000-memory.dmp	themida
behavioral1/memory/1500-9-0x00000000036C0000-0x00000000038DB000-memory.dmp	themida
behavioral1/memory/1244-18-0x0000000000400000-0x000000000061B000-memory.dmp	themida
behavioral1/memory/1244-28-0x0000000000400000-0x000000000061B000-memory.dmp	themida
behavioral1/memory/1244-23-0x0000000000400000-0x000000000061B000-memory.dmp	themida

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1244	seystm.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1244 set thread context of 2736	1244	seystm.exe	31

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b5838f3d277bd1ab5b86a67468463931_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	seystm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	seystm.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1244	seystm.exe
2736	seystm.exe
2736	seystm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1244	seystm.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1500 wrote to memory of 1244	1500	b5838f3d277bd1ab5b86a67468463931_JaffaCakes118.exe	30
PID 1500 wrote to memory of 1244	1500	b5838f3d277bd1ab5b86a67468463931_JaffaCakes118.exe	30
PID 1500 wrote to memory of 1244	1500	b5838f3d277bd1ab5b86a67468463931_JaffaCakes118.exe	30
PID 1500 wrote to memory of 1244	1500	b5838f3d277bd1ab5b86a67468463931_JaffaCakes118.exe	30
PID 1500 wrote to memory of 1244	1500	b5838f3d277bd1ab5b86a67468463931_JaffaCakes118.exe	30
PID 1500 wrote to memory of 1244	1500	b5838f3d277bd1ab5b86a67468463931_JaffaCakes118.exe	30
PID 1500 wrote to memory of 1244	1500	b5838f3d277bd1ab5b86a67468463931_JaffaCakes118.exe	30
PID 1244 wrote to memory of 2736	1244	seystm.exe	31
PID 1244 wrote to memory of 2736	1244	seystm.exe	31
PID 1244 wrote to memory of 2736	1244	seystm.exe	31
PID 1244 wrote to memory of 2736	1244	seystm.exe	31
PID 1244 wrote to memory of 2736	1244	seystm.exe	31
PID 1244 wrote to memory of 2736	1244	seystm.exe	31
PID 1244 wrote to memory of 2736	1244	seystm.exe	31
PID 1244 wrote to memory of 2736	1244	seystm.exe	31
PID 1244 wrote to memory of 2736	1244	seystm.exe	31
PID 1244 wrote to memory of 2736	1244	seystm.exe	31
PID 1244 wrote to memory of 2736	1244	seystm.exe	31
PID 2736 wrote to memory of 1168	2736	seystm.exe	20
PID 2736 wrote to memory of 1168	2736	seystm.exe	20
PID 2736 wrote to memory of 1168	2736	seystm.exe	20
PID 2736 wrote to memory of 1168	2736	seystm.exe	20

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1168
- C:\Users\Admin\AppData\Local\Temp\b5838f3d277bd1ab5b86a67468463931_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\b5838f3d277bd1ab5b86a67468463931_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1500
- - C:\Users\Admin\AppData\Local\Temp\seystm.exe
    "C:\Users\Admin\AppData\Local\Temp\seystm.exe"
    3⤵
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1244
  - - C:\Users\Admin\AppData\Local\Temp\seystm.exe
      "C:\Users\Admin\AppData\Local\Temp\seystm.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\seystm.exe

Filesize
2.1MB

MD5
a03075fa3ec7497779426e1b5f1dc83b

SHA1
457e9fa5419507df118105ccb9f86d0eefd1f59d

SHA256
2db0e815eb0fd8622232b9ab91114ee666c85a2df0c1bf7182f6d7137a7154e1

SHA512
fb4190eef4e3e99f6437fe7265309964d58d518ff550e4435d83411dccf30e01ad33a77e8ffcb62cf4b446073c45860e0b2206c066b29bf73d6ca20da124406b

Download Submit
memory/1168-32-0x000000007FFF0000-0x000000007FFF7000-memory.dmp

Filesize
28KB

Download
memory/1168-35-0x000000007EFD0000-0x000000007EFD1000-memory.dmp

Filesize
4KB

Download
memory/1244-15-0x0000000000401000-0x000000000043E000-memory.dmp

Filesize
244KB

Download
memory/1244-12-0x0000000000400000-0x000000000061B000-memory.dmp

Filesize
2.1MB

Download
memory/1244-18-0x0000000000400000-0x000000000061B000-memory.dmp

Filesize
2.1MB

Download
memory/1244-13-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/1244-31-0x0000000000401000-0x000000000043E000-memory.dmp

Filesize
244KB

Download
memory/1244-28-0x0000000000400000-0x000000000061B000-memory.dmp

Filesize
2.1MB

Download
memory/1244-27-0x0000000004C00000-0x0000000004E1B000-memory.dmp

Filesize
2.1MB

Download
memory/1244-14-0x0000000001FE0000-0x000000000215C000-memory.dmp

Filesize
1.5MB

Download
memory/1244-23-0x0000000000400000-0x000000000061B000-memory.dmp

Filesize
2.1MB

Download
memory/1500-10-0x00000000036C0000-0x00000000038DB000-memory.dmp

Filesize
2.1MB

Download
memory/1500-9-0x00000000036C0000-0x00000000038DB000-memory.dmp

Filesize
2.1MB

Download
memory/2736-29-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2736-21-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2736-25-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2736-44-0x0000000000410000-0x0000000000477000-memory.dmp

Filesize
412KB

Download
memory/2736-45-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads