4d7a34c27425da94ccc81adfde152beddfe571030daa75897d0f8a1acfad3bb2

Analysis

max time kernel
148s
max time network
119s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
22-08-2024 14:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b7fc364508eb2f1ebb6cad6048e00045_JaffaCakes118.exe
Size

960KB
MD5

b7fc364508eb2f1ebb6cad6048e00045
SHA1

a55db211bdbe036b3dba5fcb206a4fe5248213b0
SHA256

4d7a34c27425da94ccc81adfde152beddfe571030daa75897d0f8a1acfad3bb2
SHA512

18732ab39e05cacc6db157141efe9ce9f4c32336ad032b3600571846e0c6447a7521fd430f4ede257d80c6f53153436ee7475f27195ffd9be2ae775422070750
SSDEEP

12288:8r9Wqow943/Z0iB8Z3XPFf9JEYBGt5RpdUGMV:8xjP43/unPl9eYB82GM

Score

7^/10

discovery evasion

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
2220	View.exe
2352	View.exe
2816	View.exe
1896	View.exe
2808	View.exe

Identifies Wine through registry keys 2 TTPs 6 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Wine	b7fc364508eb2f1ebb6cad6048e00045_JaffaCakes118.exe
Key opened	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Wine	View.exe
Key opened	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Wine	View.exe
Key opened	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Wine	View.exe
Key opened	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Wine	View.exe
Key opened	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Wine	View.exe

Loads dropped DLL 10 IoCs

pid	Process
2548	b7fc364508eb2f1ebb6cad6048e00045_JaffaCakes118.exe
2548	b7fc364508eb2f1ebb6cad6048e00045_JaffaCakes118.exe
2220	View.exe
2220	View.exe
2352	View.exe
2352	View.exe
2816	View.exe
2816	View.exe
1896	View.exe
1896	View.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\View.exe	b7fc364508eb2f1ebb6cad6048e00045_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\View.exe	View.exe
File created	C:\Windows\SysWOW64\View.exe	View.exe
File created	C:\Windows\SysWOW64\View.exe	View.exe
File created	C:\Windows\SysWOW64\View.exe	View.exe
File created	C:\Windows\SysWOW64\View.exe	View.exe
File created	C:\Windows\SysWOW64\View.exe	b7fc364508eb2f1ebb6cad6048e00045_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	View.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b7fc364508eb2f1ebb6cad6048e00045_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	View.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	View.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	View.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2548	b7fc364508eb2f1ebb6cad6048e00045_JaffaCakes118.exe
2548	b7fc364508eb2f1ebb6cad6048e00045_JaffaCakes118.exe
2548	b7fc364508eb2f1ebb6cad6048e00045_JaffaCakes118.exe
2548	b7fc364508eb2f1ebb6cad6048e00045_JaffaCakes118.exe
2548	b7fc364508eb2f1ebb6cad6048e00045_JaffaCakes118.exe
2548	b7fc364508eb2f1ebb6cad6048e00045_JaffaCakes118.exe
2548	b7fc364508eb2f1ebb6cad6048e00045_JaffaCakes118.exe
2548	b7fc364508eb2f1ebb6cad6048e00045_JaffaCakes118.exe
2548	b7fc364508eb2f1ebb6cad6048e00045_JaffaCakes118.exe
2548	b7fc364508eb2f1ebb6cad6048e00045_JaffaCakes118.exe
2548	b7fc364508eb2f1ebb6cad6048e00045_JaffaCakes118.exe
2548	b7fc364508eb2f1ebb6cad6048e00045_JaffaCakes118.exe
2220	View.exe
2220	View.exe
2220	View.exe
2220	View.exe
2220	View.exe
2220	View.exe
2220	View.exe
2220	View.exe
2220	View.exe
2220	View.exe
2220	View.exe
2220	View.exe
2352	View.exe
2352	View.exe
2352	View.exe
2352	View.exe
2352	View.exe
2352	View.exe
2352	View.exe
2352	View.exe
2352	View.exe
2352	View.exe
2352	View.exe
2352	View.exe
2816	View.exe
2816	View.exe
2816	View.exe
2816	View.exe
2816	View.exe
2816	View.exe
2816	View.exe
2816	View.exe
2816	View.exe
2816	View.exe
2816	View.exe
2816	View.exe
1896	View.exe
1896	View.exe
1896	View.exe
1896	View.exe
1896	View.exe
1896	View.exe
1896	View.exe
1896	View.exe
1896	View.exe
1896	View.exe
1896	View.exe
1896	View.exe
2808	View.exe
2808	View.exe
2808	View.exe
2808	View.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2548 wrote to memory of 2220	2548	b7fc364508eb2f1ebb6cad6048e00045_JaffaCakes118.exe	31
PID 2548 wrote to memory of 2220	2548	b7fc364508eb2f1ebb6cad6048e00045_JaffaCakes118.exe	31
PID 2548 wrote to memory of 2220	2548	b7fc364508eb2f1ebb6cad6048e00045_JaffaCakes118.exe	31
PID 2548 wrote to memory of 2220	2548	b7fc364508eb2f1ebb6cad6048e00045_JaffaCakes118.exe	31
PID 2220 wrote to memory of 2352	2220	View.exe	32
PID 2220 wrote to memory of 2352	2220	View.exe	32
PID 2220 wrote to memory of 2352	2220	View.exe	32
PID 2220 wrote to memory of 2352	2220	View.exe	32
PID 2352 wrote to memory of 2816	2352	View.exe	33
PID 2352 wrote to memory of 2816	2352	View.exe	33
PID 2352 wrote to memory of 2816	2352	View.exe	33
PID 2352 wrote to memory of 2816	2352	View.exe	33
PID 2816 wrote to memory of 1896	2816	View.exe	34
PID 2816 wrote to memory of 1896	2816	View.exe	34
PID 2816 wrote to memory of 1896	2816	View.exe	34
PID 2816 wrote to memory of 1896	2816	View.exe	34
PID 1896 wrote to memory of 2808	1896	View.exe	35
PID 1896 wrote to memory of 2808	1896	View.exe	35
PID 1896 wrote to memory of 2808	1896	View.exe	35
PID 1896 wrote to memory of 2808	1896	View.exe	35

C:\Users\Admin\AppData\Local\Temp\b7fc364508eb2f1ebb6cad6048e00045_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b7fc364508eb2f1ebb6cad6048e00045_JaffaCakes118.exe"
1⤵
- Identifies Wine through registry keys
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Windows\SysWOW64\View.exe
  C:\Windows\system32\View.exe -bai C:\Users\Admin\AppData\Local\Temp\b7fc364508eb2f1ebb6cad6048e00045_JaffaCakes118.exe
  2⤵
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2220
- - C:\Windows\SysWOW64\View.exe
    C:\Windows\system32\View.exe -bai C:\Windows\SysWOW64\View.exe
    3⤵
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2352
  - - C:\Windows\SysWOW64\View.exe
      C:\Windows\system32\View.exe -bai C:\Windows\SysWOW64\View.exe
      4⤵
      Executes dropped EXE
      Identifies Wine through registry keys
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2816
    - - C:\Windows\SysWOW64\View.exe
        
        C:\Windows\system32\View.exe -bai C:\Windows\SysWOW64\View.exe
        5⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1896
      - C:\Windows\SysWOW64\View.exe
        
        C:\Windows\system32\View.exe -bai C:\Windows\SysWOW64\View.exe
        6⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\View.exe

Filesize
960KB

MD5
b7fc364508eb2f1ebb6cad6048e00045

SHA1
a55db211bdbe036b3dba5fcb206a4fe5248213b0

SHA256
4d7a34c27425da94ccc81adfde152beddfe571030daa75897d0f8a1acfad3bb2

SHA512
18732ab39e05cacc6db157141efe9ce9f4c32336ad032b3600571846e0c6447a7521fd430f4ede257d80c6f53153436ee7475f27195ffd9be2ae775422070750

Download Submit
memory/1896-68-0x0000000000400000-0x00000000005EF000-memory.dmp

Filesize
1.9MB

Download
memory/1896-65-0x0000000000400000-0x00000000005EF000-memory.dmp

Filesize
1.9MB

Download
memory/1896-67-0x0000000000400000-0x00000000005EF000-memory.dmp

Filesize
1.9MB

Download
memory/1896-66-0x0000000000400000-0x00000000005EF000-memory.dmp

Filesize
1.9MB

Download
memory/1896-72-0x0000000000400000-0x00000000005EF000-memory.dmp

Filesize
1.9MB

Download
memory/2220-21-0x0000000000400000-0x00000000005EF000-memory.dmp

Filesize
1.9MB

Download
memory/2220-19-0x0000000000400000-0x00000000005EF000-memory.dmp

Filesize
1.9MB

Download
memory/2220-18-0x0000000000400000-0x00000000005EF000-memory.dmp

Filesize
1.9MB

Download
memory/2220-17-0x0000000000400000-0x00000000005EF000-memory.dmp

Filesize
1.9MB

Download
memory/2220-22-0x0000000000400000-0x00000000005EF000-memory.dmp

Filesize
1.9MB

Download
memory/2220-23-0x0000000000400000-0x00000000005EF000-memory.dmp

Filesize
1.9MB

Download
memory/2220-24-0x0000000000400000-0x00000000005EF000-memory.dmp

Filesize
1.9MB

Download
memory/2220-25-0x0000000000400000-0x00000000005EF000-memory.dmp

Filesize
1.9MB

Download
memory/2220-26-0x0000000000400000-0x00000000005EF000-memory.dmp

Filesize
1.9MB

Download
memory/2220-27-0x0000000000400000-0x00000000005EF000-memory.dmp

Filesize
1.9MB

Download
memory/2220-31-0x0000000000400000-0x00000000005EF000-memory.dmp

Filesize
1.9MB

Download
memory/2352-42-0x0000000000400000-0x00000000005EF000-memory.dmp

Filesize
1.9MB

Download
memory/2352-48-0x0000000000400000-0x00000000005EF000-memory.dmp

Filesize
1.9MB

Download
memory/2352-35-0x0000000000400000-0x00000000005EF000-memory.dmp

Filesize
1.9MB

Download
memory/2352-36-0x0000000000400000-0x00000000005EF000-memory.dmp

Filesize
1.9MB

Download
memory/2352-37-0x0000000000400000-0x00000000005EF000-memory.dmp

Filesize
1.9MB

Download
memory/2352-38-0x0000000000400000-0x00000000005EF000-memory.dmp

Filesize
1.9MB

Download
memory/2352-39-0x0000000000400000-0x00000000005EF000-memory.dmp

Filesize
1.9MB

Download
memory/2352-41-0x0000000000400000-0x00000000005EF000-memory.dmp

Filesize
1.9MB

Download
memory/2352-40-0x0000000000400000-0x00000000005EF000-memory.dmp

Filesize
1.9MB

Download
memory/2352-33-0x0000000000400000-0x00000000005EF000-memory.dmp

Filesize
1.9MB

Download
memory/2352-43-0x0000000000400000-0x00000000005EF000-memory.dmp

Filesize
1.9MB

Download
memory/2352-34-0x0000000000400000-0x00000000005EF000-memory.dmp

Filesize
1.9MB

Download
memory/2548-14-0x0000000004350000-0x000000000453F000-memory.dmp

Filesize
1.9MB

Download
memory/2548-13-0x0000000000400000-0x00000000005EF000-memory.dmp

Filesize
1.9MB

Download
memory/2548-6-0x0000000000400000-0x00000000005EF000-memory.dmp

Filesize
1.9MB

Download
memory/2548-15-0x0000000004350000-0x000000000453F000-memory.dmp

Filesize
1.9MB

Download
memory/2548-0-0x0000000000400000-0x00000000005EF000-memory.dmp

Filesize
1.9MB

Download
memory/2548-1-0x0000000000401000-0x0000000000418000-memory.dmp

Filesize
92KB

Download
memory/2548-2-0x0000000000400000-0x00000000005EF000-memory.dmp

Filesize
1.9MB

Download
memory/2548-3-0x0000000000400000-0x00000000005EF000-memory.dmp

Filesize
1.9MB

Download
memory/2808-77-0x0000000000400000-0x00000000005EF000-memory.dmp

Filesize
1.9MB

Download
memory/2808-75-0x0000000000400000-0x00000000005EF000-memory.dmp

Filesize
1.9MB

Download
memory/2808-76-0x0000000000400000-0x00000000005EF000-memory.dmp

Filesize
1.9MB

Download
memory/2808-74-0x0000000000400000-0x00000000005EF000-memory.dmp

Filesize
1.9MB

Download
memory/2816-51-0x0000000000400000-0x00000000005EF000-memory.dmp

Filesize
1.9MB

Download
memory/2816-59-0x0000000000400000-0x00000000005EF000-memory.dmp

Filesize
1.9MB

Download
memory/2816-63-0x0000000000400000-0x00000000005EF000-memory.dmp

Filesize
1.9MB

Download
memory/2816-58-0x0000000000400000-0x00000000005EF000-memory.dmp

Filesize
1.9MB

Download
memory/2816-57-0x0000000000400000-0x00000000005EF000-memory.dmp

Filesize
1.9MB

Download
memory/2816-56-0x0000000000400000-0x00000000005EF000-memory.dmp

Filesize
1.9MB

Download
memory/2816-55-0x0000000000400000-0x00000000005EF000-memory.dmp

Filesize
1.9MB

Download
memory/2816-54-0x0000000000400000-0x00000000005EF000-memory.dmp

Filesize
1.9MB

Download
memory/2816-53-0x0000000000400000-0x00000000005EF000-memory.dmp

Filesize
1.9MB

Download
memory/2816-52-0x0000000000400000-0x00000000005EF000-memory.dmp

Filesize
1.9MB

Download
memory/2816-50-0x0000000000400000-0x00000000005EF000-memory.dmp

Filesize
1.9MB

Download
memory/2816-49-0x0000000000400000-0x00000000005EF000-memory.dmp

Filesize
1.9MB

Download