5ddad1c03cbd716d44830805ffbfa3aca83da084fc460f45ea20a423bff98eeb

Analysis

max time kernel
35s
max time network
40s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
23/08/2024, 11:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bb97b655afb9c77baa8111600e8772bc_JaffaCakes118.exe
Size

2.6MB
MD5

bb97b655afb9c77baa8111600e8772bc
SHA1

dfddd7fabc685345aa9103c7f40ec87bbaae6078
SHA256

5ddad1c03cbd716d44830805ffbfa3aca83da084fc460f45ea20a423bff98eeb
SHA512

1dd117e3432379e5041cd16e2d0d641645562e6a4b89b1ebe63d8ae12055186c7d9821dcb2b24dcf59b7b228c3eaab3d0572c335d9dcf1bdbfba2b2a30fdb468
SSDEEP

49152:UK1+uOc++oJuVSB+UHjXm5Wp8ziCMpqCLFSMMDllT3s0xo/GZDumO3THrMxQw55:UKbOc++EuVSB+qXqt1MpqoFSz7FDfEXm

Score

9^/10

discovery themida

Malware Config

Signatures

Detected Nirsoft tools 7 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral1/memory/2788-11-0x0000000000400000-0x000000000059D000-memory.dmp	Nirsoft
behavioral1/memory/2788-7-0x0000000000400000-0x000000000059D000-memory.dmp	Nirsoft
behavioral1/files/0x00300000000186b7-50.dat	Nirsoft
behavioral1/files/0x00310000000186b7-59.dat	Nirsoft
behavioral1/memory/2100-66-0x0000000000400000-0x000000000041E000-memory.dmp	Nirsoft
behavioral1/files/0x00320000000186b7-69.dat	Nirsoft
behavioral1/files/0x00330000000186b7-80.dat	Nirsoft

Executes dropped EXE 6 IoCs

pid	Process
2832	Temp1337SteamLogin.exe
2288	steam.exe
2704	Tempinet.exe
2100	Tempmsg.exe
2080	Temppdk.exe
3012	Temphttp.exe

Loads dropped DLL 12 IoCs

pid	Process
2788	bb97b655afb9c77baa8111600e8772bc_JaffaCakes118.exe
2788	bb97b655afb9c77baa8111600e8772bc_JaffaCakes118.exe
2652	cmd.exe
2652	cmd.exe
2788	bb97b655afb9c77baa8111600e8772bc_JaffaCakes118.exe
2788	bb97b655afb9c77baa8111600e8772bc_JaffaCakes118.exe
2788	bb97b655afb9c77baa8111600e8772bc_JaffaCakes118.exe
2788	bb97b655afb9c77baa8111600e8772bc_JaffaCakes118.exe
2788	bb97b655afb9c77baa8111600e8772bc_JaffaCakes118.exe
2788	bb97b655afb9c77baa8111600e8772bc_JaffaCakes118.exe
2788	bb97b655afb9c77baa8111600e8772bc_JaffaCakes118.exe
2788	bb97b655afb9c77baa8111600e8772bc_JaffaCakes118.exe

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/2556-2-0x0000000010000000-0x00000000102B9000-memory.dmp	themida
behavioral1/memory/2556-8-0x0000000010000000-0x00000000102B9000-memory.dmp	themida
behavioral1/memory/2788-12-0x0000000010000000-0x00000000102B9000-memory.dmp	themida

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2556 set thread context of 2788	2556	bb97b655afb9c77baa8111600e8772bc_JaffaCakes118.exe	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bb97b655afb9c77baa8111600e8772bc_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Temp1337SteamLogin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	steam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tempmsg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Temphttp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bb97b655afb9c77baa8111600e8772bc_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tempinet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Temppdk.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\	bb97b655afb9c77baa8111600e8772bc_JaffaCakes118.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	bb97b655afb9c77baa8111600e8772bc_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2100	Tempmsg.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2788	bb97b655afb9c77baa8111600e8772bc_JaffaCakes118.exe
2832	Temp1337SteamLogin.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 2556 wrote to memory of 2788	2556	bb97b655afb9c77baa8111600e8772bc_JaffaCakes118.exe	29
PID 2556 wrote to memory of 2788	2556	bb97b655afb9c77baa8111600e8772bc_JaffaCakes118.exe	29
PID 2556 wrote to memory of 2788	2556	bb97b655afb9c77baa8111600e8772bc_JaffaCakes118.exe	29
PID 2556 wrote to memory of 2788	2556	bb97b655afb9c77baa8111600e8772bc_JaffaCakes118.exe	29
PID 2556 wrote to memory of 2788	2556	bb97b655afb9c77baa8111600e8772bc_JaffaCakes118.exe	29
PID 2556 wrote to memory of 2788	2556	bb97b655afb9c77baa8111600e8772bc_JaffaCakes118.exe	29
PID 2788 wrote to memory of 2832	2788	bb97b655afb9c77baa8111600e8772bc_JaffaCakes118.exe	30
PID 2788 wrote to memory of 2832	2788	bb97b655afb9c77baa8111600e8772bc_JaffaCakes118.exe	30
PID 2788 wrote to memory of 2832	2788	bb97b655afb9c77baa8111600e8772bc_JaffaCakes118.exe	30
PID 2788 wrote to memory of 2832	2788	bb97b655afb9c77baa8111600e8772bc_JaffaCakes118.exe	30
PID 2832 wrote to memory of 2652	2832	Temp1337SteamLogin.exe	31
PID 2832 wrote to memory of 2652	2832	Temp1337SteamLogin.exe	31
PID 2832 wrote to memory of 2652	2832	Temp1337SteamLogin.exe	31
PID 2832 wrote to memory of 2652	2832	Temp1337SteamLogin.exe	31
PID 2652 wrote to memory of 2288	2652	cmd.exe	33
PID 2652 wrote to memory of 2288	2652	cmd.exe	33
PID 2652 wrote to memory of 2288	2652	cmd.exe	33
PID 2652 wrote to memory of 2288	2652	cmd.exe	33
PID 2788 wrote to memory of 2704	2788	bb97b655afb9c77baa8111600e8772bc_JaffaCakes118.exe	34
PID 2788 wrote to memory of 2704	2788	bb97b655afb9c77baa8111600e8772bc_JaffaCakes118.exe	34
PID 2788 wrote to memory of 2704	2788	bb97b655afb9c77baa8111600e8772bc_JaffaCakes118.exe	34
PID 2788 wrote to memory of 2704	2788	bb97b655afb9c77baa8111600e8772bc_JaffaCakes118.exe	34
PID 2788 wrote to memory of 2100	2788	bb97b655afb9c77baa8111600e8772bc_JaffaCakes118.exe	35
PID 2788 wrote to memory of 2100	2788	bb97b655afb9c77baa8111600e8772bc_JaffaCakes118.exe	35
PID 2788 wrote to memory of 2100	2788	bb97b655afb9c77baa8111600e8772bc_JaffaCakes118.exe	35
PID 2788 wrote to memory of 2100	2788	bb97b655afb9c77baa8111600e8772bc_JaffaCakes118.exe	35
PID 2788 wrote to memory of 2080	2788	bb97b655afb9c77baa8111600e8772bc_JaffaCakes118.exe	36
PID 2788 wrote to memory of 2080	2788	bb97b655afb9c77baa8111600e8772bc_JaffaCakes118.exe	36
PID 2788 wrote to memory of 2080	2788	bb97b655afb9c77baa8111600e8772bc_JaffaCakes118.exe	36
PID 2788 wrote to memory of 2080	2788	bb97b655afb9c77baa8111600e8772bc_JaffaCakes118.exe	36
PID 2788 wrote to memory of 3012	2788	bb97b655afb9c77baa8111600e8772bc_JaffaCakes118.exe	37
PID 2788 wrote to memory of 3012	2788	bb97b655afb9c77baa8111600e8772bc_JaffaCakes118.exe	37
PID 2788 wrote to memory of 3012	2788	bb97b655afb9c77baa8111600e8772bc_JaffaCakes118.exe	37
PID 2788 wrote to memory of 3012	2788	bb97b655afb9c77baa8111600e8772bc_JaffaCakes118.exe	37

C:\Users\Admin\AppData\Local\Temp\bb97b655afb9c77baa8111600e8772bc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bb97b655afb9c77baa8111600e8772bc_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2556
- C:\Users\Admin\AppData\Local\Temp\bb97b655afb9c77baa8111600e8772bc_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\bb97b655afb9c77baa8111600e8772bc_JaffaCakes118.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2788
- - C:\Users\Admin\AppData\Local\Temp1337SteamLogin.exe
    C:\Users\Admin\AppData\Local\Temp1337SteamLogin.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2832
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\steam.exetemp.bat" "
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2652
    - - C:\Users\Admin\AppData\Local\Temp\steam.exe
        
        steam.exe /start
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2288
- - C:\Users\Admin\AppData\Local\Tempinet.exe
    C:\Users\Admin\AppData\Local\Tempinet.exe /stext C:\Users\Admin\AppData\Local\Tempinet.exeinet.txt
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2704
- - C:\Users\Admin\AppData\Local\Tempmsg.exe
    C:\Users\Admin\AppData\Local\Tempmsg.exe /stext C:\Users\Admin\AppData\Local\Tempmsg.exemsg.txt
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2100
- - C:\Users\Admin\AppData\Local\Temppdk.exe
    C:\Users\Admin\AppData\Local\Temppdk.exe /stext C:\Users\Admin\AppData\Local\Temppdk.exepdk.txt
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2080
- - C:\Users\Admin\AppData\Local\Temphttp.exe
    C:\Users\Admin\AppData\Local\Temphttp.exe /stext C:\Users\Admin\AppData\Local\Temphttp.exehttp.txt
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1337SteamLogin.txt

Filesize
190B

MD5
0eb4f404478ad48d87547ffdb6192e15

SHA1
005592484a5cf578d1ea9a1b91fd6e58662ff6ca

SHA256
a8300b4370ae7dfa14cb3d8849bf867650314097f13c3ba24977ee53dae04748

SHA512
681274615ac25f979bda6440bc6e19287fc39784263132b0a7325ad3afdbcbbf4cc8f4d7e1bd49eb55bcf6b1749f0c9d4fc630a77c5e44eed06095ec75f92880

Download Submit
C:\Users\Admin\AppData\Local\Temp\steam.exetemp.bat

Filesize
37B

MD5
1e720334b28a9832479b0abae179ffb4

SHA1
39f72cdb206bf6f4a93d85f47203b04684ac102a

SHA256
0029c2b09b8476980969af1fe4651dcb1bd110f99d58405fa9c2fec45fd6724f

SHA512
441fb356b2c84be4025e0d4da92484bfd4d675dcc89d14c0e40e4af7eee1e9cc8f2b859f85f1990036e3c8b6b933cea019ce2d6ca400d2fc2fd19ecd735d5c9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\steam.exetemp.txt

Filesize
215B

MD5
99e2595d7bd09e6caa113d3b62d8950e

SHA1
8000f91b4f44baf9e1da20cc4638743395843b0d

SHA256
73106d332e54f65a58735e5d8f592a6efffb07b1cacc55fdd2ad56e9f3026a88

SHA512
c910b38e08d24242e805073eee44793e332bb46092ef532c7c97a9d805f5a4f3645b6cf494787efa72647465f820d3e4f8034a8c51093d8182c5abba22c4bb29

Download Submit
C:\Users\Admin\AppData\Local\Temppdk.exepdk.txt

Filesize
264B

MD5
3c41038222682bd79d1d9a4ba32247fc

SHA1
2f47602029c5b0a5f7572b1ac0ef04c63e6e3ee3

SHA256
ae7719e3324b91c18611579e871d0a9335f2e6810deae3e3894e2b3d7e6c4dd0

SHA512
08f4c7c673edab20b71ed3e3d86aae4486cff2a60faac53716c62ad34d23987ca13e73bd22e8b44ecaf8fa4a998823ee7dfce60cbb78b181b448a3b08df772aa

Download Submit
\Users\Admin\AppData\Local\Temp1337SteamLogin.exe

Filesize
1.1MB

MD5
8ea32ad35336326d5e3fa162dbd619e5

SHA1
884c5a50d419fb659a369617b9a2eac2b31c5a6a

SHA256
5749f1b5b7ad2dc998e42afbe45adb56623e1270e7c6c0df0574341037668435

SHA512
adc45895583ee92126d4ae51ae4c8a5702ea90af795fe8cb5867a9b0391cd3d130a3bb7913ad88890f2e1896fc0a92c9a8a81e5ab6659f1530d0ce60203d0874

Download Submit
\Users\Admin\AppData\Local\Temp\steam.exe

Filesize
1.1MB

MD5
02cbfc9bf736a22aee289806dbeb3aaf

SHA1
3a265b10891b984fccb6e25bc45f7c49410f5158

SHA256
dee082af109e5d561c1ddc9b354acdfd750d0e2766cc930c23a572c6619ce9c6

SHA512
606a58ed6a3bbb45b5291bcc447ba99df797215e092fc5eada658d835db1cb21d59de4ebab1adfb18e52952cd99b6c342db497e846b32f57d3c578eea6b51552

Download Submit
\Users\Admin\AppData\Local\Temphttp.exe

Filesize
51KB

MD5
a3e8811b3a555fba15f0879122018568

SHA1
cf9778643eeb5ee8dfc66febc2239c1de2517aea

SHA256
991952757731e6e85c678e7491b02f3595466f54ce687707915b350f509c95ae

SHA512
95412e7e5dd683a8ef255a763fba10209951d25136feb5b217049261cfe9c5fdd4128b6fc25d6efd274cfdacdead58a460bc67c01090dd7bfc7a154dcad71116

Download Submit
\Users\Admin\AppData\Local\Tempinet.exe

Filesize
73KB

MD5
dc577ca5914909ce10353127de0cea28

SHA1
758a8bc5a75b4fba9a7b49072d40a81deabc65df

SHA256
f917b34c5476c673ef1229ed2eb97b8e9c791e36c602d90419405a419b30e20b

SHA512
02cc376b2a3e7ab2dd76473be53bc6bbd133e946af054413343d2bced82e0322130d63d954e11d01d3044bd0a339d3094dcf751b4fb50c102c774a87e8b2ac33

Download Submit
\Users\Admin\AppData\Local\Tempmsg.exe

Filesize
106KB

MD5
7434026f404c4e3490a70856151acc54

SHA1
e66d34f3cf34528bd506bc827d81e36c171df3d1

SHA256
95f240153c50d6012c560357bf81bf0d1064be3cadad19de0aeb4b2303f000c6

SHA512
2a30cf31845cd62ccaac081a1ecdfef01312800c3704f1a9361eb7b8d59e34a298e7e76719832d4076081585e702e1a7400a5ebb4a72f03f4849fb67ad46affa

Download Submit
\Users\Admin\AppData\Local\Temppdk.exe

Filesize
55KB

MD5
a161dbdb808ae68e0b770510fd89111c

SHA1
9e9f08585543442e72d64a1b31cf219b90613663

SHA256
461ab1391be5a96e1c5ce2d25e30ab332e8e46134e6ca97c2cce2a35066e1d5a

SHA512
1a4155cf5dc5c33cdba1a14a4a5d7d7eb8b4c723ae4487d9e8f7e49417416832606afca0545b689695427051b6dc6bdeeb230d38c2be3f8aa418cd8f24f39821

Download Submit
memory/2100-66-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2288-42-0x0000000000400000-0x000000000078E000-memory.dmp

Filesize
3.6MB

Download
memory/2288-40-0x0000000000400000-0x000000000078E000-memory.dmp

Filesize
3.6MB

Download
memory/2556-10-0x0000000010001000-0x000000001000B000-memory.dmp

Filesize
40KB

Download
memory/2556-0-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2556-2-0x0000000010000000-0x00000000102B9000-memory.dmp

Filesize
2.7MB

Download
memory/2556-3-0x0000000010001000-0x000000001000B000-memory.dmp

Filesize
40KB

Download
memory/2556-1-0x0000000001CF0000-0x0000000001DD5000-memory.dmp

Filesize
916KB

Download
memory/2556-8-0x0000000010000000-0x00000000102B9000-memory.dmp

Filesize
2.7MB

Download
memory/2652-43-0x0000000002060000-0x00000000023EE000-memory.dmp

Filesize
3.6MB

Download
memory/2652-39-0x0000000002060000-0x00000000023EE000-memory.dmp

Filesize
3.6MB

Download
memory/2788-5-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2788-7-0x0000000000400000-0x000000000059D000-memory.dmp

Filesize
1.6MB

Download
memory/2788-12-0x0000000010000000-0x00000000102B9000-memory.dmp

Filesize
2.7MB

Download
memory/2788-11-0x0000000000400000-0x000000000059D000-memory.dmp

Filesize
1.6MB

Download
memory/2788-4-0x0000000000400000-0x000000000059D000-memory.dmp

Filesize
1.6MB

Download