Overview

overview

7

Static

static

7

d33650d7fc...18.exe

windows7-x64

7

d33650d7fc...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    08/09/2024, 01:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d33650d7fc2fa8eb571b4bd0e8c7e7d0_JaffaCakes118.exe

  • Size

    1.4MB

  • MD5

    d33650d7fc2fa8eb571b4bd0e8c7e7d0

  • SHA1

    70fa2e3ad1b02d6e838637e5bcacedbe32a82375

  • SHA256

    4c9474b107aba88632e46fd79d37a561927c5a01c2583b0245db57bc72038261

  • SHA512

    16cbbe90bf84678a1b7c5301f6a869a81935bc5494523311850b0fa12da40d5df6aeee8d9af4f5d21911c20a29ef1e1f425e4a496f7f47c51b2beb10e2cbdd48

  • SSDEEP

    24576:4gc6H6J6gBPaOFfVGcLXzjlLBgp803owAcOiKpy7yzRBPc6dPCH4dG:4RYbeFf0cDlVgFQiKpy2zRB0BYdG

Score
7/10
discoveryevasionthemida

Malware Config

Signatures

  • Executes dropped EXE 10 IoCs
  • Identifies Wine through registry keys 2 TTPs 11 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Loads dropped DLL 20 IoCs
  • Themida packer 54 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Drops file in System32 directory 22 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d33650d7fc2fa8eb571b4bd0e8c7e7d0_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\d33650d7fc2fa8eb571b4bd0e8c7e7d0_JaffaCakes118.exe"
    1⤵
    • Identifies Wine through registry keys
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2656
    • C:\Windows\SysWOW64\speedwin.exe
      C:\Windows\system32\speedwin.exe 628 "C:\Users\Admin\AppData\Local\Temp\d33650d7fc2fa8eb571b4bd0e8c7e7d0_JaffaCakes118.exe"
      2⤵
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2824
      • C:\Windows\SysWOW64\speedwin.exe
        C:\Windows\system32\speedwin.exe 708 "C:\Windows\SysWOW64\speedwin.exe"
        3⤵
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Loads dropped DLL
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2728
        • C:\Windows\SysWOW64\speedwin.exe
          C:\Windows\system32\speedwin.exe 712 "C:\Windows\SysWOW64\speedwin.exe"
          4⤵
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Loads dropped DLL
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1900
          • C:\Windows\SysWOW64\speedwin.exe
            C:\Windows\system32\speedwin.exe 724 "C:\Windows\SysWOW64\speedwin.exe"
            5⤵
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Loads dropped DLL
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2176
            • C:\Windows\SysWOW64\speedwin.exe
              C:\Windows\system32\speedwin.exe 720 "C:\Windows\SysWOW64\speedwin.exe"
              6⤵
              • Executes dropped EXE
              • Identifies Wine through registry keys
              • Loads dropped DLL
              • Drops file in System32 directory
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of WriteProcessMemory
              PID:904
              • C:\Windows\SysWOW64\speedwin.exe
                C:\Windows\system32\speedwin.exe 740 "C:\Windows\SysWOW64\speedwin.exe"
                7⤵
                • Executes dropped EXE
                • Identifies Wine through registry keys
                • Loads dropped DLL
                • Drops file in System32 directory
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of WriteProcessMemory
                PID:2628
                • C:\Windows\SysWOW64\speedwin.exe
                  C:\Windows\system32\speedwin.exe 732 "C:\Windows\SysWOW64\speedwin.exe"
                  8⤵
                  • Executes dropped EXE
                  • Identifies Wine through registry keys
                  • Loads dropped DLL
                  • Drops file in System32 directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of WriteProcessMemory
                  PID:2804
                  • C:\Windows\SysWOW64\speedwin.exe
                    C:\Windows\system32\speedwin.exe 728 "C:\Windows\SysWOW64\speedwin.exe"
                    9⤵
                    • Executes dropped EXE
                    • Identifies Wine through registry keys
                    • Loads dropped DLL
                    • Drops file in System32 directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of WriteProcessMemory
                    PID:2228
                    • C:\Windows\SysWOW64\speedwin.exe
                      C:\Windows\system32\speedwin.exe 744 "C:\Windows\SysWOW64\speedwin.exe"
                      10⤵
                      • Executes dropped EXE
                      • Identifies Wine through registry keys
                      • Loads dropped DLL
                      • Drops file in System32 directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of WriteProcessMemory
                      PID:1076
                      • C:\Windows\SysWOW64\speedwin.exe
                        C:\Windows\system32\speedwin.exe 716 "C:\Windows\SysWOW64\speedwin.exe"
                        11⤵
                        • Executes dropped EXE
                        • Identifies Wine through registry keys
                        • Drops file in System32 directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious behavior: EnumeratesProcesses
                        PID:2356

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\speedwin.exe
    Filesize

    1.4MB

    MD5

    d33650d7fc2fa8eb571b4bd0e8c7e7d0

    SHA1

    70fa2e3ad1b02d6e838637e5bcacedbe32a82375

    SHA256

    4c9474b107aba88632e46fd79d37a561927c5a01c2583b0245db57bc72038261

    SHA512

    16cbbe90bf84678a1b7c5301f6a869a81935bc5494523311850b0fa12da40d5df6aeee8d9af4f5d21911c20a29ef1e1f425e4a496f7f47c51b2beb10e2cbdd48

    Download Submit

  • memory/904-68-0x0000000000400000-0x0000000000738000-memory.dmp

    Filesize

    3.2MB

    Download

  • memory/904-67-0x0000000000400000-0x0000000000738000-memory.dmp

    Filesize

    3.2MB

    Download

  • memory/904-73-0x0000000000400000-0x0000000000738000-memory.dmp

    Filesize

    3.2MB

    Download

  • memory/1076-102-0x0000000000400000-0x0000000000738000-memory.dmp

    Filesize

    3.2MB

    Download

  • memory/1076-94-0x0000000000400000-0x0000000000738000-memory.dmp

    Filesize

    3.2MB

    Download

  • memory/1076-96-0x0000000000400000-0x0000000000738000-memory.dmp

    Filesize

    3.2MB

    Download

  • memory/1076-97-0x0000000000400000-0x0000000000738000-memory.dmp

    Filesize

    3.2MB

    Download

  • memory/1900-49-0x0000000000400000-0x0000000000738000-memory.dmp

    Filesize

    3.2MB

    Download

  • memory/1900-60-0x0000000000400000-0x0000000000738000-memory.dmp

    Filesize

    3.2MB

    Download

  • memory/1900-52-0x0000000000400000-0x0000000000738000-memory.dmp

    Filesize

    3.2MB

    Download

  • memory/1900-53-0x0000000000400000-0x0000000000738000-memory.dmp

    Filesize

    3.2MB

    Download

  • memory/1900-56-0x0000000004CE0000-0x0000000005018000-memory.dmp

    Filesize

    3.2MB

    Download

  • memory/2176-62-0x0000000000400000-0x0000000000738000-memory.dmp

    Filesize

    3.2MB

    Download

  • memory/2176-66-0x0000000000400000-0x0000000000738000-memory.dmp

    Filesize

    3.2MB

    Download

  • memory/2176-61-0x0000000000400000-0x0000000000738000-memory.dmp

    Filesize

    3.2MB

    Download

  • memory/2176-58-0x0000000000400000-0x0000000000738000-memory.dmp

    Filesize

    3.2MB

    Download

  • memory/2228-89-0x0000000000400000-0x0000000000738000-memory.dmp

    Filesize

    3.2MB

    Download

  • memory/2228-87-0x0000000000400000-0x0000000000738000-memory.dmp

    Filesize

    3.2MB

    Download

  • memory/2228-90-0x0000000000400000-0x0000000000738000-memory.dmp

    Filesize

    3.2MB

    Download

  • memory/2228-95-0x0000000000400000-0x0000000000738000-memory.dmp

    Filesize

    3.2MB

    Download

  • memory/2356-103-0x0000000000400000-0x0000000000738000-memory.dmp

    Filesize

    3.2MB

    Download

  • memory/2628-79-0x0000000004A90000-0x0000000004DC8000-memory.dmp

    Filesize

    3.2MB

    Download

  • memory/2628-74-0x0000000000400000-0x0000000000738000-memory.dmp

    Filesize

    3.2MB

    Download

  • memory/2628-75-0x0000000000400000-0x0000000000738000-memory.dmp

    Filesize

    3.2MB

    Download

  • memory/2628-72-0x0000000000400000-0x0000000000738000-memory.dmp

    Filesize

    3.2MB

    Download

  • memory/2628-81-0x0000000000400000-0x0000000000738000-memory.dmp

    Filesize

    3.2MB

    Download

  • memory/2656-17-0x0000000004C40000-0x0000000004F78000-memory.dmp

    Filesize

    3.2MB

    Download

  • memory/2656-16-0x0000000004C40000-0x0000000004F78000-memory.dmp

    Filesize

    3.2MB

    Download

  • memory/2656-0-0x0000000000400000-0x0000000000738000-memory.dmp

    Filesize

    3.2MB

    Download

  • memory/2656-8-0x0000000000400000-0x0000000000738000-memory.dmp

    Filesize

    3.2MB

    Download

  • memory/2656-4-0x0000000000400000-0x0000000000738000-memory.dmp

    Filesize

    3.2MB

    Download

  • memory/2656-3-0x0000000000401000-0x000000000041C000-memory.dmp

    Filesize

    108KB

    Download

  • memory/2656-1-0x0000000000740000-0x0000000000840000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2656-2-0x0000000000270000-0x0000000000271000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2728-44-0x0000000000400000-0x0000000000738000-memory.dmp

    Filesize

    3.2MB

    Download

  • memory/2728-39-0x0000000000400000-0x0000000000738000-memory.dmp

    Filesize

    3.2MB

    Download

  • memory/2728-50-0x0000000004AA0000-0x0000000004DD8000-memory.dmp

    Filesize

    3.2MB

    Download

  • memory/2728-43-0x0000000000400000-0x0000000000738000-memory.dmp

    Filesize

    3.2MB

    Download

  • memory/2728-42-0x0000000000400000-0x0000000000738000-memory.dmp

    Filesize

    3.2MB

    Download

  • memory/2728-40-0x0000000000400000-0x0000000000738000-memory.dmp

    Filesize

    3.2MB

    Download

  • memory/2728-41-0x0000000000400000-0x0000000000738000-memory.dmp

    Filesize

    3.2MB

    Download

  • memory/2728-48-0x0000000000400000-0x0000000000738000-memory.dmp

    Filesize

    3.2MB

    Download

  • memory/2728-36-0x0000000000400000-0x0000000000738000-memory.dmp

    Filesize

    3.2MB

    Download

  • memory/2728-38-0x0000000000400000-0x0000000000738000-memory.dmp

    Filesize

    3.2MB

    Download

  • memory/2728-35-0x0000000000400000-0x0000000000738000-memory.dmp

    Filesize

    3.2MB

    Download

  • memory/2804-88-0x0000000000400000-0x0000000000738000-memory.dmp

    Filesize

    3.2MB

    Download

  • memory/2804-80-0x0000000000400000-0x0000000000738000-memory.dmp

    Filesize

    3.2MB

    Download

  • memory/2804-82-0x0000000000400000-0x0000000000738000-memory.dmp

    Filesize

    3.2MB

    Download

  • memory/2804-83-0x0000000000400000-0x0000000000738000-memory.dmp

    Filesize

    3.2MB

    Download

  • memory/2824-32-0x0000000000400000-0x0000000000738000-memory.dmp

    Filesize

    3.2MB

    Download

  • memory/2824-33-0x0000000004BA0000-0x0000000004ED8000-memory.dmp

    Filesize

    3.2MB

    Download

  • memory/2824-28-0x0000000000400000-0x0000000000738000-memory.dmp

    Filesize

    3.2MB

    Download

  • memory/2824-37-0x0000000004BA0000-0x0000000004ED8000-memory.dmp

    Filesize

    3.2MB

    Download

  • memory/2824-27-0x0000000000400000-0x0000000000738000-memory.dmp

    Filesize

    3.2MB

    Download

  • memory/2824-26-0x0000000000400000-0x0000000000738000-memory.dmp

    Filesize

    3.2MB

    Download

  • memory/2824-25-0x0000000000400000-0x0000000000738000-memory.dmp

    Filesize

    3.2MB

    Download

  • memory/2824-23-0x0000000000400000-0x0000000000738000-memory.dmp

    Filesize

    3.2MB

    Download

  • memory/2824-24-0x0000000000400000-0x0000000000738000-memory.dmp

    Filesize

    3.2MB

    Download

  • memory/2824-21-0x0000000000400000-0x0000000000738000-memory.dmp

    Filesize

    3.2MB

    Download

  • memory/2824-18-0x0000000000400000-0x0000000000738000-memory.dmp

    Filesize

    3.2MB

    Download

  • memory/2824-19-0x0000000000400000-0x0000000000738000-memory.dmp

    Filesize

    3.2MB

    Download