Overview

overview

7

Static

static

7

f638451ae2...18.exe

windows7-x64

7

f638451ae2...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    141s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    25/09/2024, 14:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f638451ae289cc1f0aa0752513cd29bc_JaffaCakes118.exe

  • Size

    1.7MB

  • MD5

    f638451ae289cc1f0aa0752513cd29bc

  • SHA1

    6d6bdca66bbb84e44e9988f9816bf0a68c7c4f52

  • SHA256

    48141214ec470e8c6a4a621585887d828fb77b7e703a236e555959bfbe67c062

  • SHA512

    273005ea0e7a37e476189dad15c799614a0f6cc61df5b5bf5768249a3c20854f330cb3dd580d8a0168850f94baa008f9097a029857692ff5e107635055bc38f7

  • SSDEEP

    49152:Xc2GXY9NoNdIkzA+VufOrVaWTfXQeSxZN8:XUXANoEkzA+VumrVaWmR8

Score
7/10
discoveryevasionthemida

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Loads dropped DLL 5 IoCs
  • Themida packer 2 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f638451ae289cc1f0aa0752513cd29bc_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\f638451ae289cc1f0aa0752513cd29bc_JaffaCakes118.exe"
    1⤵
    • Identifies Wine through registry keys
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2704
    • C:\Users\Admin\AppData\Local\Temp\Decrypted.exe
      "C:\Users\Admin\AppData\Local\Temp\Decrypted.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2928
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2928 -s 36
        3⤵
        • Loads dropped DLL
        • Program crash
        PID:2116

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Local\Temp\Decrypted.exe
    Filesize

    9KB

    MD5

    9a050ed295d5132c34fdbb0194510b6c

    SHA1

    c98f278f49cafdeba6eba630f44b9f79779ebd0e

    SHA256

    489a832955b604e42ddff813fc0d7c0b1e3ad51ba6b5284bd70a01ee53777e7c

    SHA512

    d168a3b7e84dfb30ea9130ab1e36f6ad766925e322cbdaae891e6816978857c13c2e2743100c211313f3efceb78c1ee48c120f3127e877e9f31719bff4b9c373

    Download Submit

  • memory/2704-0-0x0000000000400000-0x00000000005B4000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/2704-1-0x0000000000401000-0x0000000000402000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2704-15-0x0000000000400000-0x00000000005B4000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/2928-19-0x0000000000400000-0x0000000000402400-memory.dmp

    Filesize

    9KB

    Download