Analysis
-
max time kernel
121s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
27-09-2024 14:39
General
-
Target
fa9638a6a334baced7199d6043dc3f89_JaffaCakes118.exe
-
Size
2.1MB
-
MD5
fa9638a6a334baced7199d6043dc3f89
-
SHA1
5db1143a471eecc424ef0c1ecbaf137fd9285062
-
SHA256
86686a2cd135ff852eb7ce1644a4ccbd541bb0e43ed328f4adf71db4121eb06d
-
SHA512
d069016c0791d5f5825098446d49067a86015aece6a735c2c449fb820a7fd6daa2a2640c23a05badb64b50da23a2e0c99b6524e868d8cc3b59d0d82aef7c425a
-
SSDEEP
49152:fxWcDC7gLD69dtxCj7pejqJDj2QgLD05kLnc/xyrYIhhUm:f7DC7gLwTCjVRJ/sECEx2Mm
Malware Config
Signatures
-
Deletes itself 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Themida packer 13 IoCs
Detects Themida, an advanced Windows software protection system.
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Program Files directory 2 IoCs
-
Drops file in Windows directory 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 13 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\fa9638a6a334baced7199d6043dc3f89_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\fa9638a6a334baced7199d6043dc3f89_JaffaCakes118.exe"1⤵
- Identifies Wine through registry keys
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\uninstal.bat2⤵
- Deletes itself
- System Location Discovery: System Language Discovery
-
-
C:\Program Files\msn\msn.cc"C:\Program Files\msn\msn.cc"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\EXPLORER.EXEEXPLORER.EXE2⤵
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.1MB
MD5fa9638a6a334baced7199d6043dc3f89
SHA15db1143a471eecc424ef0c1ecbaf137fd9285062
SHA25686686a2cd135ff852eb7ce1644a4ccbd541bb0e43ed328f4adf71db4121eb06d
SHA512d069016c0791d5f5825098446d49067a86015aece6a735c2c449fb820a7fd6daa2a2640c23a05badb64b50da23a2e0c99b6524e868d8cc3b59d0d82aef7c425a
-
Filesize
218B
MD5ff2a2f43227096121bae91fb7d0d7478
SHA1a912ab855b1e740f2aa6e00dc3a75f7b2fc15269
SHA256289390e151ce15ca1a07db2e5e3f482d39c4cbb236e8896be031ee3f9a3d402d
SHA512f012b83afca3e53de86cb5f2c69e815b2763885e9baae3e444f6366db3b53a812e3bee9a309b5c842eaaebb61a59b7ea436f28231fd57a95c9390a6106bc87cd
-
Filesize
4KB
-
Filesize
2.1MB
-
Filesize
2.1MB
-
Filesize
2.1MB
-
Filesize
2.1MB
-
Filesize
2.1MB
-
Filesize
2.1MB
-
Filesize
2.1MB
-
Filesize
2.1MB
-
Filesize
2.1MB
-
Filesize
736KB
-
Filesize
1012KB
-
Filesize
2.1MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
2.1MB
-
Filesize
736KB
-
Filesize
2.1MB
-
Filesize
736KB
-
Filesize
2.1MB