Overview

overview

7

Static

static

7

ff2ebe1c74...18.exe

windows7-x64

7

ff2ebe1c74...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    141s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    29-09-2024 19:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ff2ebe1c74ba71d9a1c7d3b82e980e23_JaffaCakes118.exe

  • Size

    2.0MB

  • MD5

    ff2ebe1c74ba71d9a1c7d3b82e980e23

  • SHA1

    c4cfd3a9bd3ae74cae453f5d31f7b4f314266ba8

  • SHA256

    87cd63349614b470ace232f4b828fb7e4725f2d630be7a4e8bc63045b9e05e3b

  • SHA512

    0360ed16c14efa625e6cd400a4d16b4695055d1b5b8d9ac4e3bd2413ce6cb9c1adb668e65a2458f318ff24ba067db1a944bd30ef534e7d3ca93776cad39313f8

  • SSDEEP

    49152:cnbmpDwI65KadOC0mf9YOt/srthQn/yZ:cnbmpDwX59d50mfCY/so/c

Score
7/10
discoveryevasionthemida

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Themida packer 28 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Drops file in Windows directory 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ff2ebe1c74ba71d9a1c7d3b82e980e23_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\ff2ebe1c74ba71d9a1c7d3b82e980e23_JaffaCakes118.exe"
    1⤵
    • Identifies Wine through registry keys
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:808
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Windows\uninstal.bat
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:1900
  • \??\c:\windows\Phcoreh.exe
    c:\windows\Phcoreh.exe
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:2940
    • C:\Program Files\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
      2⤵
        PID:2600

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\Phcoreh.exe
      Filesize

      2.0MB

      MD5

      ff2ebe1c74ba71d9a1c7d3b82e980e23

      SHA1

      c4cfd3a9bd3ae74cae453f5d31f7b4f314266ba8

      SHA256

      87cd63349614b470ace232f4b828fb7e4725f2d630be7a4e8bc63045b9e05e3b

      SHA512

      0360ed16c14efa625e6cd400a4d16b4695055d1b5b8d9ac4e3bd2413ce6cb9c1adb668e65a2458f318ff24ba067db1a944bd30ef534e7d3ca93776cad39313f8

      Download Submit

    • C:\Windows\uninstal.bat
      Filesize

      218B

      MD5

      9a9e3fc2dbd3df0524da2ca6f33cabc5

      SHA1

      55d79a470776df6f165e6de382db4eddf654e8b4

      SHA256

      d7a5b99834ffb11d2a5e5c404a90348ba3a0a7979ae6476198f6aafdb3f87a25

      SHA512

      6eaa26a00958b3f76c3b97819f767970d2b61c45c3c3547f6f4d259e69257fdea7488ab835bdee11608f77a38a9e1e3e978bd00ebd27ccfb5d54f17a76f127ef

      Download Submit

    • memory/808-2-0x0000000000260000-0x0000000000261000-memory.dmp

      Filesize

      4KB

      Download

    • memory/808-1-0x0000000000610000-0x00000000006FB000-memory.dmp

      Filesize

      940KB

      Download

    • memory/808-3-0x0000000000401000-0x00000000004B9000-memory.dmp

      Filesize

      736KB

      Download

    • memory/808-6-0x0000000000400000-0x000000000060D000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/808-7-0x0000000000400000-0x000000000060D000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/808-0-0x0000000000400000-0x000000000060D000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/808-25-0x0000000000401000-0x00000000004B9000-memory.dmp

      Filesize

      736KB

      Download

    • memory/808-24-0x0000000000260000-0x0000000000261000-memory.dmp

      Filesize

      4KB

      Download

    • memory/808-23-0x0000000000400000-0x000000000060D000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/2940-27-0x0000000000400000-0x000000000060D000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/2940-33-0x0000000000400000-0x000000000060D000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/2940-13-0x0000000000400000-0x000000000060D000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/2940-10-0x0000000000400000-0x000000000060D000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/2940-11-0x0000000000400000-0x000000000060D000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/2940-9-0x0000000000400000-0x000000000060D000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/2940-28-0x0000000000400000-0x000000000060D000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/2940-29-0x0000000000400000-0x000000000060D000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/2940-30-0x0000000000400000-0x000000000060D000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/2940-31-0x0000000000400000-0x000000000060D000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/2940-32-0x0000000000400000-0x000000000060D000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/2940-14-0x0000000000400000-0x000000000060D000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/2940-34-0x0000000000400000-0x000000000060D000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/2940-35-0x0000000000400000-0x000000000060D000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/2940-36-0x0000000000400000-0x000000000060D000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/2940-37-0x0000000000400000-0x000000000060D000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/2940-38-0x0000000000400000-0x000000000060D000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/2940-39-0x0000000000400000-0x000000000060D000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/2940-40-0x0000000000400000-0x000000000060D000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/2940-41-0x0000000000400000-0x000000000060D000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/2940-42-0x0000000000400000-0x000000000060D000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/2940-43-0x0000000000400000-0x000000000060D000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/2940-44-0x0000000000400000-0x000000000060D000-memory.dmp

      Filesize

      2.1MB

      Download