dc8638e20db945a7b88d9c618ee2a7053ba95f2c5f40259cb2c299c4564529e7

Analysis

max time kernel
141s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 12:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1b5ca0a2cfed0da837df1277a63d758f_JaffaCakes118.dll
Size

1.4MB
MD5

1b5ca0a2cfed0da837df1277a63d758f
SHA1

981db769c134265112dda0cf442d00abf2269f8b
SHA256

dc8638e20db945a7b88d9c618ee2a7053ba95f2c5f40259cb2c299c4564529e7
SHA512

b501983f7574ef85ee3be8b16fb60b1ded40267bbb511e7cd2c557057f7789ce46a460462149949f907239d97c033073354f063e67b4d54cb9a5dfadbb45484b
SSDEEP

24576:BD44VC2/ajaqI7Y/icfB+dfw4oSAmEi9lgOpoqNK4pe60xlMKx1rrmsnS0uLxSU0:Z44/kax0BfOllXLlgoK4ped3dx1vmsn9

Score

7^/10

evasion themida

Malware Config

Signatures

Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

rundll32.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Wine rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Wine	rundll32.exe

Themida packer 4 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/2964-0-0x0000000010000000-0x00000000102F9000-memory.dmp	themida
behavioral1/memory/2964-1-0x0000000010000000-0x00000000102F9000-memory.dmp	themida
behavioral1/memory/2964-10-0x0000000010000000-0x00000000102F9000-memory.dmp	themida
behavioral1/memory/2964-2-0x0000000010000000-0x00000000102F9000-memory.dmp	themida

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3004 2964 WerFault.exe rundll32.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

rundll32.exe

pid process

2964 rundll32.exe

pid	pid_target	process	target process
3004	2964	WerFault.exe	rundll32.exe

pid	process
2964	rundll32.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1888 wrote to memory of 2964	1888	rundll32.exe	rundll32.exe
PID 1888 wrote to memory of 2964	1888	rundll32.exe	rundll32.exe
PID 1888 wrote to memory of 2964	1888	rundll32.exe	rundll32.exe
PID 1888 wrote to memory of 2964	1888	rundll32.exe	rundll32.exe
PID 1888 wrote to memory of 2964	1888	rundll32.exe	rundll32.exe
PID 1888 wrote to memory of 2964	1888	rundll32.exe	rundll32.exe
PID 1888 wrote to memory of 2964	1888	rundll32.exe	rundll32.exe
PID 2964 wrote to memory of 3004	2964	rundll32.exe	WerFault.exe
PID 2964 wrote to memory of 3004	2964	rundll32.exe	WerFault.exe
PID 2964 wrote to memory of 3004	2964	rundll32.exe	WerFault.exe
PID 2964 wrote to memory of 3004	2964	rundll32.exe	WerFault.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1b5ca0a2cfed0da837df1277a63d758f_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1888

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1b5ca0a2cfed0da837df1277a63d758f_JaffaCakes118.dll,#1
2⤵
- Identifies Wine through registry keys
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2964 -s 432
3⤵
- Program crash
PID:3004

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2964-0-0x0000000010000000-0x00000000102F9000-memory.dmp

Filesize
3.0MB

Download
memory/2964-1-0x0000000010000000-0x00000000102F9000-memory.dmp

Filesize
3.0MB

Download
memory/2964-4-0x0000000000320000-0x0000000000413000-memory.dmp

Filesize
972KB

Download
memory/2964-3-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2964-10-0x0000000010000000-0x00000000102F9000-memory.dmp

Filesize
3.0MB

Download
memory/2964-9-0x0000000010001000-0x0000000010025000-memory.dmp

Filesize
144KB

Download
memory/2964-8-0x0000000000940000-0x0000000000941000-memory.dmp

Filesize
4KB

Download
memory/2964-7-0x0000000001F90000-0x0000000001F91000-memory.dmp

Filesize
4KB

Download
memory/2964-6-0x0000000000920000-0x0000000000921000-memory.dmp

Filesize
4KB

Download
memory/2964-5-0x00000000008D0000-0x00000000008D1000-memory.dmp

Filesize
4KB

Download
memory/2964-2-0x0000000010000000-0x00000000102F9000-memory.dmp

Filesize
3.0MB

Download
memory/2964-11-0x0000000000950000-0x000000000095E000-memory.dmp

Filesize
56KB

Download