Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06/04/2024, 10:30

General

  • Target

    e254e285f1729936cf9e30e1c098271c_JaffaCakes118.exe

  • Size

    88KB

  • MD5

    e254e285f1729936cf9e30e1c098271c

  • SHA1

    653cf3782b7b9129a98c6fbad8cf885fe0bde227

  • SHA256

    79fe90ff4ac1f24d4f0305d1f31adcb2cb276d1b6a6260e547a8e7ec81c104e5

  • SHA512

    1f3c5de3148a3b6b9dbc9fa49fd2591670bc08a18563c59c1cf8361eef65bd5293267d6bd58a6b1b52819f1938af52c74a103eeaa1055117729dae9ad25fcc03

  • SSDEEP

    1536:scNjQlsWjcdiTuXbELbGn82i+beo/47Og:vjr5ELbGnzi+ao/Cf

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e254e285f1729936cf9e30e1c098271c_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\e254e285f1729936cf9e30e1c098271c_JaffaCakes118.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:724
    • C:\Windows\CTS.exe
      "C:\Windows\CTS.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:2628

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

    Filesize

    404KB

    MD5

    3dc15cafe67496a5bf7b9d1b3340b051

    SHA1

    242753618529d89037ea6bd7fbd96f6eb37b1e13

    SHA256

    69f6f44f5ff2377d2be5814c0d19e0885b051f06b24ee48c60c5534096f96926

    SHA512

    757f64b151ade44eda5a41de190707411b2109a088397a5874e8564b3eab01d9037805798e5baf3e99922d2212f9bc7302c2c5832a1a5a9cfe42dcc84e3141ba

  • C:\Users\Admin\AppData\Local\Temp\sjvIHBWPk5Entd5.exe

    Filesize

    88KB

    MD5

    2fea75cc31557ee2e4f21dc654e4af18

    SHA1

    be36241c2b56eaefb3b3ee45ebf2d5821038d95c

    SHA256

    e08b0b8937b45ce050f78174b01d550a65701d1c94126b672b5ab0b660014094

    SHA512

    73a5cebdeba8a58949994228d08709d1277059f8ca3cc1a7b2cd6b9cb4fcaf50b240a5b7ad8c4ad33ce54ab8916c948f60aee81a4b1bd074d40e880e948d9689

  • C:\Windows\CTS.exe

    Filesize

    82KB

    MD5

    796f4df6e89c638054b20b09ba1f28e5

    SHA1

    80e5f4e74a798f180f27f9b3dccb3c7461511d7d

    SHA256

    3293c5e8c2a49b5c7e2ba41c33e49d894137e25b672f19df5100bb9042bda402

    SHA512

    687860ab619a797cf2d459b0b3324bfca2f5c2b5eb92b2114b423326e1d56e872022000b4402687382c66c3ccf7d061a7f4fd0cf9cafcd5417fb6e096d7e1887

  • memory/724-0-0x0000000000B00000-0x0000000000B19000-memory.dmp

    Filesize

    100KB

  • memory/724-7-0x0000000000B00000-0x0000000000B19000-memory.dmp

    Filesize

    100KB

  • memory/2628-9-0x0000000000550000-0x0000000000569000-memory.dmp

    Filesize

    100KB