Analysis

  • max time kernel
    93s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07/04/2024, 23:16

General

  • Target

    e61692f8875d714c029cbdceed785b79_JaffaCakes118.exe

  • Size

    13KB

  • MD5

    e61692f8875d714c029cbdceed785b79

  • SHA1

    4676b54b2a84155d542f51ca56afe7d6d5316b25

  • SHA256

    144aa7e6d9b2b100178cec70b9b335b7c1cc5d7407782955b8d643d20b458826

  • SHA512

    a1df31a5f0ce7793b5625716ef1dd1101f647a0c2b35154142c4910a433c41cc019cfdfe462a90ae2f01ba58ef091e6ff845d3c12a9c8f3da4f9246eb28b00b7

  • SSDEEP

    192:4TA0M7TKm1Nj4BW6Z/VpBRpUzT+xja6WTc6iWPVpvCH4kaZPMAKHeSQFP99qI9Q8:4YTKqEBDZRuz/YikAKHe7yI/7

Score
10/10

Malware Config

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 3 IoCs
  • Modifies registry class 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e61692f8875d714c029cbdceed785b79_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\e61692f8875d714c029cbdceed785b79_JaffaCakes118.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Loads dropped DLL
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3304
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\A41F.tmp.bat
      2⤵
        PID:4972

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\A41F.tmp.bat

      Filesize

      207B

      MD5

      ee81dfab52c2d9eb7bfd4c6aac23e2ef

      SHA1

      dfa24453069b1ba3a47f8a9cfd5862c5a0148576

      SHA256

      698551c013172909b924cef24f711418a0b38c562010a4df49bdd15fca8186f0

      SHA512

      85099c4f9a2d1af4ece7c8521c403a960b5b283f90e75968341671e2676d20d54d0d8179c835b1fe5683793c7fece83cc3ea628c11654385b4656d1c668dbc91

    • C:\Windows\SysWOW64\zrcbcqnw.nls

      Filesize

      428B

      MD5

      ba55add23ad9cfb45b2942270304cbbd

      SHA1

      8f2470c34f241351f3a4382a1966ee329ad1d3fb

      SHA256

      b2c5d94c7f357069d9f7ba337dc574dcd9fc7c0f2e8370bf38e0f6f336822ca2

      SHA512

      31e29581d4d603f9c88e42888b7d31004e2aeea89baf9edd9e02084f2e1a225b4b463c44e69990fae789f05b8a85117c740080c6fe1096964dd71f94e65aba27

    • C:\Windows\SysWOW64\zrcbcqnw.tmp

      Filesize

      2.2MB

      MD5

      416aa21b0a898b8e5086b19959868c69

      SHA1

      51228f66e79c3d889f70f054996c1b729c9cf43d

      SHA256

      2b047ddee1ac2880d9ca5e95caf24eb3c628f346c83a4ac0f035771d6858130c

      SHA512

      c383e318a3a0e4d26145b82e0e3060d66256c0b02e8ca42317d313d41b0a7f4c2f846bd30a40368161e5767c3e846521fc4af7424afa5c8e3577bf486cd4512a

    • memory/3304-17-0x0000000010000000-0x0000000010009000-memory.dmp

      Filesize

      36KB

    • memory/3304-21-0x0000000010000000-0x0000000010009000-memory.dmp

      Filesize

      36KB
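The report's process tree and dropped-file list together describe a small, reusable behaviour pattern: a binary running from the user's Temp directory writes a .bat next to itself and launches it through cmd.exe /c, and the same process drops a .nls and a .tmp file directly into C:\Windows\SysWOW64. Below is an added detection example (written for this page, not Triage's own signature logic and not code from the sample) that encodes those two behaviours plus a hash match on the three dropped files as rules over Sysmon-style events. The event schema (type, image, parent_image, command_line, target, sha256) and the field names are assumptions; the paths, PIDs and SHA256 values are copied from the report above, and the sample and benign event lists are constructed for the demonstration.

```python
"""Behavioural and hash-based detection over constructed Sysmon-style events.

Example code added alongside this report; it is not part of Triage or the sample.
The event schema (type / image / parent_image / command_line / target / sha256)
is an assumption. Paths, PIDs and hashes are copied from the report.
"""
import re

# SHA256 values of the three dropped files listed under Downloads.
DROPPED_SHA256 = {
    "698551c013172909b924cef24f711418a0b38c562010a4df49bdd15fca8186f0":
        r"C:\Users\Admin\AppData\Local\Temp\A41F.tmp.bat",
    "b2c5d94c7f357069d9f7ba337dc574dcd9fc7c0f2e8370bf38e0f6f336822ca2":
        r"C:\Windows\SysWOW64\zrcbcqnw.nls",
    "2b047ddee1ac2880d9ca5e95caf24eb3c628f346c83a4ac0f035771d6858130c":
        r"C:\Windows\SysWOW64\zrcbcqnw.tmp",
}

USER_TEMP = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
SYSWOW64 = re.compile(r"^[a-z]:\\windows\\syswow64\\[^\\]+$", re.I)
WINDOWS_DIR = re.compile(r"^[a-z]:\\windows\\", re.I)
# cmd.exe /c <something>\Temp\<name>.bat|.cmd, with or without quoting
CMD_RUNS_TEMP_BAT = re.compile(
    r'\bcmd(?:\.exe)?"?\s+/c\s+"?[^\s"]*\\temp\\[^\s"]+\.(?:bat|cmd)\b', re.I)


def rule_temp_exe_spawns_cmd_bat(ev):
    """A binary running from the user's Temp launches cmd.exe /c on a .bat in Temp."""
    if ev["type"] != "ProcessCreate":
        return None
    if USER_TEMP.match(ev["parent_image"]) and CMD_RUNS_TEMP_BAT.search(ev["command_line"]):
        return f"temp_exe_spawns_cmd_bat pid={ev['pid']} parent_pid={ev['parent_pid']}"
    return None


def rule_non_system_writes_syswow64(ev):
    """A process whose image lives outside C:\\Windows drops a file straight into SysWOW64."""
    if ev["type"] != "FileCreate":
        return None
    if SYSWOW64.match(ev["target"]) and not WINDOWS_DIR.match(ev["image"]):
        return f"non_system_writes_syswow64 pid={ev['pid']} target={ev['target']}"
    return None


def rule_known_dropped_hash(ev):
    """Any created file whose SHA256 matches one of the report's dropped artefacts."""
    sha = ev.get("sha256", "").lower()
    if ev["type"] == "FileCreate" and sha in DROPPED_SHA256:
        return f"known_dropped_hash pid={ev['pid']} target={ev['target']}"
    return None


RULES = (rule_temp_exe_spawns_cmd_bat, rule_non_system_writes_syswow64, rule_known_dropped_hash)


def detect(events):
    """Run every rule over every event; return the findings in event order."""
    findings = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append(hit)
    return findings


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\e61692f8875d714c029cbdceed785b79_JaffaCakes118.exe"

# Constructed events reproducing the process tree and dropped files in this report.
SAMPLE_EVENTS = [
    {"type": "FileCreate", "pid": 3304, "image": SAMPLE,
     "target": r"C:\Users\Admin\AppData\Local\Temp\A41F.tmp.bat",
     "sha256": "698551c013172909b924cef24f711418a0b38c562010a4df49bdd15fca8186f0"},
    {"type": "ProcessCreate", "pid": 4972, "parent_pid": 3304,
     "image": r"C:\Windows\SysWOW64\cmd.exe", "parent_image": SAMPLE,
     "command_line": r"C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\A41F.tmp.bat"},
    {"type": "FileCreate", "pid": 3304, "image": SAMPLE,
     "target": r"C:\Windows\SysWOW64\zrcbcqnw.nls",
     "sha256": "b2c5d94c7f357069d9f7ba337dc574dcd9fc7c0f2e8370bf38e0f6f336822ca2"},
    {"type": "FileCreate", "pid": 3304, "image": SAMPLE,
     "target": r"C:\Windows\SysWOW64\zrcbcqnw.tmp",
     "sha256": "2b047ddee1ac2880d9ca5e95caf24eb3c628f346c83a4ac0f035771d6858130c"},
]

# Constructed benign events that must not fire: Explorer running a one-off cmd,
# and a Windows service writing its own file into SysWOW64.
BENIGN_EVENTS = [
    {"type": "ProcessCreate", "pid": 5000, "parent_pid": 1200,
     "image": r"C:\Windows\System32\cmd.exe", "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'"C:\Windows\System32\cmd.exe" /c dir'},
    {"type": "FileCreate", "pid": 900, "image": r"C:\Windows\System32\svchost.exe",
     "target": r"C:\Windows\SysWOW64\msvcp140.dll", "sha256": "0" * 64},
]

if __name__ == "__main__":
    for line in detect(SAMPLE_EVENTS):
        print(line)
```

The hash rule only catches this exact build (the .bat and .nls are tiny and will differ per victim if the dropper templates them), so the two behavioural rules carry the weight: a Temp-resident parent spawning cmd.exe on a Temp .bat, and a non-Windows image writing into SysWOW64, are both rare on a healthy workstation and survive recompilation of the sample. The page does not name the registry key behind "Adds autorun key to be loaded by Explorer.exe on startup", so no registry rule is included here.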