Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07/04/2024, 23:19

General

  • Target

    e6185d4b4ff10b58f876babe5db6bfe6_JaffaCakes118.exe

  • Size

    17KB

  • MD5

    e6185d4b4ff10b58f876babe5db6bfe6

  • SHA1

    ad39f69563dac75355d8cf42f733d85da7c48aee

  • SHA256

    e2169a586ecb0a42d5b26ed7de8e3714f64652a26c89ccb883c7128224785dab

  • SHA512

    b965ef57212a48c514c229c5da784bd96734d1ece121c31fd8b7365ba7eae208e6cd0b38bff9c87bdd723606949c07f4e662a8f1210231f7d923bab585c93181

  • SSDEEP

    384:6ViwqetokTFm7iXy5kQxWLVwmERYEM0UFn/DXhlq:6j5Tc7i3Qx6mmERUjF/

Score
8/10

Malware Config

Signatures

  • Modifies AppInit DLL entries 2 TTPs
  • Executes dropped EXE 1 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in System32 directory 3 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e6185d4b4ff10b58f876babe5db6bfe6_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\e6185d4b4ff10b58f876babe5db6bfe6_JaffaCakes118.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:1568
    • C:\Windows\SysWOW64\lenyunsk.exe
      C:\Windows\system32\lenyunsk.exe ˜‰
      2⤵
      • Executes dropped EXE
      PID:2220
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\e6185d4b4ff10b58f876babe5db6bfe6_JaffaCakes118.exe.bat
      2⤵
        PID:4016

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\e6185d4b4ff10b58f876babe5db6bfe6_JaffaCakes118.exe.bat

      Filesize

      210B

      MD5

      6933dc7d4e6e364ae8bc4650876f6499

      SHA1

      6e0728e32a39fdf72847536b63042a43c698c6d9

      SHA256

      edf96aa2228fad182390c65d802910fd2e9c4280bc131bfe1a7865b5f65a37b0

      SHA512

      33ba49e8ca8344cc3aabfcf5613839f693ca583348c724adce030e983800f1f12d2e535733cc1839a43e08690a8dfa45f557e10b1c189ad40452c00f97a9ab77

    • C:\Windows\SysWOW64\lenyunsk.exe

      Filesize

      17KB

      MD5

      e6185d4b4ff10b58f876babe5db6bfe6

      SHA1

      ad39f69563dac75355d8cf42f733d85da7c48aee

      SHA256

      e2169a586ecb0a42d5b26ed7de8e3714f64652a26c89ccb883c7128224785dab

      SHA512

      b965ef57212a48c514c229c5da784bd96734d1ece121c31fd8b7365ba7eae208e6cd0b38bff9c87bdd723606949c07f4e662a8f1210231f7d923bab585c93181

    • memory/1568-0-0x0000000000400000-0x0000000000410000-memory.dmp

      Filesize

      64KB

    • memory/1568-6-0x0000000000400000-0x0000000000410000-memory.dmp

      Filesize

      64KB

    • memory/2220-7-0x0000000000400000-0x0000000000410000-memory.dmp

      Filesize

      64KB