Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    145s
  • max time network
    132s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07/04/2024, 23:21

General

  • Target

    e6195002fecd1cd970e80ab5b2318974_JaffaCakes118.exe

  • Size

    23KB

  • MD5

    e6195002fecd1cd970e80ab5b2318974

  • SHA1

    c40a15e0f8b2e521f0ae481b3339d2893970a178

  • SHA256

    bbe0a9199a171bdb993b8882ab6625a34304a2fa8889ff37b7e6b281d699cbe5

  • SHA512

    445ca53a48fb6b04ca9f333a9aa9cdd311ee3e6b82a7c60ba168bd2e7525a0066a0dc04462064ebd339b6ba2db3ac3f7fde26cafe6f4484c5d4abafa412d742d

  • SSDEEP

    384:TtkAsyopTxyeDSsKR8wFB0M0Ro551Fa+wmG9C41fKV5uakl5kNzIyeqgbueo:aAsJRDSsKRfB0M0Ro55fomGw6fKeaWk9

Score
8/10

Malware Config

Signatures

  • Disables Task Manager via registry modification
  • Modifies Windows Firewall 2 TTPs 2 IoCs
  • Sets service image path in registry 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in System32 directory 7 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e6195002fecd1cd970e80ab5b2318974_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\e6195002fecd1cd970e80ab5b2318974_JaffaCakes118.exe"
    1⤵
    • Sets service image path in registry
    • Adds Run key to start application
    • Drops file in System32 directory
    • Suspicious behavior: LoadsDriver
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2844
    • C:\Windows\SysWOW64\netsh.exe
      netsh firewall set allowedprogram 'C:\Users\Admin\AppData\Local\Temp\e6195002fecd1cd970e80ab5b2318974_JaffaCakes118.exe' enable
      2⤵
      • Modifies Windows Firewall
      PID:2136
    • C:\Windows\SysWOW64\kernelwind32.exe
      C:\Windows\system32\kernelwind32.exe
      2⤵
      • Sets service image path in registry
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in System32 directory
      • Suspicious behavior: LoadsDriver
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:5332
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall set allowedprogram 'C:\Windows\SysWOW64\kernelwind32.exe' enable
        3⤵
        • Modifies Windows Firewall
        PID:2464

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\dllh8jkd1q8.exe

    Filesize

    362B

    MD5

    96dacbc0d6125a5baf02d286ea2d8277

    SHA1

    726416cce8f3b661070f9b3f30ea212e4621503e

    SHA256

    393921ae383f661a60cdb247d8600242daf919f0dfb4b1061f0ab5c7a922f443

    SHA512

    8cb5e28296ad8bcc47de26780b60fc51f81006dd04775aa0332ccecff64f7434b2ef33e17ad81ca96b16c44118bbfa19fb4325aca4eeeaa93f1d767050d2c4e3

  • C:\Windows\SysWOW64\kernelw.sys

    Filesize

    7KB

    MD5

    cc43010c40ec6907f2d0526c55495c16

    SHA1

    04f9b28b79824e20c77db44189db718b683971cf

    SHA256

    3b3fd4601090089980c93ff7607e9d3e863ce51155c56e0093871493f7a0f875

    SHA512

    b21ec29fc85f124a47ce46fb15f47643a4dc2ff521548746ca6a0d39030353c95b2cda4afe7372a85568ba464f162bf3c8060ec469e63f41775731994a6cb8f3

  • C:\Windows\SysWOW64\kernelwind32.exe

    Filesize

    23KB

    MD5

    e6195002fecd1cd970e80ab5b2318974

    SHA1

    c40a15e0f8b2e521f0ae481b3339d2893970a178

    SHA256

    bbe0a9199a171bdb993b8882ab6625a34304a2fa8889ff37b7e6b281d699cbe5

    SHA512

    445ca53a48fb6b04ca9f333a9aa9cdd311ee3e6b82a7c60ba168bd2e7525a0066a0dc04462064ebd339b6ba2db3ac3f7fde26cafe6f4484c5d4abafa412d742d

  • memory/2844-1-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

  • memory/2844-6-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

  • memory/5332-10-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

  • memory/5332-21-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB