
Analysis

  • max time kernel
    9s
  • max time network
    13s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    16/04/2024, 17:05 UTC

Errors

Reason
Machine shutdown (the guest shut down during analysis, so the trace covers only the 9 s kernel / 13 s network window listed above; later-stage behaviour, if any, is not recorded)

General

  • Target

    f3edb2e5f49810617e3c19fa2ac2fe9d_JaffaCakes118.exe

  • Size

    588KB

  • MD5

    f3edb2e5f49810617e3c19fa2ac2fe9d

  • SHA1

    2c00ddf967a41858bad7b0c49461901ba0f3119b

  • SHA256

    a57e819e901e40d98f98d1cc654c6c7fabe9569e465b2ed1734034348816a09a

  • SHA512

    df7bb2f49dd2a17abc83f45bcb955dd4c3581dfc29799c4c7f1f8c4573f63e100eb909d0078478e80f5a022245813f37fe918a0fb69f79a9ce3524c0da9bcfd9

  • SSDEEP

    12288:wPnXr5REk7oMh+xjL1AIV/pqmN2uSN0W4U6p4NqdoEtjzjCoz0wZmuOmv9a:gXr5aMhK1AIV/AfNl4L4NaNtjvC5ymum

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
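The UPX signature above is a section-name and marker match on the file itself. As an added example (not tria.ge's detector and not code from the sample), the Python below walks the PE section table and reports the three cheap UPX indicators a triage script would check; it runs against a constructed minimal PE32 header built in the same file, not against the real sample:

```python
"""Spot UPX-style packing from the PE section table (added example, not tria.ge code)."""
import struct

# Section names the stock UPX packer writes; a modified UPX build may rename them.
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}


def pe_sections(data: bytes):
    """Yield (name, virtual_size, virtual_address, raw_size, raw_ptr) per section."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size             # section table follows the optional header
    for i in range(num_sections):
        off = table + i * 40                 # IMAGE_SECTION_HEADER is 40 bytes
        name = data[off:off + 8].rstrip(b"\0")
        vsize, vaddr, rsize, rptr = struct.unpack_from("<IIII", data, off + 8)
        yield name, vsize, vaddr, rsize, rptr


def upx_indicators(data: bytes) -> dict:
    """Combine three cheap heuristics; none alone is proof, and all can be stripped."""
    secs = list(pe_sections(data))
    names = [s[0].decode("ascii", "replace") for s in secs]
    named = [n for n in names if n.encode() in UPX_SECTION_NAMES]
    # UPX0 is the decompression target: zero bytes on disk, large virtual extent.
    hollow_first = bool(secs) and secs[0][3] == 0 and secs[0][1] > 0
    magic = b"UPX!" in data                  # UPX's own header marker
    return {
        "sections": names,
        "upx_named_sections": named,
        "hollow_first_section": hollow_first,
        "upx_magic": magic,
        "packed": bool(named) or (hollow_first and magic),
    }


def build_sample_pe(section_names, first_raw_size=0, with_magic=True) -> bytes:
    """Constructed minimal PE32 header (not a real sample): just enough for the parser above."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header right after the DOS header
    opt = bytearray(224)                     # PE32 optional header size
    struct.pack_into("<H", opt, 0, 0x10B)    # IMAGE_NT_OPTIONAL_HDR32_MAGIC
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, len(opt), 0x102)
    table = b""
    for i, name in enumerate(section_names):
        vsize = 0x1DF000 if i == 0 else 0x1000
        rsize = first_raw_size if i == 0 else 0x200
        table += name.ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", vsize, 0x1000 * (i + 1), rsize, 0x400 + 0x200 * i, 0, 0, 0, 0, 0x60000020)
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table
    return image + (b"UPX!" + b"\0" * 12 if with_magic else b"")


if __name__ == "__main__":
    print(upx_indicators(build_sample_pe([b"UPX0", b"UPX1", b".rsrc"])))
    print(upx_indicators(build_sample_pe([b".text", b".data"], first_raw_size=0x200, with_magic=False)))
```

A renamed-section ("modified UPX") build defeats the name check and can drop the UPX! marker; the hollow first section tends to survive because the stub still needs somewhere to write the decompressed image. Confirmation is dynamic: the 1.9MB dump of PID 3192 at 0x400000-0x5DF000 listed under Downloads is where the unpacked code would be, and `upx -d` on the file tells you whether the stock unpacker still recognises it.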

Processes

  • C:\Users\Admin\AppData\Local\Temp\f3edb2e5f49810617e3c19fa2ac2fe9d_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\f3edb2e5f49810617e3c19fa2ac2fe9d_JaffaCakes118.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Maps connected drives based on registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    PID:3192
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x4 /state0:0xa39b2855 /state1:0x41c64e6d
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:1704
    (LogonUI.exe is the Windows logon/shutdown screen; it is listed at the same tree level as the sample, not as its child, and its activity is consistent with the machine shutdown recorded under Errors.)
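The "Modifies WinLogon for persistence" signature fires on the Winlogon key, whose Shell and Userinit values are comma lists that Windows launches at logon. The report does not say which value the sample changed, so as an added example (not tria.ge code, and not a record of what this sample wrote) here is a Python audit that parses a `reg export` style dump and flags anything beyond the stock values. The defaults are assumed to be those of a 64-bit Windows 10 image, the export text is constructed, and the `svc.exe` path in it is hypothetical:

```python
"""Audit Winlogon autostart values from a .reg export (added example, not tria.ge code)."""
import re

# Stock values on a 64-bit Windows 10 image (assumption; verify against your own golden image).
DEFAULT_SHELL = "explorer.exe"
DEFAULT_USERINIT = r"C:\Windows\system32\userinit.exe,"
WINLOGON_SUFFIX = r"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Constructed export; svc.exe is a hypothetical path, not something this report shows.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\svc.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\svc.exe"
'''

# Constructed clean export for comparison.
CLEAN_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,"
'''


def parse_reg_export(text: str) -> dict:
    """Minimal .reg reader: [key] headers and "name"="string" values only."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None:
            m = re.match(r'^"([^"]+)"="(.*)"$', line)
            if m:
                # .reg escapes backslashes and double quotes inside string data
                keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\").replace('\\"', '"')
    return keys


def split_list(value: str) -> list:
    """Shell and Userinit are comma lists; Windows launches every non-empty entry."""
    return [p.strip() for p in value.split(",") if p.strip()]


def audit_winlogon(values: dict) -> list:
    """Findings for one Winlogon key: anything launched beyond the stock programs."""
    findings = []
    for entry in split_list(values.get("Shell", DEFAULT_SHELL)):
        if entry.lower() != DEFAULT_SHELL:
            findings.append(f"Shell launches extra program: {entry}")
    for entry in split_list(values.get("Userinit", DEFAULT_USERINIT)):
        if entry.lower() != DEFAULT_USERINIT.rstrip(",").lower():
            findings.append(f"Userinit launches extra program: {entry}")
    if values.get("Taskman"):
        findings.append(f"Taskman is set (absent by default): {values['Taskman']}")
    return findings


def audit_export(text: str) -> list:
    """Check every Winlogon key in the export: HKLM, HKCU and per-user HKU hives all count."""
    findings = []
    for key, values in parse_reg_export(text).items():
        if key.upper().endswith(WINLOGON_SUFFIX.upper()):
            findings.extend(f"{key}: {f}" for f in audit_winlogon(values))
    return findings


if __name__ == "__main__":
    for finding in audit_export(SAMPLE_REG_EXPORT):
        print(finding)
```

On a live host, `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" winlogon.reg` produces this format; the file is UTF-16LE with a BOM, so open it with `encoding="utf-16"` before passing the text in. The per-user key under HKCU (and under HKEY_USERS\<SID> for other accounts) is honoured too, which is why the audit matches on the key suffix rather than on HKLM alone.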

Network

  Reverse (PTR) lookups, all sent to 8.8.8.8:53 (US):

  • 72.32.126.40.in-addr.arpa     IN PTR   no answer recorded
  • 198.52.96.20.in-addr.arpa     IN PTR   no answer recorded
  • 249.197.17.2.in-addr.arpa     IN PTR   a2-17-197-249.deploy.static.akamaitechnologies.com
  • 21.114.53.23.in-addr.arpa     IN PTR   a23-53-114-21.deploy.static.akamaitechnologies.com
  • 25.63.96.20.in-addr.arpa      IN PTR   no answer recorded
  • 79.121.231.20.in-addr.arpa    IN PTR   no answer recorded
  Connections (bytes and packet counts as recorded by the sandbox; a dash means nothing was recorded):

  Remote address     Process / query                                      Sent    Received  Out  In
  94.244.80.60:80    f3edb2e5f49810617e3c19fa2ac2fe9d_JaffaCakes118.exe   156 B   -         3    -
  138.91.171.81:80   -                                                    52 B    -         1    -
  8.8.8.8:53 (dns)   72.32.126.40.in-addr.arpa                            71 B    157 B     1    1
  8.8.8.8:53 (dns)   198.52.96.20.in-addr.arpa                            71 B    157 B     1    1
  8.8.8.8:53 (dns)   249.197.17.2.in-addr.arpa                            71 B    135 B     1    1
  8.8.8.8:53 (dns)   21.114.53.23.in-addr.arpa                            71 B    135 B     1    1
  8.8.8.8:53 (dns)   25.63.96.20.in-addr.arpa                             70 B    156 B     1    1
  8.8.8.8:53 (dns)   79.121.231.20.in-addr.arpa                           72 B    158 B     1    1

  Only the traffic to 94.244.80.60:80 is attributed to the sample process: 156 B over 3 outbound packets (52 B each, the same size as the single packet to 138.91.171.81:80) with no reply recorded in the 13 s network window. The 138.91.171.81:80 packet and the PTR lookups are not attributed to any process in this report.

MITRE ATT&CK Enterprise v15


Downloads

  • memory/3192-0-0x0000000000400000-0x00000000005DF000-memory.dmp

    Filesize

    1.9MB

  • memory/3192-1-0x0000000000700000-0x0000000000701000-memory.dmp

    Filesize

    4KB

  • memory/3192-4-0x0000000000400000-0x00000000005DF000-memory.dmp

    Filesize

    1.9MB
