Analysis

  • max time kernel
    141s
  • max time network
    127s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    16/04/2024, 19:55

General

  • Target

    f436ee86c9aa9c0dda6358a6c58f390a_JaffaCakes118.exe

  • Size

    408KB

  • MD5

    f436ee86c9aa9c0dda6358a6c58f390a

  • SHA1

    85c8956ff4404c81734576673b63202dec2d1bb5

  • SHA256

    4eaf2a90b0cf7e4c1df1670f3c9d25bee9f245a4e8f7fe3d02a225a4077378fd

  • SHA512

    125558319620fd6d90403e50965d3c85d6f66db523e88bee6235f94147424c347d6603bceb64f961340e5dcec4bbc48b2d403aafe4487e430db8bd5a9a6fd0dd

  • SSDEEP

    12288:jOxhyZqMU8BBFesAMmDQmqO+48Z8PmSy:yxU8ByAMmDPE

Score
5/10

Malware Config

Signatures

  • Drops file in System32 directory 1 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs
  • Views/modifies file attributes 1 TTPs 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f436ee86c9aa9c0dda6358a6c58f390a_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\f436ee86c9aa9c0dda6358a6c58f390a_JaffaCakes118.exe"
    1⤵
    • Modifies registry class
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3260
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c .\TALme.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4872
      • C:\Windows\SysWOW64\attrib.exe
        attrib C:\Windows\system32\client.exe -h -r -s
        3⤵
        • Views/modifies file attributes
        PID:2368
      • C:\Windows\SysWOW64\attrib.exe
        attrib C:\Windows\system32\Explorer.exe -h -r -s
        3⤵
        • Drops file in System32 directory
        • Views/modifies file attributes
        PID:1156
      • C:\Windows\SysWOW64\attrib.exe
        attrib C:\Windows\system32\internat.dic -h -r -s
        3⤵
        • Views/modifies file attributes
        PID:1364
      • C:\Windows\SysWOW64\attrib.exe
        attrib C:\Windows\notepad.jmp -h -r -s
        3⤵
        • Views/modifies file attributes
        PID:1424
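
The process tree above shows a pattern worth a detection rule: a binary in the user's Temp directory runs cmd.exe /c on a dropped batch file, and that batch calls attrib -h -r -s on files under C:\Windows and C:\Windows\system32 (Explorer.exe normally lives in C:\Windows, not System32). The Python below is an added example, not part of the tria.ge report or its signatures. The process events are constructed here to mirror the tree above (same PIDs, images and command lines) plus one benign attrib call as a control; the ProcEvent type, the path lists and the 1-3 scoring are this example's own assumptions.

```python
import ntpath
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Minimal process-creation record (the fields a Sysmon Event ID 1 carries)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed sample: mirrors the report's process tree, plus one benign control.
SAMPLE_EVENTS = [
    ProcEvent(3260, 1000,
              r"C:\Users\Admin\AppData\Local\Temp\f436ee86c9aa9c0dda6358a6c58f390a_JaffaCakes118.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\f436ee86c9aa9c0dda6358a6c58f390a_JaffaCakes118.exe"'),
    ProcEvent(4872, 3260, r"C:\Windows\SysWOW64\cmd.exe",
              r"C:\Windows\system32\cmd.exe /c .\TALme.bat"),
    ProcEvent(2368, 4872, r"C:\Windows\SysWOW64\attrib.exe",
              r"attrib C:\Windows\system32\client.exe -h -r -s"),
    ProcEvent(1156, 4872, r"C:\Windows\SysWOW64\attrib.exe",
              r"attrib C:\Windows\system32\Explorer.exe -h -r -s"),
    ProcEvent(1364, 4872, r"C:\Windows\SysWOW64\attrib.exe",
              r"attrib C:\Windows\system32\internat.dic -h -r -s"),
    ProcEvent(1424, 4872, r"C:\Windows\SysWOW64\attrib.exe",
              r"attrib C:\Windows\notepad.jmp -h -r -s"),
    # Benign control (constructed): an interactive user marking a document read-only.
    ProcEvent(5000, 4000, r"C:\Windows\System32\attrib.exe",
              r"attrib +r C:\Users\Admin\Documents\notes.txt"),
]

ATTRIB_SWITCH = re.compile(r"^[+-][rashoi]$", re.I)   # +/-R, A, S, H, O, I
ATTRIB_OPTIONS = {"/s", "/d", "/l"}                    # recursion/link flags, not attributes
WINDOWS_DIR = "c:\\windows\\"                          # also covers System32 and SysWOW64
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\downloads\\", "c:\\users\\public\\")


def norm(path: str) -> str:
    """Case-fold and strip quotes so prefix checks work on Windows paths."""
    return path.strip('"').lower().replace("/", "\\")


def parse_attrib(cmdline: str):
    """Return (cleared, set_, paths) from an attrib command line.

    Whitespace tokenizer: sufficient for the report's command lines; quoted
    paths containing spaces would need a real Windows argv split first.
    """
    cleared, set_, paths = set(), set(), []
    for tok in cmdline.split()[1:]:
        if ATTRIB_SWITCH.match(tok):
            (cleared if tok[0] == "-" else set_).add(tok[1].lower())
        elif tok.lower() not in ATTRIB_OPTIONS:
            paths.append(tok.strip('"'))
    return cleared, set_, paths


def detect(events):
    """Flag attrib.exe clearing H/R/S on files under C:\\Windows; score 1-3 by ancestry."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        if ntpath.basename(e.image).lower() != "attrib.exe":
            continue
        cleared, _, paths = parse_attrib(e.cmdline)
        unmasked = cleared & {"h", "r", "s"}
        targets = [p for p in paths if norm(p).startswith(WINDOWS_DIR)]
        if not (unmasked and targets):
            continue
        score, reasons = 1, [f"attrib clears {sorted(unmasked)} on {targets}"]
        parent = by_pid.get(e.ppid)
        if parent and ntpath.basename(parent.image).lower() == "cmd.exe" \
                and re.search(r"\.bat\b", parent.cmdline, re.I):
            score += 1
            reasons.append(f"parent cmd.exe runs a batch file: {parent.cmdline}")
            grandparent = by_pid.get(parent.ppid)
            if grandparent and any(d in norm(grandparent.image) for d in USER_WRITABLE):
                score += 1
                reasons.append(f"batch launched by a binary in a user-writable path: {grandparent.image}")
        findings.append({"pid": e.pid, "score": score, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"PID {f['pid']} score {f['score']}/3")
        for r in f["reasons"]:
            print("  -", r)
```

Run against the constructed events it reports the four attrib children (PIDs 2368, 1156, 1364, 1424) at the top score and ignores the control. attrib.exe on its own is far too common to alert on, which is why the ancestry (cmd.exe /c *.bat, launched from a user-writable path) carries most of the weight; feeding real Sysmon Event ID 1 records only requires mapping ProcessId, ParentProcessId, Image and CommandLine into ProcEvent.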

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\TALme.bat

    Filesize

    363B

    MD5

    ac5efe21e1b1f47f1db39aaeac450d32

    SHA1

    9c0c7baf260fa29797411762e6ffc81be0cc5909

    SHA256

    5cc75cad64ad86d63ef590b5e2d79d2c054fb42c863b7bc5e63a35986ce37894

    SHA512

    0ac9b2622c38a6e5b3e3d846442b92371b4ade85960d15c87e36f4566f589e9416327f160bda824e21f036b545902ac3bab4b824d0ff6d1601d4cf60f6660703

  • memory/3260-0-0x0000000000400000-0x0000000000466000-memory.dmp

    Filesize

    408KB

  • memory/3260-1-0x0000000002310000-0x0000000002311000-memory.dmp

    Filesize

    4KB

  • memory/3260-5-0x0000000000400000-0x0000000000466000-memory.dmp

    Filesize

    408KB

  • memory/3260-7-0x0000000002310000-0x0000000002311000-memory.dmp

    Filesize

    4KB