Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    137s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17/04/2024, 18:08

General

  • Target

    f65e53031dd147cba479d30d495467df_JaffaCakes118.exe

  • Size

    29KB

  • MD5

    f65e53031dd147cba479d30d495467df

  • SHA1

    0dddd9947c23a832326af732827ac06561ffae36

  • SHA256

    bc3be7d0c255b8ea25426a4e357539fb716fc882a3b1e17001e9364d3d22ad59

  • SHA512

    ad95df5bd59ad28b48bc380db48963b06c5b7ddaab57f5cebfc29768c6c04e7b3bc19474ea2be878b700e04e58ba34c66ed40cbd37a834df5aeee9b8591a7441

  • SSDEEP

    768:nUKHqS2l31I8KcR8aKyqkKuhDFr6PG2BbC:zH/2lFI8D8brqDt6+YbC

Score
8/10

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • Sets file execution options in registry 2 TTPs 60 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 4 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 43 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 50 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 18 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f65e53031dd147cba479d30d495467df_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\f65e53031dd147cba479d30d495467df_JaffaCakes118.exe"
    1⤵
    • Sets file execution options in registry
    • Checks computer location settings
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1864
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c net stop McShield
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1452
      • C:\Windows\SysWOW64\net.exe
        net stop McShield
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:5032
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop McShield
          4⤵
            PID:2136
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c net stop KWhatchsvc
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3708
        • C:\Windows\SysWOW64\net.exe
          net stop KWhatchsvc
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:872
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop KWhatchsvc
            4⤵
              PID:4960
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c net stop KPfwSvc
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:4832
          • C:\Windows\SysWOW64\net.exe
            net stop KPfwSvc
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:4100
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop KPfwSvc
              4⤵
                PID:1784
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c net stop "Symantec AntiVirus Drivers Services"
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:1480
            • C:\Windows\SysWOW64\net.exe
              net stop "Symantec AntiVirus Drivers Services"
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:4940
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Symantec AntiVirus Drivers Services"
                4⤵
                  PID:1552
            • C:\Windows\SysWOW64\cmd.exe
              cmd /c net stop "Symantec AntiVirus Definition Watcher"
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:2688
              • C:\Windows\SysWOW64\net.exe
                net stop "Symantec AntiVirus Definition Watcher"
                3⤵
                • Suspicious use of WriteProcessMemory
                PID:1404
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Symantec AntiVirus Definition Watcher"
                  4⤵
                    PID:4752
              • C:\Windows\SysWOW64\cmd.exe
                cmd /c net stop "McAfee Framework ·þÎñ"
                2⤵
                • Suspicious use of WriteProcessMemory
                PID:4068
                • C:\Windows\SysWOW64\net.exe
                  net stop "McAfee Framework ·þÎñ"
                  3⤵
                  • Suspicious use of WriteProcessMemory
                  PID:4836
                  • C:\Windows\SysWOW64\net1.exe
                    C:\Windows\system32\net1 stop "McAfee Framework ·þÎñ"
                    4⤵
                      PID:2020
                • C:\Windows\SysWOW64\cmd.exe
                  cmd /c net stop "Norton AntiVirus Server"
                  2⤵
                  • Suspicious use of WriteProcessMemory
                  PID:3572
                  • C:\Windows\SysWOW64\net.exe
                    net stop "Norton AntiVirus Server"
                    3⤵
                    • Suspicious use of WriteProcessMemory
                    PID:4568
                    • C:\Windows\SysWOW64\net1.exe
                      C:\Windows\system32\net1 stop "Norton AntiVirus Server"
                      4⤵
                        PID:1360
                  • C:\Windows\SysWOW64\cmd.exe
                    cmd /c net stop DefWatch
                    2⤵
                      PID:4880
                      • C:\Windows\SysWOW64\net.exe
                        net stop DefWatch
                        3⤵
                          PID:3404
                          • C:\Windows\SysWOW64\net1.exe
                            C:\Windows\system32\net1 stop DefWatch
                            4⤵
                              PID:2920
                        • C:\Windows\SysWOW64\cmd.exe
                          cmd /c net stop "Symantec AntiVirus Client"
                          2⤵
                            PID:2464
                            • C:\Windows\SysWOW64\net.exe
                              net stop "Symantec AntiVirus Client"
                              3⤵
                                PID:2100
                                • C:\Windows\SysWOW64\net1.exe
                                  C:\Windows\system32\net1 stop "Symantec AntiVirus Client"
                                  4⤵
                                    PID:2432
                              • C:\Windows\SysWOW64\0.pif
                                C:\Windows\system32\0.pif
                                2⤵
                                • Drops file in Drivers directory
                                • Executes dropped EXE
                                PID:3828
                                • C:\Program Files\Internet Explorer\iexplore.exe
                                  "C:\Program Files\Internet Explorer\iexplore.exe" -nohome
                                  3⤵
                                  • Modifies Internet Explorer settings
                                  • Suspicious use of FindShellTrayWindow
                                  • Suspicious use of SetWindowsHookEx
                                  PID:4708
                                  • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                                    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4708 CREDAT:17410 /prefetch:2
                                    4⤵
                                    • Modifies Internet Explorer settings
                                    • Suspicious use of SetWindowsHookEx
                                    PID:4864
                              • C:\Windows\SysWOW64\cacls.exe
                                "C:\Windows\System32\cacls.exe" C:\Windows\system32\packet.dll /e /p everyone:f
                                2⤵
                                  PID:4360
                                • C:\Windows\SysWOW64\cacls.exe
                                  "C:\Windows\System32\cacls.exe" C:\Windows\system32\pthreadVC.dll /e /p everyone:f
                                  2⤵
                                    PID:3272
                                  • C:\Windows\SysWOW64\cacls.exe
                                    "C:\Windows\System32\cacls.exe" C:\Windows\system32\wpcap.dll /e /p everyone:f
                                    2⤵
                                      PID:4956
                                    • C:\Windows\SysWOW64\cacls.exe
                                      "C:\Windows\System32\cacls.exe" C:\Windows\system32\drivers\npf.sys /e /p everyone:f
                                      2⤵
                                        PID:3096
                                      • C:\Windows\SysWOW64\cacls.exe
                                        "C:\Windows\System32\cacls.exe" C:\Windows\system32\npptools.dll /e /p everyone:f
                                        2⤵
                                          PID:2692
                                        • C:\Windows\SysWOW64\cacls.exe
                                          "C:\Windows\System32\cacls.exe" C:\Windows\system32\wanpacket.dll /e /p everyone:f
                                          2⤵
                                            PID:1828
                                          • C:\Windows\SysWOW64\cacls.exe
                                            "C:\Windows\System32\cacls.exe" C:\Windows\system32\drivers\acpidisk.sys /e /p everyone:f
                                            2⤵
                                              PID:3964
                                            • C:\Windows\SysWOW64\cacls.exe
                                              "C:\Windows\System32\cacls.exe" C:\Documents and Settings\All Users\¡¸¿ªÊ¼¡¹²Ëµ¥\³ÌÐò\Æô¶¯ /e /p everyone:f
                                              2⤵
                                                PID:3976
                                              • C:\Program Files\Internet Explorer\IEXPLORE.EXE
                                                "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.baiduoo.com/tj.htm
                                                2⤵
                                                • Modifies Internet Explorer settings
                                                • Suspicious use of FindShellTrayWindow
                                                • Suspicious use of SetWindowsHookEx
                                                PID:2168
                                                • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                                                  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2168 CREDAT:17410 /prefetch:2
                                                  3⤵
                                                  • Modifies Internet Explorer settings
                                                  • Suspicious use of SetWindowsHookEx
                                                  PID:5052
                                                • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                                                  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2168 CREDAT:17416 /prefetch:2
                                                  3⤵
                                                  • Modifies Internet Explorer settings
                                                  • Suspicious use of SetWindowsHookEx
                                                  PID:4360
                                              • C:\Program Files\Internet Explorer\IEXPLORE.EXE
                                                "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
                                                2⤵
                                                • Modifies Internet Explorer settings
                                                PID:4016

                                            Network

                                            MITRE ATT&CK Enterprise v15

                                            Replay Monitor

                                            Loading Replay Monitor...

                                            Downloads

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868

                                              Filesize

                                              471B

                                              MD5

                                              a4660977d10a286a0ff606b3734933d5

                                              SHA1

                                              5221b082deb7586bb7de50321fe0c3b9266c045e

                                              SHA256

                                              3d925398397bc5939b5c54c2fd662e344b7d0a74743fbc5543473d1875781f1f

                                              SHA512

                                              2970ab07715bc77343dcca22c0be250d7360f318d7fde3738becec769b0fa0fe8ddcd651a94edd7799bc18334d89fa24a0224201d3ba766756f8e75989bb0e66

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868

                                              Filesize

                                              412B

                                              MD5

                                              49bf21129872263715a4591695106c98

                                              SHA1

                                              dff76f265948458d5f038a454e8d465102e5aa1c

                                              SHA256

                                              f34e7c52d91b3962a7a0478906035abf48ebd13499197fbeddbffdf53ee2799c

                                              SHA512

                                              83a46881fa9ca51477d9ced406b08aaab34664b399987f01a3022ee8fbeb901977b74b2902812eb00eefb8d18af18a51eb6f1f675c8a1a87152ee0db9b8dba53

                                            • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{330111DC-909A-11D8-9C52-7E7946C1FF9B}.dat

                                              Filesize

                                              5KB

                                              MD5

                                              679989af340e1aa28432490fdbfcd265

                                              SHA1

                                              142e927c7517aa17c593641dd0a61a56661cbac4

                                              SHA256

                                              2052ecbee13c43b221d2b9e8394959fb2784725d19a57d6c4b4891e5e657496f

                                              SHA512

                                              ca58fec7eb55c2a642b676689309d41b0838247f9a11b6eed48fb0c1b9aa9e38266f16b068cc17ca1b8b3b25560dc4ec6071a14733e4595ad0a4e5944e93a2f7

                                            • C:\Windows\SysWOW64\0.pif

                                              Filesize

                                              7KB

                                              MD5

                                              ed39b3accc3428934a21772438640be5

                                              SHA1

                                              796bf164ff32f1e7453d31988fcf7b2c5e072ed4

                                              SHA256

                                              a6a2a4c186b787bc13242f0ab1b5c0b422aa978847da0841539db848faff1fd3

                                              SHA512

                                              d87af3b1597973497808c215df184640487d9a5e32961b74345bde2fb3d2dedce98bcac5384f096ae533e14961ecf138ecf27b2e731ef3e2659d55bd021e2ff1

                                            • memory/1864-0-0x0000000013140000-0x000000001315D000-memory.dmp

                                              Filesize

                                              116KB

                                            • memory/1864-7-0x0000000013140000-0x000000001315D000-memory.dmp

                                              Filesize

                                              116KB

                                            • memory/3828-5-0x0000000000400000-0x000000000040A000-memory.dmp

                                              Filesize

                                              40KB

                                            • memory/3828-6-0x0000000000400000-0x000000000040A000-memory.dmp

                                              Filesize

                                              40KB