Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    155s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/04/2024, 01:06

General

  • Target

    f929aaec00525d6dd357e05d53922f38_JaffaCakes118.exe

  • Size

    396KB

  • MD5

    f929aaec00525d6dd357e05d53922f38

  • SHA1

    04d29ebb0c66bc30f045385afa1130fdf393f15f

  • SHA256

    24383293f8e128bf02be51a5bee374de9fe9029f26ef192ce07aab2a29f03760

  • SHA512

    5349680df2b7f515f92a8565113c6514be53b85e09088b4b4a76619245b6988c5bf78166aea5f19acbec3891eb7269b1a9668c76d3ed00f3e0d41df10638ae36

  • SSDEEP

    6144:PD4RK2HCKK4cq2QvTkpQ7CU9/Jg3nAzfYxmdBiPyFRfOjd:r44lKkEpCAzfYy7fOjd

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f929aaec00525d6dd357e05d53922f38_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\f929aaec00525d6dd357e05d53922f38_JaffaCakes118.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3372
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3372 -s 676
      2⤵
      • Program crash
      PID:5024
    • C:\ProgramData\jM01812BdMgM01812\jM01812BdMgM01812.exe
      "C:\ProgramData\jM01812BdMgM01812\jM01812BdMgM01812.exe" "C:\Users\Admin\AppData\Local\Temp\f929aaec00525d6dd357e05d53922f38_JaffaCakes118.exe"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:3172
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3172 -s 668
        3⤵
        • Program crash
        PID:4780
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 3372 -ip 3372
    1⤵
      PID:116
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3172 -ip 3172
      1⤵
        PID:2964
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4088 --field-trial-handle=2676,i,447940133669489189,1353734109898858672,262144 --variations-seed-version /prefetch:8
        1⤵
          PID:3964

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\ProgramData\jM01812BdMgM01812\jM01812BdMgM01812

          Filesize

          192B

          MD5

          8a1f87c42668e041cea2abb42994c8d2

          SHA1

          756ddae02064371f604142eacf26b2bcd1062000

          SHA256

          bb7fbe2d3187ce65b84ef3d944d1b8caa744ef824b33bbf1092fbdedcce2abc1

          SHA512

          9eb898e56462ad60ed2e7e9e0d38d500bb9dc5e5a5fc7cc513937c849f38ca62cbd56ed1a1617714daaa2c88f797c126235b9f86feafa389b27ac527b9a60d81

        • C:\ProgramData\jM01812BdMgM01812\jM01812BdMgM01812.exe

          Filesize

          396KB

          MD5

          345fc64e68efc6da6ad131118ced53bf

          SHA1

          1f6a7fa1b04b176d71765bf91b0494a26305e89f

          SHA256

          5e35e0ba5e0de733b0ce3097e2339d14883ce362cf624dd24ab362656715403f

          SHA512

          8a86dd98ad69430be943b07f6fe29e5b7f8d05cdca0e1331147fac97b3679f5d839e728569c00af7492e48a1da64f462cabd5b68967a7a8190f26cd38aeee67b

        • memory/3172-18-0x0000000000400000-0x00000000004F0000-memory.dmp

          Filesize

          960KB

        • memory/3172-24-0x0000000000400000-0x00000000004F0000-memory.dmp

          Filesize

          960KB

        • memory/3172-30-0x0000000000400000-0x00000000004F0000-memory.dmp

          Filesize

          960KB

        • memory/3172-32-0x0000000000400000-0x00000000004F0000-memory.dmp

          Filesize

          960KB

        • memory/3172-33-0x0000000000400000-0x00000000004F0000-memory.dmp

          Filesize

          960KB

        • memory/3372-0-0x0000000002350000-0x0000000002352000-memory.dmp

          Filesize

          8KB

        • memory/3372-1-0x0000000000400000-0x00000000004F0000-memory.dmp

          Filesize

          960KB

        • memory/3372-2-0x0000000000400000-0x00000000004F0000-memory.dmp

          Filesize

          960KB

        • memory/3372-8-0x0000000000400000-0x00000000004F0000-memory.dmp

          Filesize

          960KB

        • memory/3372-15-0x0000000000400000-0x00000000004F0000-memory.dmp

          Filesize

          960KB