Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    151s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20/04/2024, 10:02

General

  • Target

    fc81235e35bc93e91cd97ec890c02b74_JaffaCakes118.exe

  • Size

    208KB

  • MD5

    fc81235e35bc93e91cd97ec890c02b74

  • SHA1

    b12a844774261070d3123de14371afe1588c74f2

  • SHA256

    80e70808c8138bd4c11cb151e3ac1e35e550c545d7670206499da8e8b0f6a953

  • SHA512

    c3bfaae2c669143275d48d2b1d02565a6341be254e5dd5614d0882cb6084fbc6d95e3a12c46def8b00a2c3beb807b912694e96a9449d10ce92815c0d2693235e

  • SSDEEP

    6144:hl4mjZF//MrI3L0SksjkIwUc7zJ66cgDKgr8wVcmzt:Zr//eMkhIwUc70mD/Bcmz

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fc81235e35bc93e91cd97ec890c02b74_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\fc81235e35bc93e91cd97ec890c02b74_JaffaCakes118.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:8
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\105.tmp\vir.bat""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4152
      • C:\Users\Admin\AppData\Local\Temp\u.dll
        u.dll -bat vir.bat -save fc81235e35bc93e91cd97ec890c02b74_JaffaCakes118.exe.com -include s.dll -overwrite -nodelete
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:2172
        • C:\Users\Admin\AppData\Local\Temp\431.tmp\mpress.exe
          "C:\Users\Admin\AppData\Local\Temp\431.tmp\mpress.exe" "C:\Users\Admin\AppData\Local\Temp\exe432.tmp"
          4⤵
          • Executes dropped EXE
          PID:4900
      • C:\Windows\SysWOW64\calc.exe
        CALC.EXE
        3⤵
        • Modifies registry class
        PID:3660
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:4920
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3820 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8
    1⤵
    PID:4424

Network

MITRE ATT&CK Matrix

Downloads

    • C:\Users\Admin\AppData\Local\Temp\105.tmp\vir.bat

      Filesize

      1KB

      MD5

      3f9d41dcc7d7787236d2686e50750b32

      SHA1

      17ec9a93fed688a6529fb857c22f619e6cf45f5f

      SHA256

      472e148396788a4b678d4c7ed237e7c5577ad4758c9fee990bdbeb36f802232c

      SHA512

      0cdace403fb99c76ab8c73c349e61f4cb6c155cf43bd7d528e6d6b200fdea5a7c55cf302edd817244b1054b5f0cac486722a367766ed7cc3cccf4abd86ea8d38

    • C:\Users\Admin\AppData\Local\Temp\431.tmp\mpress.exe

      Filesize

      100KB

      MD5

      e42b81b9636152c78ba480c1c47d3c7f

      SHA1

      66a2fca3925428ee91ad9df5b76b90b34d28e0f8

      SHA256

      7c24c72439880e502be51da5d991b9b56a1af242b4eef4737f0f43b4a87546d2

      SHA512

      4b2986106325c5c3fe11ab460f646d4740eb85252aa191f2b84e29901fac146d7a82e31c72d39c38a70277f78278621ee506d9da2681f5019cd64c7df85cff6e

    • C:\Users\Admin\AppData\Local\Temp\exe432.tmp

      Filesize

      41KB

      MD5

      9cdcf02f847ddde1f3b62c676c5cc737

      SHA1

      1e28bc7716cb6adb55b1b397dbabbe31adba3cf2

      SHA256

      d7726cc05bcd788912a23fc85f233775da28cb0d4d2920c2be66e5cc69e2b7ae

      SHA512

      438303dceafa36ac40271d6b7759248357109cc479a53dd4eb472ab35d51f333f629be2da54fc113bcdcf2bb4bdf4201b5075351842d20d7e818c80a31b88e92

    • C:\Users\Admin\AppData\Local\Temp\mpr125A.tmp

      Filesize

      24KB

      MD5

      8dd52bfe2f56ec20402bef5dafe49e83

      SHA1

      c29e3c436ab92db5326b5d31455202accf8cc98f

      SHA256

      e35ee21199e637983ccc35c7b648e694f6e5d6993ec12fe99db553270331a880

      SHA512

      ede99c417e95ef2fd36e8532d7e90cc4ba81800a8d826a0a17ee87e48152013e1cda09bdc1b74f567ee393248a283a443297c9e249ccd544cfb6fcd1ee2b8871

    • C:\Users\Admin\AppData\Local\Temp\s.dll

      Filesize

      700KB

      MD5

      ac3e2f16df5b8e004bc7528957957c95

      SHA1

      318dfb96abdc8e9d3778788dfdbb1f3dba885fba

      SHA256

      c53ac431faed8f5ab7c67b254f913efe0dceaafdbf26b02b930d07f45d840fe2

      SHA512

      4c60d3b255c38807a104e4362493dbf651fb8893633e94ee9a4c69770773f8d7bf95d310051154b9bd74d6eb1993626a5eb107e74e891d681f0398c64a7ebaf4

    • C:\Users\Admin\AppData\Local\Temp\vir.bat

      Filesize

      1KB

      MD5

      7d835ca670a67d265dfc3109269b5d39

      SHA1

      6c6de3dcace396aa12e7fa1bc316ed3f108e34f2

      SHA256

      dadc386394b7609e551df7be525a868b388c0585f6ef705978fb1965a9e1bc21

      SHA512

      18d88a08944a68bd1831874a18b10de4fff3c5c023a802afa227093a647d176e2af4c37736ceb6ce5193516e6f2d831423de1481344fd89b28e0e1a8bc3e0e91

    • memory/8-0-0x0000000000400000-0x00000000004BF000-memory.dmp

      Filesize

      764KB

    • memory/8-1-0x0000000000400000-0x00000000004BF000-memory.dmp

      Filesize

      764KB

    • memory/8-71-0x0000000000400000-0x00000000004BF000-memory.dmp

      Filesize

      764KB

    • memory/4900-56-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

    • memory/4900-63-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB