Analysis

  • max time kernel
    138s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21/04/2024, 06:47

General

  • Target

    feb0bf5b0d7f6820c330fa45091cd189_JaffaCakes118.dll

  • Size

    2.2MB

  • MD5

    feb0bf5b0d7f6820c330fa45091cd189

  • SHA1

    a1f50429415bc7cbf1706c22dfdca734173fb9ac

  • SHA256

    474fe0f75ec639814eac17468c8ce29908ed30f3665457d864cffa6540047ea0

  • SHA512

    07f208c66899c0f298037dd8aab4d772e2ef6321a36519112e5d677170a58ee19d69e8a397ae0cb485cc1f2c71d82b55c004d96cf40c459fbda3b405602670f8

  • SSDEEP

    24576:52WdDKT6lr1CDu2ruh59hmxxJNOjOAUBJjlD4qH5vlalua2UotfG6o:53DlBEidgxJN5AejlD4uvlab2UotfG

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Drops file in System32 directory 9 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Runs .reg file with regedit 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\feb0bf5b0d7f6820c330fa45091cd189_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:5000
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\feb0bf5b0d7f6820c330fa45091cd189_JaffaCakes118.dll,#1
      2⤵
      • Blocklisted process makes network request
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:4792
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\~Delbat01.bat
        3⤵
        PID:4520
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\~Delbat01.bat
        3⤵
        PID:3960
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\~Delbat01.bat
        3⤵
        PID:3360
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\~Delbat01.bat
        3⤵
        PID:3160
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\~Delbat01.bat
        3⤵
        PID:3932
      • C:\Windows\SysWOW64\Regedit.exe
        Regedit.exe /s "C:\Windows\SysWOW64\arun.reg"
        3⤵
        • Modifies WinLogon for persistence
        • Runs .reg file with regedit
        PID:3296

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\~Delbat01.bat

    Filesize
    158B

    MD5
    b0a27860ea12fd07015510c5c35c7554

    SHA1
    535e08f7a8759f019fb085554675034faca50bb3

    SHA256
    1c62ea2659178f376ddcc36492ffc6c4a0c08c78436566f20170bbe3b02d9cd9

    SHA512
    f4af7e332e6b866501a79cc98a76fa1f1fa3a24d61f27a188b503c64360140dd67e0b9bb60590e8f1b5369413a1cc5d8929ea2f8ff1db843a5d8098aca5c884a

  • C:\Windows\SysWOW64\11D18gXgg.dll

    Filesize
    921B

    MD5
    b7d9db6b08668f6225b47354d1625d57

    SHA1
    47068158132fe367904bbffe71d6445ba4a87b8d

    SHA256
    db4a5ad033e9052a1a709ec47e9b1bcd7afb9f3c799ef7c9451871593febb0ff

    SHA512
    e8bc3753bfb3e82c8e5865be23c8c976d8c7d96db5e5ec5fa80dc1c526f4af5f4e7876a7e1e756db1bff227cbd2d57ac69c7157173c0fe575fb7b345f8d1759e

  • C:\Windows\SysWOW64\11D18gXgg.dll

    Filesize
    1KB

    MD5
    03870ec18f067da58cb6253c2fad3265

    SHA1
    fb8e064476fb3af2faf3a977835bb3b284cf4a33

    SHA256
    f2c43e0bb1465011d8b66ddb6c9bd206e37c512d9096546d0990952ac5ada770

    SHA512
    a3c58f60a0af99d1e5640a663807f5ea0f5a812e15f9ba385a38f93a4267ea6493931aad304645bc158131cfa5fee54052330295d3b2b934f9aa0212b4ca9ef1

  • C:\Windows\SysWOW64\arun.reg

    Filesize
    149B

    MD5
    adfc8b71e83fe2857ee9679492f69327

    SHA1
    691d668a9bafd29397d07d40f7a9835c2a69995b

    SHA256
    ce08d9de9b28cee3e147505a99335f3b7f5ab1b82dc009032864c0c1b911cd3c

    SHA512
    13f37167233bf6b00c0f23174e336f7abfbcded6e7bf8d6d5d146459a74f03cfe96a6e414d5ebfe55967be4c02a3f4e6f23cc2c5333180338a45ad7507ced822