Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    108s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28/04/2024, 08:52

General

  • Target

    04d1391971c911a6e9e33780fc6fea34_JaffaCakes118.exe

  • Size

    92KB

  • MD5

    04d1391971c911a6e9e33780fc6fea34

  • SHA1

    f43a1618ffbd8c5cbf550af0697785e2d09c4156

  • SHA256

    e4dfe909e51a9b9724dbe4c2ddb4c5b92fc59bcd83e8d8955c4a997227edf80c

  • SHA512

    65bd6324acdaad4d19e234afcde7049d0352493b06edd639848e800242ed466807bb24f505ff4f712cdb2b6ad37b21b0f699015a098584da3acce34b789ecfd9

  • SSDEEP

    1536:veIAxtMMjEJzW2r27usjy3RwrhUc+bEjyuPu6kLaL746F+ZZnvHumdHE:XAxtrYBW2wfjy3RwdZ+E

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\04d1391971c911a6e9e33780fc6fea34_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\04d1391971c911a6e9e33780fc6fea34_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1524
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\7934.vbs"
      2⤵
      • Deletes itself
      PID:2808
  • C:\Program Files (x86)\Microsoft Tntmib\Wawuaug.exe
    "C:\Program Files (x86)\Microsoft Tntmib\Wawuaug.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1788
    • C:\Program Files (x86)\Microsoft Tntmib\Wawuaug.exe
      "C:\Program Files (x86)\Microsoft Tntmib\Wawuaug.exe" Win7
      2⤵
      • Executes dropped EXE
      PID:4556
    • C:\Program Files (x86)\Microsoft Tntmib\Wawuaug.exe
      "C:\Program Files (x86)\Microsoft Tntmib\Wawuaug.exe" Win7
      2⤵
      • Executes dropped EXE
      PID:2500
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 432
      2⤵
      • Program crash
      PID:3908
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1788 -ip 1788
    1⤵
      PID:1324

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\7934.vbs

      Filesize

      500B

      MD5

      782aabe9e7bf63a2be014e3d077420f6

      SHA1

      8f6119e94496de6ecc7c23649575e6e730f8bde3

      SHA256

      3ce58f41ca21d6c06a84546edd4e8e4ff57868b7df445569a81518648f3278c8

      SHA512

      cb8ae4caa417216156353dc375f8f217637277c4a1cc19f0f5d2de1bd1b91bc4433a35f16de2fef3a4fb3ca6928200b051ec5d42afe9a16e700d501ee42d82b6

    • C:\Program Files (x86)\Microsoft Tntmib\Wawuaug.exe

      Filesize

      92KB

      MD5

      04d1391971c911a6e9e33780fc6fea34

      SHA1

      f43a1618ffbd8c5cbf550af0697785e2d09c4156

      SHA256

      e4dfe909e51a9b9724dbe4c2ddb4c5b92fc59bcd83e8d8955c4a997227edf80c

      SHA512

      65bd6324acdaad4d19e234afcde7049d0352493b06edd639848e800242ed466807bb24f505ff4f712cdb2b6ad37b21b0f699015a098584da3acce34b789ecfd9