Analysis

  • max time kernel
    131s
  • max time network
    100s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04/05/2024, 03:00

General

  • Target

    114fdd33396da68a0d2c01031e3fff64_JaffaCakes118.exe

  • Size

    1.5MB

  • MD5

    114fdd33396da68a0d2c01031e3fff64

  • SHA1

    14e9561ee743a4ab2bfc6c6ada9d075ab33d2ddb

  • SHA256

    f1741ebea4fc619b1d5bf3777918e1ed8003cfd04d288bc0af5b4ac2d8d2fc1e

  • SHA512

    1877bff7572b13782cb4d622f7e9dc14f800e2040ec537ce55d29960f0cfc72f511952438c428758d5c2f3b3eaab72dd0e1a035df09c55b62e7208fc0fa9ac11

  • SSDEEP

    24576:OmUxlIUzbjKjOvUYhoxs+lM6Q1zAs1ZLuTdRZc:Efb+jQoxsw1+vLCFc

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in Program Files directory 8 IoCs
  • Modifies Internet Explorer settings 1 TTPs 33 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\114fdd33396da68a0d2c01031e3fff64_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\114fdd33396da68a0d2c01031e3fff64_JaffaCakes118.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2992
    • \??\c:\users\admin\appdata\local\temp\wmpscfgs.exe
      c:\users\admin\appdata\local\temp\\wmpscfgs.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1360
    • C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
      C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3476
      • \??\c:\users\admin\appdata\local\temp\wmpscfgs.exe
        c:\users\admin\appdata\local\temp\\wmpscfgs.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:5004
      • C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
        C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:4252
  • C:\Program Files (x86)\Internet Explorer\ielowutil.exe
    "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
    1⤵
      PID:3060
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:920
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:920 CREDAT:17410 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2720
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:920 CREDAT:17416 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1408
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:920 CREDAT:17424 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1704

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe

      Filesize

      1.5MB

      MD5

      afce5653550cd19050c80a2fa3d3cab5

      SHA1

      ae081eef90bb2536afddf87c52f7879dbb7fe67f

      SHA256

      0e73f025e8733d26e9cbb2f51dbc2a20d744eae58789b292a478476a8adf7962

      SHA512

      0cb163ef0b5f970fbfc0a24cce89c58692c342518e7c5e51256900128431a6e5302dc1cb244e66f51b5d54b98dc00c4eb3c7dc31a6cdc25f21783a9e372403ac

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\WEG78UAE\bLWuodJrB[1].js

      Filesize

      32KB

      MD5

      f48baec69cc4dc0852d118259eff2d56

      SHA1

      e64c6e4423421da5b35700154810cb67160bc32b

      SHA256

      463d99ca5448f815a05b2d946ddae9eed3e21c335c0f4cfe7a16944e3512f76c

      SHA512

      06fdccb5d9536ab7c68355dbf49ac02ebccad5a4ea01cb62200fd67728a6d05c276403e588a5bdceacf5e671913fc65b63e8b92456ca5493dae5b5a70e4a8b37

    • C:\Users\Admin\AppData\Local\Temp\wmpscfgs.exe

      Filesize

      1.5MB

      MD5

      5ae275a0ec3a057b9b84b973242ba931

      SHA1

      60694c1bbd96305b0ab400aa4668d1326805b010

      SHA256

      3fc31d8672c8e7fb1a10d3f2e8910868e3945e430f85c68a5a62a6ce16e2467f

      SHA512

      0e15a47616244fe138d933fa3837c46c3c0b073407c04eda555d155d3fbbf6dbc061b2ece305ea65bdc128b7b6ebd2fb78d351860a276d360cf09d46e2ba60fd

    • C:\Users\Admin\AppData\Local\Temp\wmpscfgs.exe

      Filesize

      1.5MB

      MD5

      edf7ebc88a67b55544e70d5a670249d8

      SHA1

      3e1d1abff5fa80538a2227ff09eaa7b67f4b4e3f

      SHA256

      8cb77ff42149852207f44ae9877acca1e5d81d4585cba7db877c3653be0e83b2

      SHA512

      bfcc164c99df0e2b45472bc70bfde25ad8cf48f1d587594aaab05baacd50e05db40c39606b8b7216c9d3487ac0f84f86587dfff8294cced6b659b57f4df1ad49

    • \??\c:\program files (x86)\common files\java\java update\jusched.exe

      Filesize

      1.5MB

      MD5

      a27289d7c6082c2259056521c737b58e

      SHA1

      ec04c2b8bf2726bb9a4327d7f155d59c4c53d947

      SHA256

      1c5ede58d0e005e6fca666d3eca3fbb2536d870cd08d9e7d94b1bd232637ce3d

      SHA512

      e00231439f370cb010204b136d88adb837949d84f3f4c7085a02a2c69c2fccb4207658ecccee7ce500e314db644daf8e5c149b2fc5c20c1e02f99e24bc372ff1

    • memory/2992-0-0x0000000010000000-0x0000000010010000-memory.dmp

      Filesize

      64KB