
Analysis

  • max time kernel
    135s
  • max time network
    125s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04/05/2024, 10:16

General

  • Target

    1245085f62bf86866aabda07b1571e66_JaffaCakes118.exe

  • Size

    11.0MB

  • MD5

    1245085f62bf86866aabda07b1571e66

  • SHA1

    fd38a9466f2bccfd4dd4f369f8193dad7e98600a

  • SHA256

    d7520ea2598f8f4c8e00c07b649c195aa811d47a471c47a971c692988180e892

  • SHA512

    5a3aa6bbac27f596f58fee6f218f418bcb57f660721553199381d79b4fc863fab49a71a5ae3ec39264ed83f86bccda7bc1a41d7d61a52c547428ff2cb12d38d1

  • SSDEEP

    196608:f9Grhc9G2hohbUyJanVj9taZeUFtpW6u7HSbZqktxr0zQc2wxUiBebgOvjl:FGrhyG2hohQyJiXtattpW6ubSbYkt5OE

Score
7/10

Malware Config

Signatures

  • Loads dropped DLL (5 IoCs)
  • Enumerates connected drives (3 TTPs, 46 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken (64 IoCs)
  • Suspicious use of FindShellTrayWindow (1 IoC)
  • Suspicious use of WriteProcessMemory (3 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\1245085f62bf86866aabda07b1571e66_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\1245085f62bf86866aabda07b1571e66_JaffaCakes118.exe"
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:3636
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1704
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 1E4E82664528912868B4D718B6A59F0E C
      2⤵
      • Loads dropped DLL
      PID:4548
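The tree above is the standard Windows Installer shape: the sample (PID 3636) is an EXE bootstrapper that hands a package to the Installer service, msiexec.exe /V (PID 1704), which in turn starts a 32-bit MsiExec.exe with "-Embedding <GUID>" (PID 4548) to host the package's custom actions. Any code the package itself carries runs in that child, so "Loads dropped DLL" on PID 4548 is the hit to chase; the WriteProcessMemory hits on the service (PID 1704) are worth confirming as writes into that child rather than into an unrelated process. The following Python script is an added example, not code from the report or from tria.ge: it parses the process block exactly as the page renders it (image line, command line, depth marker, signature bullets, PID line), reconstructs parent/child links from the depth markers, and flags custom action servers. The sample input is the tree above, embedded as a string; the field names and the "-Embedding under msiexec.exe /V" heuristic are this example's own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Sample input (constructed for this example): the report's process tree as
# rendered on the page. Record layout: image, command line, depth, signatures, PID.
REPORT_PROCESSES = r"""
• C:\Users\Admin\AppData\Local\Temp\1245085f62bf86866aabda07b1571e66_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\1245085f62bf86866aabda07b1571e66_JaffaCakes118.exe"
  1⤵
  • Enumerates connected drives
  • Suspicious use of AdjustPrivilegeToken
  • Suspicious use of FindShellTrayWindow
  PID:3636
• C:\Windows\system32\msiexec.exe
  C:\Windows\system32\msiexec.exe /V
  1⤵
  • Enumerates connected drives
  • Suspicious use of AdjustPrivilegeToken
  • Suspicious use of WriteProcessMemory
  PID:1704
  • C:\Windows\syswow64\MsiExec.exe
    C:\Windows\syswow64\MsiExec.exe -Embedding 1E4E82664528912868B4D718B6A59F0E C
    2⤵
    • Loads dropped DLL
    PID:4548
"""


@dataclass
class Proc:
    image: str
    cmdline: str = ""
    depth: int = 0
    pid: int = -1
    ppid: int = -1            # -1: no parent inside the tree (started by the OS)
    signatures: List[str] = field(default_factory=list)


IMAGE_RE = re.compile(r"^•\s*([A-Za-z]:\\.+)$")   # "• C:\path\image.exe" opens a record
DEPTH_RE = re.compile(r"^(\d+)⤵$")                # "1⤵", "2⤵": nesting level
PID_RE = re.compile(r"^PID:(\d+)$")               # closes the record
SIG_RE = re.compile(r"^•\s*(.+)$")                # any other bullet is a signature hit


def parse_process_tree(text: str) -> List[Proc]:
    procs: List[Proc] = []
    ancestors: List[tuple] = []      # stack of (depth, pid) for parent lookup
    cur: Optional[Proc] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = IMAGE_RE.match(line)
        if m:
            cur = Proc(image=m.group(1))
            procs.append(cur)
            continue
        if cur is None:
            continue
        if (m := DEPTH_RE.match(line)):
            cur.depth = int(m.group(1))
        elif (m := PID_RE.match(line)):
            cur.pid = int(m.group(1))
            # parent = nearest preceding record with a smaller depth
            while ancestors and ancestors[-1][0] >= cur.depth:
                ancestors.pop()
            cur.ppid = ancestors[-1][1] if ancestors else -1
            ancestors.append((cur.depth, cur.pid))
            cur = None
        elif (m := SIG_RE.match(line)):
            cur.signatures.append(m.group(1))
        elif not cur.cmdline:
            cur.cmdline = line       # the non-bullet line right after the image
    return procs


def flag_custom_action_servers(procs: List[Proc]) -> List[Dict]:
    """Flag MsiExec.exe instances started with "-Embedding" (custom action
    servers). The Installer service, msiexec.exe /V, spawns them to run the
    package's custom actions, so package-supplied code executes there."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        if not p.image.lower().endswith("\\msiexec.exe"):
            continue
        if "-embedding" not in p.cmdline.lower():
            continue
        parent = by_pid.get(p.ppid)
        parent_cmd = parent.cmdline.lower().rstrip() if parent else ""
        hits.append({
            "pid": p.pid,
            "ppid": p.ppid,
            "wow64": "\\syswow64\\" in p.image.lower(),        # 32-bit CA server
            "under_installer_service": parent_cmd.endswith("msiexec.exe /v"),
            "loads_dropped_dll": any("dropped dll" in s.lower() for s in p.signatures),
        })
    return hits


if __name__ == "__main__":
    tree = parse_process_tree(REPORT_PROCESSES)
    for p in tree:
        print(f"{'  ' * (p.depth - 1)}{p.pid} (parent {p.ppid}) {p.image}")
    for h in flag_custom_action_servers(tree):
        print("custom action server:", h)
```

Run as-is it prints the reconstructed tree and one hit: PID 4548 under 1704, 32-bit, with the dropped-DLL signature. The parent link for 1704 is -1 because the Installer service is started by the service control manager, not by the sample, which is why the page shows it at the same depth as the bootstrapper rather than beneath it.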

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\ProgramData\Atlassian\SourceTree 1.6.15\install\SourceTreeSetup_1.6.15.msi

    Filesize

    886KB

    MD5

    16833d30bb20361ee3a177e99ee63e88

    SHA1

    420142ca317d757f8eb2e5cf09e57544d31474f6

    SHA256

    18ec1de7a8191de24151d6517def4a45817e339b1cf485065abc0303073f00ba

    SHA512

    753f08053f3c379c656ef0019ca5943d376b38e54c1ec5c24373ae7af6d677dc9a405e3b54ed14f656b2afc4a1ed48dd9a6dadea6f321f5c092ae3326bb74579

  • C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_3636\STSetup_dialog.jpg

    Filesize

    14KB

    MD5

    3f4243fd51a3d9dbaf81f4fc712a67ea

    SHA1

    f0e86f29b54379810b40b61829fc20e674913eee

    SHA256

    c60da07a8edc7d37234b1a7e6af21d88ef5302bdf8c33bd45cff6b15b0599ff5

    SHA512

    2984e977fedaead6b164bfd77affa4607be22fa585dd1f8534d7f2548edc7efb0906cb40280b7f22f9a1688c2ed88c71c3a216b25c532589e330cb8cf5ee9222

  • C:\Users\Admin\AppData\Local\Temp\MSI471B.tmp

    Filesize

    91KB

    MD5

    e82cfcfc5b1e271bb0ea368ee0697cc7

    SHA1

    d8904f05ae4447b6bbb23466d73186abc5ff4db0

    SHA256

    adee901de613487edd9c80d199340875bd1faed7b999eee452e6b136865bca28

    SHA512

    964738a62a85ef52e8cd16c54bfe85a8e24f614c26d4809ddc153276b2012de475e3011c98f59f5dd37e60f0f9e9da4c8b1df5c2c34224a9dc1bf714febd040c

  • C:\Users\Admin\AppData\Local\Temp\MSI4846.tmp

    Filesize

    297KB

    MD5

    510f289eef8c9f856466e58796553029

    SHA1

    a1a7a7b96fa2b087b2e2152bffd0a84557b807e1

    SHA256

    cf8d8ad4abe18a60292083867749793ea40d274664abd49d3acf2ba9a305e7a0

    SHA512

    e66292583d165e68bb02a6fca55041d1079a5b18805ac357d749f4cc6f9a9cd2456866366b3d2dd297695db858c572789e6a73654d73a73caae047efc4b4fcf6

  • memory/3636-0-0x0000000002620000-0x0000000002621000-memory.dmp

    Filesize

    4KB

  • memory/3636-69-0x0000000002620000-0x0000000002621000-memory.dmp

    Filesize

    4KB
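The dropped-file list has more structure than it looks. The .msi under C:\ProgramData\Atlassian\ is the package the bootstrapper unpacked and handed to the Installer service; the MSIxxxx.tmp files in the user's Temp directory are binaries the Installer service extracts from a package while it runs (custom action DLLs are the usual case); the AI_EXTUI_BIN_3636 directory carries the bootstrapper's external UI assets and its suffix is the bootstrapper's own PID (3636 in the Processes section); and the memory/<pid>-<n>-<start>-<end>-memory.dmp entries are region dumps whose address range must agree with the listed Filesize (0x2620000 to 0x2621000 is 0x1000 bytes, the 4KB shown). The Python below is an added example, not code from the report or from tria.ge: it classifies each entry from its name, checks the memory-dump sizes, and hashes a file pulled from the sandbox with the same four algorithms the report lists so the artifact can be matched to the page before anyone opens it. The entries and sizes are taken from the list above; the category names and the regexes are this example's own assumptions about the naming.

```python
import hashlib
import os
import re
import tempfile
from typing import Dict, Iterable, List

# Sample input (constructed for this example): the report's Downloads entries
# with the Filesize the page lists for each.
REPORT_DOWNLOADS = {
    r"C:\ProgramData\Atlassian\SourceTree 1.6.15\install\SourceTreeSetup_1.6.15.msi": "886KB",
    r"C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_3636\STSetup_dialog.jpg": "14KB",
    r"C:\Users\Admin\AppData\Local\Temp\MSI471B.tmp": "91KB",
    r"C:\Users\Admin\AppData\Local\Temp\MSI4846.tmp": "297KB",
    "memory/3636-0-0x0000000002620000-0x0000000002621000-memory.dmp": "4KB",
    "memory/3636-69-0x0000000002620000-0x0000000002621000-memory.dmp": "4KB",
}
TREE_PIDS = {3636, 1704, 4548}   # PIDs from the report's Processes section

MEMDUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)-memory\.dmp$")
EXTUI_RE = re.compile(r"\\AI_EXTUI_BIN_(\d+)\\", re.IGNORECASE)   # suffix = extracting PID
MSI_TMP_RE = re.compile(r"\\MSI[0-9a-fA-F]{4}\.tmp$", re.IGNORECASE)


def classify_artifact(name: str, tree_pids: Iterable[int] = ()) -> Dict:
    """Classify one Downloads entry from its name alone."""
    m = MEMDUMP_RE.match(name)
    if m:
        start, end = int(m.group(3), 16), int(m.group(4), 16)
        return {"kind": "memory-dump", "pid": int(m.group(1)), "seq": int(m.group(2)),
                "start": start, "end": end, "size": end - start}
    m = EXTUI_RE.search(name)
    if m:
        pid = int(m.group(1))
        return {"kind": "bootstrapper-ui-asset", "pid": pid, "pid_in_tree": pid in set(tree_pids)}
    if MSI_TMP_RE.search(name):
        return {"kind": "installer-temp-binary", "pid": None}
    if name.lower().endswith(".msi"):
        return {"kind": "embedded-msi", "pid": None}
    return {"kind": "other", "pid": None}


def summarize(downloads: Dict[str, str], tree_pids: Iterable[int]) -> Dict[str, List[str]]:
    out: Dict[str, List[str]] = {}
    for name in downloads:
        out.setdefault(classify_artifact(name, tree_pids)["kind"], []).append(name)
    return out


def parse_size(text: str) -> int:
    """'4KB' -> 4096, '11.0MB' -> 11534336; a bare number is bytes."""
    m = re.fullmatch(r"([\d.]+)\s*(KB|MB|GB|B)?", text.strip(), re.IGNORECASE)
    if not m:
        raise ValueError(text)
    mult = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}[(m.group(2) or "B").upper()]
    return int(float(m.group(1)) * mult)


def memory_size_mismatches(downloads: Dict[str, str]) -> List[str]:
    """Dump entries whose address range disagrees with the listed Filesize."""
    return [name for name, size in downloads.items()
            if (info := classify_artifact(name))["kind"] == "memory-dump"
            and info["size"] != parse_size(size)]


def hash_bytes(data: bytes, algos: Iterable[str] = ("md5", "sha1", "sha256", "sha512")) -> Dict[str, str]:
    return {a: hashlib.new(a, data).hexdigest() for a in algos}


def verify_file(path: str, expected: Dict[str, str]) -> Dict[str, bool]:
    """Hash a file pulled from the sandbox and compare with the report's digests."""
    hashers = {a: hashlib.new(a) for a in expected}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {a: hashers[a].hexdigest() == expected[a].lower() for a in expected}


def verify_bytes_as_file(data: bytes, expected: Dict[str, str]) -> Dict[str, bool]:
    """Self-check helper: write data to a temp file and run verify_file on it."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(data)
        path = tmp.name
    try:
        return verify_file(path, expected)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for kind, names in summarize(REPORT_DOWNLOADS, TREE_PIDS).items():
        print(kind, names)
    print("memory size mismatches:", memory_size_mismatches(REPORT_DOWNLOADS))
```

To check a real artifact, pass the path of the file downloaded from the sandbox and the report's digests, e.g. verify_file("SourceTreeSetup_1.6.15.msi", {"md5": "16833d30bb20361ee3a177e99ee63e88", "sha256": "18ec1de7a8191de24151d6517def4a45817e339b1cf485065abc0303073f00ba"}); any False means the file is not the one the report analysed.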