Analysis

  • max time kernel
    151s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    08/05/2024, 18:23

General

  • Target

    262132653358194edf6a20bd6477825b_JaffaCakes118.exe

  • Size

    2.2MB

  • MD5

    262132653358194edf6a20bd6477825b

  • SHA1

    7f51c6ae16a71abac42ee32f4973250b92839282

  • SHA256

    9bbc1ed623d8ff84aed6a4ad000cdf10165a2ead32896aa02b7525c40ffffe3b

  • SHA512

    b88b80bdf663f94bd75f3c7ab55805fce229635f9044a8f3aaf0f57405447a0431ecfd71fa8059b524c71d14ac18a3a7a4d7e58bf29af25ba121c4462521f644

  • SSDEEP

    49152:IkxOm+7TjsPnztyDMmaf0qC6TuRhB0Cd4Ik0ZD5FJ9X+:IJotyDJTuIRZD5FLX

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Modifies boot configuration data using bcdedit 1 IoCs
  • AutoIT Executable 2 IoCs

    AutoIT scripts compiled to PE executables.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • NTFS ADS 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\262132653358194edf6a20bd6477825b_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\262132653358194edf6a20bd6477825b_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • NTFS ADS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious behavior: RenamesItself
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1188
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c echo 2
      2⤵
      PID:4200
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Windows\system32\bcdedit /export C:\FRST\Hives\BCD
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4544
      • C:\Windows\system32\bcdedit.exe
        C:\Windows\system32\bcdedit /export C:\FRST\Hives\BCD
        3⤵
        • Modifies boot configuration data using bcdedit
        • Suspicious use of AdjustPrivilegeToken
        PID:3432
    • C:\Users\Admin\AppData\Local\Temp\262132653358194edf6a20bd6477825b_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\262132653358194edf6a20bd6477825b_JaffaCakes118.exe"
      2⤵
      • Executes dropped EXE
      • NTFS ADS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:180
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1080
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4240 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8
    1⤵
    PID:4392

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\FRST\Logs\up64
    Filesize 11B
    MD5 e2745b02d17175b9b46412c83b8b2b4f
    SHA1 fe0facf9afe5a68723515feba8452ed2837f61d4
    SHA256 047d80578830db380f60e70ad8ab56d32cb5dd5d5c0a3a90ec70ab85df7b7c86
    SHA512 bc7a54af98c9a72bbbab08bbbf7d431fccdcca85582833459e9172610d67e307ed8ee872c473336f4ff3858c1c43edc61a2aa87ca2334019f62a2c53ba9095d2

  • C:\FRST\m9Ek0Wc1Xq2L\NTUSER.DAT
    Filesize 2.2MB
    MD5 1e77764884338aeb8ace7b631adb2426
    SHA1 dc28b7e5f5836f6ffa38b219c526c1f0aced62dd
    SHA256 664e0fe460295aacf2dfd8148c32ce86e79ff2780a1952fc1fba4aa06ca13423
    SHA512 3a97143703e25d6f5b3e93c71555719a6fc7485c15ce244a4d7b052c80497ed27cf72d5f173cfb76cad11422f96dac214639867e73d65b8fd8ddb3343c84fab4

  • C:\FRST\m9Ek0Wc1Xq2L\UsrClass.dat
    Filesize 4.2MB
    MD5 4733474f42440e1a1c52861e89b5a94c
    SHA1 359b7ef7c876df294e105e44f5c1e3e916c8766a
    SHA256 a913857191e4a9ca7f57249a3d7508a57261d16ad9bc4ca3f2cc0dbe136cbb80
    SHA512 6c05670259bf359c7d7f6a9e3cf3b1d2d0460f5d6a8fdb6b373808536c20a639a0f4bb1ae21271d45676565c05113e28f0971ba9c86522fa12d72b68d9c6f20a

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
    Filesize 717B
    MD5 822467b728b7a66b081c91795373789a
    SHA1 d8f2f02e1eef62485a9feffd59ce837511749865
    SHA256 af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9
    SHA512 bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1B1495DD322A24490E2BF2FAABAE1C61
    Filesize 299B
    MD5 5ae8478af8dd6eec7ad4edf162dd3df1
    SHA1 55670b9fd39da59a9d7d0bb0aecb52324cbacc5a
    SHA256 fe42ac92eae3b2850370b73c3691ccf394c23ab6133de39f1697a6ebac4bedca
    SHA512 a5ed33ecec5eecf5437c14eba7c65c84b6f8b08a42df7f18c8123ee37f6743b0cf8116f4359efa82338b244b28938a6e0c8895fcd7f7563bf5777b7d8ee86296

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
    Filesize 192B
    MD5 7fa51e4d0959c08d365baf6baca2bfd0
    SHA1 b3daf02c29f10ed5b533003480fab2d8cca195f2
    SHA256 ce6d77b0dd70c85036779d67d0509703f02aa779348ca0c515b79295429a4585
    SHA512 51c9d2bb343fc107876ab4de1a7012d5f5598da5b35e2085923508baee0d889764ed3338a66cb2a218fc0013a17dde05e3eac861185c50347f4481277fc1b1e8

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1B1495DD322A24490E2BF2FAABAE1C61
    Filesize 192B
    MD5 dcc07c47d71461533f39173e5a972996
    SHA1 d36afa651b0ccad33562aa036706aaa6c9ef035d
    SHA256 ca3abd901a8e8779863575b3a2ae51784da38e7b1401e7d2f81ab9285f27a6e6
    SHA512 a9bb7915289b8c07c5c9fb140b4c7b6f629f74519a2463c20140f965f8bbbbb9b5bbfe7c9f273725a4d8edf8e3733270f594f6c10c7f7db5a4c349e08395ddd6

  • C:\Users\Admin\AppData\Local\Temp\262132653358194edf6a20bd6477825b_JaffaCakes118.exe
    Filesize 2.3MB
    MD5 120f574ee9576a25c66d15e092e342ce
    SHA1 84e65506eb6f0f02b069c9e323b647af957484f5
    SHA256 181b6f58321032cbbef46e672238268f91eb2dec2ec1762f2510ca42098b049e
    SHA512 119ce0dc5e1778e1b200869866f761fc71125617d31bf0426edc81ea883824597996b8c57197c683fc487426d9512530bd4b78076ac54ee91454022311e0f3af

  • memory/1188-114-0x00007FF763640000-0x00007FF76387A000-memory.dmp
    Filesize 2.2MB