Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/05/2024, 23:18

General

  • Target

    2c32fd77b49e9b461502bd7b962b3958_JaffaCakes118.msi

  • Size

    448KB

  • MD5

    2c32fd77b49e9b461502bd7b962b3958

  • SHA1

    c1ac57ee5ff6d01ede7d6b23fd1b8521d01b77ec

  • SHA256

    2e3a530f6f30e32e7d982308747f0f9015c37e651939dc8e0982b38425e5cfa0

  • SHA512

    e3beb16e77667c3f6014ca180151c03699e0a609100abb53e5012a86588eb3f3029c9e4be48b24d9d2fc945f8e61d33fc66d218649f5e5f87b6120891f297287

  • SSDEEP

    12288:dER6Wq4aaE6KwyF5L0Y2D1PqLoHPvCMaD:dEnthEVaPqLIPs

Score
7/10

Malware Config

Signatures

  • UPX packed file 14 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • AutoIT Executable 12 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in Windows directory 8 IoCs
  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 43 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\2c32fd77b49e9b461502bd7b962b3958_JaffaCakes118.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2816
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1788
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
        PID:3356
      • C:\Windows\Installer\MSI74A4.tmp
        "C:\Windows\Installer\MSI74A4.tmp"
        2⤵
        • Adds Run key to start application
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of WriteProcessMemory
        PID:1636
        • C:\Windows\SysWOW64\WSCript.exe
          WSCript C:\Users\Admin\AppData\Local\Temp\GSVNFV.vbs
          3⤵
            PID:2460
      • C:\Windows\system32\vssvc.exe
        C:\Windows\system32\vssvc.exe
        1⤵
        • Checks SCSI registry key(s)
        • Suspicious use of AdjustPrivilegeToken
        PID:3120

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\GSVNFV.vbs

        Filesize

        821B

        MD5

        5e6d5b5ec8946646b9d4f58ca913d2c6

        SHA1

        12dd2f0fad0b7628fbbe9d844f1b3e5cb3974553

        SHA256

        b9e0b5c5c71f9ed245f377e2490635befcf154bb79488d57191e473d72c2e6b2

        SHA512

        6a2cb7025929dd6f8a322e1b3a23b6e9cc870192935b4d885d9c17769637f5f9b3c8d14220790a9447435651943daa92402cbe1e06637ef5fed2c2e0ed6eb5b4

      • C:\Windows\Installer\MSI74A4.tmp

        Filesize

        420KB

        MD5

        4ea28cd3a218b4068c4a09f95a85cb78

        SHA1

        436d4d139ecabba8173c8e7927edfc738491ca44

        SHA256

        5b71772f3283bf77dab187de440e7b7879ae674985898458da1c87bdeaab0fee

        SHA512

        7f2737686021347b9e8d79d9963dd252d1fe14792cf2ec3c22792e26b310698e23409bb3548ad32a0dcea116672fdd4996161ae7e168221416cd5282659e8a27

      • memory/1636-30-0x0000000000400000-0x00000000004CA000-memory.dmp

        Filesize

        808KB

      • memory/1636-13-0x0000000000400000-0x00000000004CA000-memory.dmp

        Filesize

        808KB

      • memory/1636-24-0x0000000000400000-0x00000000004CA000-memory.dmp

        Filesize

        808KB

      • memory/1636-25-0x0000000000400000-0x00000000004CA000-memory.dmp

        Filesize

        808KB

      • memory/1636-12-0x0000000000400000-0x00000000004CA000-memory.dmp

        Filesize

        808KB

      • memory/1636-31-0x0000000000400000-0x00000000004CA000-memory.dmp

        Filesize

        808KB

      • memory/1636-32-0x0000000000400000-0x00000000004CA000-memory.dmp

        Filesize

        808KB

      • memory/1636-33-0x0000000000400000-0x00000000004CA000-memory.dmp

        Filesize

        808KB

      • memory/1636-34-0x0000000000400000-0x00000000004CA000-memory.dmp

        Filesize

        808KB

      • memory/1636-35-0x0000000000400000-0x00000000004CA000-memory.dmp

        Filesize

        808KB

      • memory/1636-36-0x0000000000400000-0x00000000004CA000-memory.dmp

        Filesize

        808KB

      • memory/1636-37-0x0000000000400000-0x00000000004CA000-memory.dmp

        Filesize

        808KB

      • memory/1636-38-0x0000000000400000-0x00000000004CA000-memory.dmp

        Filesize

        808KB