Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    135s
  • max time network
    125s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15/05/2024, 17:16

General

  • Target

    4733a823253e50d03fac643b86bfc988_JaffaCakes118.exe

  • Size

    2.0MB

  • MD5

    4733a823253e50d03fac643b86bfc988

  • SHA1

    f665d1e999f428ff6c737eed26e83790dbee024d

  • SHA256

    9d1c7694e5d77b85d7b408ce5c7b2b4c83fe75458ec3d3cd320ea5eed7de2cba

  • SHA512

    17c8e90f316004f38dc92e5102ee78903f7d7bf62c40231b868e8182740b9f659cc95bb9d5e19b2830671e43855f3a90d0b380cef2236213227f99fe538b1984

  • SSDEEP

    49152:hnJMKPdHuS8MaScLZuQVAUT1G2KygVRb1VAaoSjBqH3L:hn1PduU3cAp4nG1qxv

Malware Config

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4733a823253e50d03fac643b86bfc988_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\4733a823253e50d03fac643b86bfc988_JaffaCakes118.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Checks whether UAC is enabled
    • Writes to the Master Boot Record (MBR)
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4268
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C ping 127.0.0.1 -n 3 > nul &del "C:\Users\Admin\AppData\Local\Temp\4733a823253e50d03fac643b86bfc988_JaffaCakes118.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4756
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 3
        3⤵
        • Runs ping.exe
        PID:3848

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp9C44.tmp

    Filesize

    131KB

    MD5

    e55d7f58df0b83cbb7536bfbc792d1b1

    SHA1

    a3f053ad4903a8a66431521796cc13bd5e76a189

    SHA256

    6f21fa2af712c97ea3371e87dfc7c09220142df82bdf3520593426c93121c041

    SHA512

    5f836348154acdcdde90f98ee89a54ece2c757eb86b38cc1174013a5109bd8ce3f96147c8220ebfb4ac14b733f7cf39f12e4feefed8e66dc4b2fb99cdf93161e

  • C:\Users\Admin\AppData\Local\Temp\tmp9C54.tmp

    Filesize

    46KB

    MD5

    8f5942354d3809f865f9767eddf51314

    SHA1

    20be11c0d42fc0cef53931ea9152b55082d1a11e

    SHA256

    776ecf8411b1b0167bea724409ac9d3f8479973df223ecc6e60e3302b3b2b8ea

    SHA512

    fde8dfae8a862cf106b0cb55e02d73e4e4c0527c744c20886681245c8160287f722612a6de9d0046ed1156b1771229c8950b9ac036b39c988d75aa20b7bac218

  • C:\Users\Admin\AppData\Local\Temp\tmp9C5A.tmp

    Filesize

    100KB

    MD5

    6d7ef092add3330a33162536d6a34a07

    SHA1

    b2646ee43195149c40daaadfada376f58169534e

    SHA256

    84d90c18fdb84664ac660760bb9a201f672407ad5bc5da01655ac0209f7c67a7

    SHA512

    579cf4851103bb8a3db2f24050c6b79229a968f0d5fb1ea92ccfb55e045b2a8ca82532200557f57052e39357b40a17ebac437007116d45de0f97d7189a3f251f

  • C:\Users\Admin\AppData\Local\Temp\tmp9CC6.tmp

    Filesize

    8KB

    MD5

    554187ec42a63490fbd24746e531a544

    SHA1

    a92399ed19fde8131a3843924c44027606e4ab2e

    SHA256

    1841c87dd39fb775f2b35f5a5a5eae82694e3c6c616aa0936990edcc0f9cafc5

    SHA512

    89eef8cb8d020a2afd58cedbab9530284cf7f14c7503e913dbac2b6c9c1f6ea8ceb4c148ecd07607ba56dd86c7f9d0de8eb3d5524d256065662fe83b4eca74dc

  • C:\Users\Admin\AppData\Local\Temp\tmp9CC7.tmp

    Filesize

    48KB

    MD5

    349e6eb110e34a08924d92f6b334801d

    SHA1

    bdfb289daff51890cc71697b6322aa4b35ec9169

    SHA256

    c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

    SHA512

    2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

  • C:\Users\Admin\AppData\Local\Temp\tmp9CCD.tmp

    Filesize

    20KB

    MD5

    49693267e0adbcd119f9f5e02adf3a80

    SHA1

    3ba3d7f89b8ad195ca82c92737e960e1f2b349df

    SHA256

    d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

    SHA512

    b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

  • C:\Users\Admin\AppData\Local\Temp\tmp9CE2.tmp

    Filesize

    116KB

    MD5

    f70aa3fa04f0536280f872ad17973c3d

    SHA1

    50a7b889329a92de1b272d0ecf5fce87395d3123

    SHA256

    8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

    SHA512

    30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

  • memory/4268-7-0x00000000052F0000-0x000000000533C000-memory.dmp

    Filesize

    304KB

  • memory/4268-8-0x0000000005530000-0x000000000563A000-memory.dmp

    Filesize

    1.0MB

  • memory/4268-12-0x0000000006700000-0x0000000006CA4000-memory.dmp

    Filesize

    5.6MB

  • memory/4268-13-0x0000000001000000-0x00000000014F8000-memory.dmp

    Filesize

    5.0MB

  • memory/4268-14-0x0000000006F80000-0x0000000007142000-memory.dmp

    Filesize

    1.8MB

  • memory/4268-15-0x0000000007680000-0x0000000007BAC000-memory.dmp

    Filesize

    5.2MB

  • memory/4268-16-0x0000000006E60000-0x0000000006EC6000-memory.dmp

    Filesize

    408KB

  • memory/4268-17-0x0000000008660000-0x00000000086B0000-memory.dmp

    Filesize

    320KB

  • memory/4268-23-0x0000000008750000-0x00000000087EC000-memory.dmp

    Filesize

    624KB

  • memory/4268-11-0x00000000060B0000-0x0000000006142000-memory.dmp

    Filesize

    584KB

  • memory/4268-0-0x0000000001000000-0x00000000014F8000-memory.dmp

    Filesize

    5.0MB

  • memory/4268-6-0x00000000052B0000-0x00000000052EC000-memory.dmp

    Filesize

    240KB

  • memory/4268-5-0x0000000005230000-0x0000000005242000-memory.dmp

    Filesize

    72KB

  • memory/4268-4-0x0000000005890000-0x0000000005EA8000-memory.dmp

    Filesize

    6.1MB

  • memory/4268-3-0x0000000001000000-0x00000000014F8000-memory.dmp

    Filesize

    5.0MB

  • memory/4268-2-0x0000000001000000-0x00000000014F8000-memory.dmp

    Filesize

    5.0MB

  • memory/4268-281-0x0000000001000000-0x00000000014F8000-memory.dmp

    Filesize

    5.0MB