Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    140s
  • max time network
    123s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21/05/2024, 05:01

General

  • Target

    621cfb12233c7432f6881347bded5a57_JaffaCakes118.exe

  • Size

    132KB

  • MD5

    621cfb12233c7432f6881347bded5a57

  • SHA1

    ab871369a1d336031620c6938d87a9ef69ee03ba

  • SHA256

    07b22a0e85c4f95916a66a6f603adbfd5f152fa2dcaf19603fb95e0dafcc099c

  • SHA512

    c5e365b035ca4dbfe98b2d483dd398c247e688155ca272fcd8271ead64cd23a1a7a928172d8c258c8f48290d9097050defaf873bde60570d5465ab341045266d

  • SSDEEP

    3072:+D4beJt/UAKF4ba3Hwi573QVx78b4Mt2rXH4Mzm:+D4+t/Uia3H153KK2EMS

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Modifies file permissions 1 TTPs 5 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies registry class 1 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\621cfb12233c7432f6881347bded5a57_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\621cfb12233c7432f6881347bded5a57_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Modifies registry class
    • NTFS ADS
    • Suspicious use of WriteProcessMemory
    PID:4012
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c icacls "C:\Users\Admin\{6YLZ2ZLU-VLI2-4HJW-T4GZ-TSQ0KN56VNSJ}" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)" "*S-1-5-7:(R,REA,RA,RD)"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1396
      • C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Users\Admin\{6YLZ2ZLU-VLI2-4HJW-T4GZ-TSQ0KN56VNSJ}" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)" "*S-1-5-7:(R,REA,RA,RD)"
        3⤵
        • Modifies file permissions
        PID:392
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c icacls "C:\Users\Admin\{6YLZ2ZLU-VLI2-4HJW-T4GZ-TSQ0KN56VNSJ}" /inheritance:e /deny "SYSTEM:(R,REA,RA,RD)"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1392
      • C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Users\Admin\{6YLZ2ZLU-VLI2-4HJW-T4GZ-TSQ0KN56VNSJ}" /inheritance:e /deny "SYSTEM:(R,REA,RA,RD)"
        3⤵
        • Modifies file permissions
        PID:3840
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c icacls "C:\Users\Admin\{6YLZ2ZLU-VLI2-4HJW-T4GZ-TSQ0KN56VNSJ}" /inheritance:e /deny "Administrators:(R,REA,RA,RD)"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4960
      • C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Users\Admin\{6YLZ2ZLU-VLI2-4HJW-T4GZ-TSQ0KN56VNSJ}" /inheritance:e /deny "Administrators:(R,REA,RA,RD)"
        3⤵
        • Modifies file permissions
        PID:2572
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c icacls "C:\Users\Admin\{6YLZ2ZLU-VLI2-4HJW-T4GZ-TSQ0KN56VNSJ}" /inheritance:e /deny "Users:(R,REA,RA,RD)"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3156
      • C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Users\Admin\{6YLZ2ZLU-VLI2-4HJW-T4GZ-TSQ0KN56VNSJ}" /inheritance:e /deny "Users:(R,REA,RA,RD)"
        3⤵
        • Modifies file permissions
        PID:2164
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c icacls "C:\Users\Admin\{6YLZ2ZLU-VLI2-4HJW-T4GZ-TSQ0KN56VNSJ}" /inheritance:e /deny "Admin:(R,REA,RA,RD)"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3696
      • C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Users\Admin\{6YLZ2ZLU-VLI2-4HJW-T4GZ-TSQ0KN56VNSJ}" /inheritance:e /deny "Admin:(R,REA,RA,RD)"
        3⤵
        • Modifies file permissions
        PID:2364
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /tn {JBOWUEMU-JZYP-9UVS-9IWT-96YNEWJCNHMB} /tr C:\Users\Admin\{6YLZ2ZLU-VLI2-4HJW-T4GZ-TSQ0KN56VNSJ}\UORT.exe /ri 10 /st 00:00 /sc daily /du 9999:59 /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2428
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /tn {JBOWUEMU-JZYP-9UVS-9IWT-96YNEWJCNHMB} /tr C:\Users\Admin\{6YLZ2ZLU-VLI2-4HJW-T4GZ-TSQ0KN56VNSJ}\UORT.exe /ri 10 /st 00:00 /sc daily /du 9999:59 /f
        3⤵
        • Creates scheduled task(s)
        PID:3144
    • C:\Users\Admin\{6YLZ2ZLU-VLI2-4HJW-T4GZ-TSQ0KN56VNSJ}\UORT.exe
      "C:\Users\Admin\{6YLZ2ZLU-VLI2-4HJW-T4GZ-TSQ0KN56VNSJ}\UORT.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1912
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\System32\netsh.exe"
        3⤵
          PID:2284
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 2284 -s 1312
            4⤵
            • Program crash
            PID:4248
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2284 -ip 2284
      1⤵
        PID:1664

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Roaming\19041.1.x86fre.vb_release.191206-1406_x86W.dll

        Filesize

        140B

        MD5

        04e4a645391568371f1bbca9f621d8c2

        SHA1

        420218aeedaeff14c1b252c014db1a020de9f034

        SHA256

        2fe21efb5c08b860735926191ed65efc3b7f65ac07dbe4c3ce452c34bd0348d7

        SHA512

        5c625d8ea46f3b6b54ae185da254203245c17e6f3070978a0aa24e92ce48b49d5882ecb955ef2fdd14f782891bb378261495cf73dfd261b31a2f4462426917ff

      • C:\Users\Admin\{6YLZ2ZLU-VLI2-4HJW-T4GZ-TSQ0KN56VNSJ}\UORT.exe

        Filesize

        132KB

        MD5

        621cfb12233c7432f6881347bded5a57

        SHA1

        ab871369a1d336031620c6938d87a9ef69ee03ba

        SHA256

        07b22a0e85c4f95916a66a6f603adbfd5f152fa2dcaf19603fb95e0dafcc099c

        SHA512

        c5e365b035ca4dbfe98b2d483dd398c247e688155ca272fcd8271ead64cd23a1a7a928172d8c258c8f48290d9097050defaf873bde60570d5465ab341045266d

      • memory/2284-37-0x0000000000400000-0x0000000000425000-memory.dmp

        Filesize

        148KB

      • memory/2284-38-0x0000000000400000-0x0000000000425000-memory.dmp

        Filesize

        148KB

      • memory/2284-39-0x0000000000400000-0x0000000000425000-memory.dmp

        Filesize

        148KB

      • memory/2284-42-0x0000000000400000-0x0000000000425000-memory.dmp

        Filesize

        148KB