Analysis

  • max time kernel
    140s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04/06/2024, 21:19

General

  • Target

    964be19e477b57d85aceb7648e2c105d_JaffaCakes118.exe

  • Size

    748KB

  • MD5

    964be19e477b57d85aceb7648e2c105d

  • SHA1

    6c8ab56853218f28ac11c16b050ad589ea14bafe

  • SHA256

    9843ceaca2b9173d3a1f9b24ba85180a40884dbf78dd7298b0c57008fa36e33d

  • SHA512

    60379f9bf7f4e59f81f95898d1b0c10ea82abd306dbdf4dfef921e873bf4c3d2c4914d498efa16d60c52171a1802099c3c61289a12c64f13ea9457cd807ce4ca

  • SSDEEP

    12288:0EI6h2sJXCB1joFX4HcTHQPviK5qXOlL29huNghWdLzqCTz0MDNhmku02k//m1:0EPXCzoXPQR5qXfDsghWxnTz0eNhFn2c

Score
8/10

Malware Config

Signatures

  • Sets DLL path for service in the registry 2 TTPs 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Drops file in Windows directory 4 IoCs
  • Modifies registry class 8 IoCs
  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 38 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\964be19e477b57d85aceb7648e2c105d_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\964be19e477b57d85aceb7648e2c105d_JaffaCakes118.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2004
    • C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\SysWOW64\rundll32.exe "C:\ProgramData\NetWork\dat.dll" IncrementPageCount [303]
      2⤵
      • Loads dropped DLL
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4564
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\cmd.exe /c C:\Windows\system32\CompMgmtLauncher.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3152
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Windows\system32\CompMgmtLauncher.exe
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:672
          • C:\Windows\system32\CompMgmtLauncher.exe
            C:\Windows\system32\CompMgmtLauncher.exe
            5⤵
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:3080
            • C:\Windows\system32\cmd.exe
              "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\wserver.exe
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:4728
              • C:\Users\Admin\AppData\Local\Temp\wserver.exe
                C:\Users\Admin\AppData\Local\Temp\wserver.exe
                7⤵
                • Sets DLL path for service in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:3032
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\writeservice.bat"
                  8⤵
                  • Suspicious use of WriteProcessMemory
                  PID:1740
                  • C:\Windows\SysWOW64\PING.EXE
                    ping 127.0.0.1
                    9⤵
                    • Runs ping.exe
                    PID:3468
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\delself.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4868
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1
        3⤵
        • Runs ping.exe
        PID:1168
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3580
    • C:\Windows\SysWOW64\svchost.exe
      C:\Windows\SysWOW64\svchost.exe Nwsapagent 3580
      2⤵
        PID:4156
    • C:\Windows\SysWOW64\svchost.exe
      C:\Windows\SysWOW64\svchost.exe -k netsvcs
      1⤵
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2416
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\SysWOW64\svchost.exe Nwsapagent 2416
        2⤵
          PID:3260

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\NetWork\dat.dll
    Filesize 212KB
    MD5 fff3c03e6c455eaba70ec816a4439b95
    SHA1 e102a2ff536d2df93ec9c507e52c04bba773b550
    SHA256 9969fc3043ed2917b76b6dbae36bd2e0846b90e9d93df4fc4f490fdf153da435
    SHA512 c07edbc760e769dc0dc6adcd83f2b9b7fa3e845286f19dfbfe8bb8df56bbdbc8b4e5f0e794834d3ecfcf37ea7de8011f86d9153dfec6603f2fa4fc0d5c1414d9

  • C:\ProgramData\NetWork\key.dat
    Filesize 261KB
    MD5 ae755e20cd3a6f2721096736c5c3aed5
    SHA1 53ab54c2c3ea3d6921fa2bf5fde69255dc41fbed
    SHA256 1687af091d38108eeed634c0539b9639c6128aed9588a370f51a957bee534f39
    SHA512 73b68961457b2525a4703ea8486f37d4beabdb4f85c65971cfa953e0a3dd36724811a12a933b291b34f11a5d8b4cb11d4af3747e2506c345ab81bcae3fb8f810

  • C:\ProgramData\resmon.res
    Filesize 2KB
    MD5 12547deaeccf3c2089669889787a3fe8
    SHA1 7ad71ad103d41f596c934c8b7be39561a9f908d9
    SHA256 e935dd62556538f08b020d5b2246702f08fd08880a99704466b9a852c23d073a
    SHA512 a0c416efe352fc704491ea2d82334155b1b79449857baf72edfb8e7a36730b571c17e38f4ac9815a413b2add2dcdcc58ebfe9aa0df51cc18b28c07b93e1f2f9a

  • C:\Users\Admin\AppData\Local\Temp\delself.bat
    Filesize 299B
    MD5 13aaf8bf3813fac2b81c80abf3302911
    SHA1 fd8f5360af4ca87da0f09558b9c09b04adcf6141
    SHA256 5ec581b64d2091415e6e3a6e0bb846e634a7f83918a965ef129dfb97bf210e9f
    SHA512 dab8bd87a22cb4397c0196d05a97783fc7b442faa5d485dbdce0d02f6496a2f3e1147897019f5cfc185f8c0a413a667508ddc6cc02863c65800bf3a201ab6e40

  • C:\Users\Admin\AppData\Local\Temp\writeservice.bat
    Filesize 226B
    MD5 aff6285257f73b114174b04102c04735
    SHA1 9e4a561dd7c8b8161a2720e375fc99ab02fc1b9b
    SHA256 0ce4e59a2763ae7a92bd0e13d8716bf550085f0ac9f4cec0702a9c0ce30c03a3
    SHA512 0c612f4cebcc0c319dc46e31111a78bde9a6a8d6700c6066bec679f8fa1cc813d819b8dc26de7a1f7f6a3407c73999814798c12c2e3507d9350686eeea48fada

  • C:\Users\Admin\AppData\Local\Temp\wserver.exe
    Filesize 36KB
    MD5 18ea3d4c9639a696b96e49f53af2b161
    SHA1 5c1d4af865b4d514340d6a2dbb42523a142ab5d8
    SHA256 690f5bd392269d80061e8e90a9aedac4f9bb2e898db4211b76a6e27a1ed95462
    SHA512 fd6d79a533cb3fe255053e962fac882864be708b19b1c8922652e2bef4eda01ef209220ab06503adbbca047b833fb50ffac8fb66e490ce93e42d34cb9e51a892

  • \??\c:\windows\systemfile.DLL
    Filesize 56KB
    MD5 89de9c0ce214d2e437e2ce6d266ab100
    SHA1 cebabb80844c823df4539f4db29d7bca27e1f50a
    SHA256 7bd1016b5f3a5004166de5cf7f1846024684979de413417d83321c931c1b5929
    SHA512 ed8ad8bb8b4e065fb890acf0dadaa494a2f03b8c76dca17c15141cfa9129fdd63b5f3e099195c806ef37c1f55ff5b8b82728c44b165bc06bdc270e3fdba8eeed

  • memory/2004-4-0x0000000003E30000-0x0000000003E31000-memory.dmp
    Filesize 4KB

  • memory/2004-3-0x0000000002440000-0x0000000002441000-memory.dmp
    Filesize 4KB

  • memory/3260-32-0x0000000000A00000-0x0000000000A1B000-memory.dmp
    Filesize 108KB

  • memory/4156-27-0x0000000001080000-0x000000000109B000-memory.dmp
    Filesize 108KB

  • memory/4564-14-0x0000000002930000-0x0000000002972000-memory.dmp
    Filesize 264KB