Analysis

  • max time kernel: 125s
  • max time network: 126s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240508-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 20/06/2024, 09:57

General

  • Target: 04f28f8bc08ee9a07052713b813e5ea4_JaffaCakes118.exe
  • Size: 15KB
  • MD5: 04f28f8bc08ee9a07052713b813e5ea4
  • SHA1: ffb811af29ced07121e8985481e39fa650979b9d
  • SHA256: 46bb10b0974c71eed792c5fb84e67a7011427b5814cef38e1665de1e7842cbf3
  • SHA512: 217997494edc392ed7ab751a7b2f26063a8efc3c17f112bc7f32ca91aa511dfe9b52ef8dbae25943713be89609d20b4b03a42e04cf0b04053b07f03ef9fa2a42
  • SSDEEP: 384:1Bo/tghaQ3NDoPYGWt7sAQuvKWuAVFYlGf80B:1BmtgDqfWtsA9oAeu

Score
10/10

Malware Config

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 3 IoCs
  • Modifies registry class 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\04f28f8bc08ee9a07052713b813e5ea4_JaffaCakes118.exe (PID 4372, depth 1)
    Command line: "C:\Users\Admin\AppData\Local\Temp\04f28f8bc08ee9a07052713b813e5ea4_JaffaCakes118.exe"
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Loads dropped DLL
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • C:\Windows\SysWOW64\cmd.exe (PID 3448, depth 2)
      Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\67EC.tmp.bat
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4412, depth 1)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3772,i,14486271492189381216,15799931579469722648,262144 --variations-seed-version --mojo-platform-channel-handle=4116 /prefetch:8

Downloads

  • C:\Users\Admin\AppData\Local\Temp\67EC.tmp.bat
    Filesize: 207B
    MD5: 35b0143c95bf3f17c181a8869be10198
    SHA1: 23b929a2ecb8fd8e7e7979ad5ddb7f769445a185
    SHA256: a9612c3432db166c5fb2a53e30ac5205223b19a3fca790e87f0cac52415b7a99
    SHA512: d96346333021e6a5cec1770f29de67bcd9c38fa5e87fb47b3f9ce23910dbf9f29287cec2ec3bff79b4488a423514850e12e3b82cf7af0d71f55f1a232eaae8d6

  • C:\Windows\SysWOW64\lweurqhx.nls
    Filesize: 428B
    MD5: cf948e1aff20b24cf98392d3cf768762
    SHA1: 61d9942dab590f5184ef8291178366a305be72b4
    SHA256: f58dd2d67d97f26968b8d9c24c2f616d8d5d69840443e87e715a700be7ef3d33
    SHA512: 94ef3b727fc9145019dca7da4639e909d250199b89f7535b481e5a059676762f211485b2bd6b823da3c3b7d55cd5e18cd10627878b6e77e860bcb73d0aae68f4

  • C:\Windows\SysWOW64\lweurqhx.tmp
    Filesize: 687KB
    MD5: f742f9a61fde96c0709274b1a27e1e05
    SHA1: eb0e7b4e1d5936bacc35848e1341fbbc1f4d4675
    SHA256: ab6af2af54d2456c933401ea30a204bc1a32811986f45bff7d4fb5deddb93119
    SHA512: 4cc5b530a6b53b3a3fbcf8dbcdc054762a8a22937fa016a5d121c04dcf46eb2c34544a6714dbe3d5203a7ae7680d8406223a30ec4f439804f9ef4c4bf428b99a

  • memory/4372-17-0x0000000020000000-0x0000000020009000-memory.dmp
    Filesize: 36KB

  • memory/4372-21-0x0000000020000000-0x0000000020009000-memory.dmp
    Filesize: 36KB