Analysis

  • max time kernel
    142s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23/06/2024, 23:00

General

  • Target

    0394186c7c72386cbdb20492e62c6500_JaffaCakes118.exe

  • Size

    702KB

  • MD5

    0394186c7c72386cbdb20492e62c6500

  • SHA1

    6bfa90ecbc280224c3fb49e90e04b1d4b055fe27

  • SHA256

    9a64117f2e2c9485cd3ed8ecb656b2f6953dad5da3120c72a75b6f47e0ed9582

  • SHA512

    e36519d8984e8b5e4699fee127582853e9ab11e0d169421f64cfcc9945569892246255afc78ef1431eb1498f0be79542ae96dbad9c6dad63afffcd11cde69117

  • SSDEEP

    12288:GDQAF1KvlY3wFUHrjLGawM29tyDnJYJpYxTCCzOdFZ7miHGj8/SGl:GDQg1Kv6KUj8GnJKMCDv5miHjSI

Score
7/10 (behaviour-based heuristic score; no malware-family configuration was extracted, see Malware Config)

Malware Config

Signatures

  • Executes dropped EXE (1 IoC)
  • Loads dropped DLL (1 IoC)
  • Drops file in System32 directory (28 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of SetWindowsHookEx (1 IoC)
  • Suspicious use of WriteProcessMemory (3 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\0394186c7c72386cbdb20492e62c6500_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0394186c7c72386cbdb20492e62c6500_JaffaCakes118.exe"
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:2620
    • C:\Windows\SysWOW64\EPSTP32U.EXE
      "C:\Windows\system32\EPSTP32U.EXE" /y:"C:\Users\Admin\AppData\Local\Temp\0394186c7c72386cbdb20492e62c6500_JaffaCakes118.exe"
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:2484
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1324 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:8
    PID:1852
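    The tree above shows the usual dropper-then-execute shape: the sample runs out of %TEMP%, writes EPSTP32U.EXE into the system directory and launches it, passing its own path back in the /y: argument. Two details matter when turning this into a detection. First, the child's image path is C:\Windows\SysWOW64\ while its command line says C:\Windows\system32\: the sample is 32-bit (the arch:x86 resource tag), so WOW64 file-system redirection maps its system32 writes to SysWOW64, and a rule that matches only the literal string "system32" misses the file that actually landed on disk. Second, the msedge utility process is a top-level process with no signatures attached and serves as a negative case. The script below is an added example written for this page, not tria.ge code: the process records are constructed from the tree as printed (PIDs, image paths and command lines as shown; parent PIDs inferred from the nesting, 0 where the parent is not in the report; the msedge command line shortened to its first two flags), and the directory lists are assumptions a real rule would tune.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    # One process-creation record, reduced to the fields the rules below need.
    pid: int
    ppid: int
    image: str
    command_line: str


# Constructed input: the three processes from the report's tree. Parent PIDs are inferred
# from the nesting (0 = parent not in the report); the msedge command line is shortened.
EVENTS = [
    ProcessEvent(
        2620, 0,
        r"C:\Users\Admin\AppData\Local\Temp\0394186c7c72386cbdb20492e62c6500_JaffaCakes118.exe",
        r'"C:\Users\Admin\AppData\Local\Temp\0394186c7c72386cbdb20492e62c6500_JaffaCakes118.exe"',
    ),
    ProcessEvent(
        2484, 2620,
        r"C:\Windows\SysWOW64\EPSTP32U.EXE",
        r'"C:\Windows\system32\EPSTP32U.EXE" /y:"C:\Users\Admin\AppData\Local\Temp\0394186c7c72386cbdb20492e62c6500_JaffaCakes118.exe"',
    ),
    ProcessEvent(
        1852, 0,
        r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
        r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService',
    ),
]

# Assumed list of directories a user can write to without elevation (tune per environment).
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\users\\public\\")


def normalize_sysdir(path: str) -> str:
    # Collapse System32 and SysWOW64 to one token. A 32-bit process on x64 Windows that
    # opens ...\Windows\system32\... is redirected by WOW64 to ...\Windows\SysWOW64\...,
    # which is why the report shows one spelling in the image path and the other in the
    # command line. Matching on a single spelling misses half the cases.
    return re.sub(r"\\windows\\(system32|syswow64)\\", r"\\windows\\<sysdir>\\", path.lower())


def in_system_dir(path: str) -> bool:
    return "\\windows\\<sysdir>\\" in normalize_sysdir(path)


def in_user_writable(path: str) -> bool:
    p = path.lower()
    return any(prefix in p for prefix in USER_WRITABLE)


def detect(events):
    # Return (pid, rule) hits for every child whose parent is present in the batch.
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue  # top-level process: no parent context to judge
        # Rule 1: a binary in the system directory launched by a process that itself runs
        # out of a user-writable staging directory (the drop-then-execute pattern).
        if in_system_dir(e.image) and in_user_writable(parent.image):
            hits.append((e.pid, "system-dir binary spawned from user-writable dir"))
        # Rule 2: the child's command line names the parent's own image (the /y: argument).
        if parent.image.lower() in e.command_line.lower():
            hits.append((e.pid, "child command line references parent image"))
    return hits


if __name__ == "__main__":
    for pid, rule in detect(EVENTS):
        print(pid, rule)
```

Run against the constructed events, both rules fire on PID 2484 only; the top-level sample and the msedge process produce no hits because neither has a parent in the batch. Rule 2 is the more specific of the two here, since passing the dropper's own path to the dropped binary is what the report actually shows.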

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\ProgramData\Microsoft\Windows\Templates\EPSTPLOG.TXT

      Filesize

      3KB

      MD5

      a7edd7812ddc40ae1c213def66681225

      SHA1

      5ddc1a9a906d18de27eba55668ffdc093e16a46a

      SHA256

      571a8ffe328949e50dde72e5d638a62311822f962daf112ed5c5e91b48fcb5bb

      SHA512

      4e142f04773f8d90019975bab973760bd72f9b194ed0b809309651bb5742e0c3ac2acef93c66400d4c81688ee104d6ce3d2f1197a8badaa11ce19fc27655767c

    • C:\ProgramData\Microsoft\Windows\Templates\EPSTPLOG.TXT

      Filesize

      689B

      MD5

      c88c46d0516acbdc0ac5fa1d38717904

      SHA1

      4aa10e407705cf842af426aa42959f17fdf95c6f

      SHA256

      10745d7066d0881519112ecf4f743b6e9ffbd2ef50f69813bfe993929e1fb24a

      SHA512

      db36705b490e073856aa345a7cce257a3b1cb69027ccf824bdb5083685c765837b7514549d2c153183a7849d3416dd091d9b46d2a0a0553b8875df7ac7613cf9

    • C:\ProgramData\Microsoft\Windows\Templates\EPSTPLOG.TXT

      Filesize

      2KB

      MD5

      baae8837643a6776be1bb8ffecd78492

      SHA1

      06ca67a366da52f2be5a9dc1363a4c2c4d4b92b9

      SHA256

      a58d16b690edddfbb37cc1fd7683677619e4439c7e278878412235a3a31b3d62

      SHA512

      a07847c2d45de1e73f1d777923433341d3f51220164bb41b93f495e3976316681552bc1d128cee1451f64648465e69b9b484d04d881a4bc6e539fb99b5e69790

    • C:\Windows\SysWOW64\EPINSTU.EXE

      Filesize

      112KB

      MD5

      5df3b7a6b6f83861d41c847037c93118

      SHA1

      59705676710abefebec2bb6871a17ff05cf6702a

      SHA256

      411c8491eb1920e10e2c82d42144b69936a68d7e855b9bd81b70972ffac329f3

      SHA512

      82dec648b4b8e7e58e98c8516428cedd6fba7b779a265982e1ed5edd172cdae3c908887cfa23132ffe4c1d9ea1a3dd805f7a3183a06000752f0263fefee725fe

    • C:\Windows\SysWOW64\EPPRTDRV.CAB

      Filesize

      309KB

      MD5

      67a0b01c451056770898457eea2aad4e

      SHA1

      bbd62df0c276e335f241327283319406bca76165

      SHA256

      7263dbaee78e58c52bcecfb8575b56d3b8419b8ff840a5321c28ef8f05277ecb

      SHA512

      09a8ea990e42739bf777510efea580571156a613b1ab2e9b61e0c9831c366deede54e1edb37dae0d92960a9cec2629fec00d8387510f627ac4b799d4023be606

    • C:\Windows\SysWOW64\EPSETUP.CAB

      Filesize

      439KB

      MD5

      45699880ea5657b5b059421ebcfe1e9b

      SHA1

      483336527eb55fd6ec4799c0aa6ee64680546684

      SHA256

      61dae9e0810490e1e40571f47143b000b99199828f9282f672bbce72c4e35a91

      SHA512

      de291d917b2e66c3773c62df03631f7db6574cf1d0ab439484296a77c904bdff2e5a55636155667e144857a5be705c0c63910bfb35a7344c5842179fd4ab5190

    • C:\Windows\SysWOW64\EPSPTDVE.EXE

      Filesize

      404KB

      MD5

      9b4553d9f3cfe7b996599a4d1e3266c4

      SHA1

      f3e4fed90f1d3839ca356103e23eb134cc44aae0

      SHA256

      d228107a2ea127e6c5a941c7e95018de142481a38def891b4670d831f4fcde28

      SHA512

      6d97b15fc6be882b07c48bab71ef0333cd1e1dac85155de4cf8d85facd70be76fd8009c3b4737b56ef52bacebc4642ca16fb91a6df9a2fad9aa9ea660f5b43ce

    • C:\Windows\SysWOW64\EPSTP32U.EXE

      Filesize

      888KB

      MD5

      eac0e672b5bd7ccbe55f8d38ab868453

      SHA1

      79e433f17b9e0662d36198887f370bee62559e47

      SHA256

      a5cb81fb252798c4090f46ffb040b223cd9dbf7b666c6979f7646869d1edf34c

      SHA512

      587ff1522b22eb12b32aa76bbe2746cc2c1b5651f812b8af60f1a089411987f95849c2e4e0061ba98c1c191bdbc1b41f7b89f4fb7406c2e20a01d2b7ace21c5b

    • C:\Windows\SysWOW64\eps_icon.avi

      Filesize

      8KB

      MD5

      67ebc1d5e2bab0c2d85406eb19cc85dd

      SHA1

      a6bae9685e79c77e7a9908ce053fe498fb2a6be3

      SHA256

      8eddab93591333f7e58e5d4e5597c12fbe220095b4ecfc6e4a5a591a464e7ac8

      SHA512

      6690ed68852272826d09544ea4716120fc117a560ce66a67e012f49a72e04706fc24129b10651404ba3f3cd118b74eeb1123a655856ab17bbaa4b2f585f47600

    • C:\Windows\SysWOW64\epsmtl32.dll

      Filesize

      436KB

      MD5

      74137d804726fedc903657e6865b7d54

      SHA1

      270316a43a5e4c2f725c3fd33acd8e762ce4d825

      SHA256

      3c1a632eed70e14225c2e96516f6d9201fd5da06a9fc8688a2aeb68e2ca09bef

      SHA512

      cf636a274fe8eb62345cfaf98038367be4a4111b8a9891abd90cc5b4c2e3889e650481639de9f11b3affe3db117b014876c7c5026989d592b4f8a8c0227c66bf

    • memory/2620-0-0x0000000000400000-0x00000000004B1000-memory.dmp

      Filesize

      708KB

    • memory/2620-152-0x0000000000400000-0x00000000004B1000-memory.dmp

      Filesize

      708KB
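    Two things about the Downloads list above are easy to get wrong when lifting it into an IoC set. The path C:\ProgramData\Microsoft\Windows\Templates\EPSTPLOG.TXT appears three times with three different hash sets: these are successive captures of the same log file as the installer appended to it, so indicators must be keyed by hash, never by path. And every "Drops file in System32 directory" hit actually lands under C:\Windows\SysWOW64\ on disk, for the WOW64 redirection reason noted under the process tree. The parser below is an added example written for this page, not tria.ge tooling: it reads the report's own bullet / label / value layout into records, checks that each hash field is well-formed hex of the right length, groups SHA256 values per path so the repeated log file shows up as several versions, and lists the executables written under the system directory. The sample input is three entries copied from the section above (blank lines between label and value dropped; the parser skips blanks either way).

```python
import re
from collections import defaultdict

# Constructed input: three entries copied from the report's Downloads section in the
# page's bullet / label / value layout. The two EPSTPLOG.TXT entries share a path but
# not content; the second deliberately has no SHA1 line to show optional fields work.
SAMPLE_DOWNLOADS = r"""
    • C:\ProgramData\Microsoft\Windows\Templates\EPSTPLOG.TXT
      Filesize
      3KB
      MD5
      a7edd7812ddc40ae1c213def66681225
      SHA1
      5ddc1a9a906d18de27eba55668ffdc093e16a46a
      SHA256
      571a8ffe328949e50dde72e5d638a62311822f962daf112ed5c5e91b48fcb5bb

    • C:\ProgramData\Microsoft\Windows\Templates\EPSTPLOG.TXT
      Filesize
      689B
      MD5
      c88c46d0516acbdc0ac5fa1d38717904
      SHA256
      10745d7066d0881519112ecf4f743b6e9ffbd2ef50f69813bfe993929e1fb24a

    • C:\Windows\SysWOW64\EPSTP32U.EXE
      Filesize
      888KB
      MD5
      eac0e672b5bd7ccbe55f8d38ab868453
      SHA1
      79e433f17b9e0662d36198887f370bee62559e47
      SHA256
      a5cb81fb252798c4090f46ffb040b223cd9dbf7b666c6979f7646869d1edf34c
"""

LABELS = ("Filesize", "MD5", "SHA1", "SHA256", "SHA512")
HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}


def parse_downloads(text: str):
    # Turn the Downloads block into a list of dicts: {"path": ..., "filesize": ..., "md5": ...}.
    records, current, pending = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):          # a bullet opens a new file record
            current = {"path": line[1:].strip()}
            records.append(current)
            pending = None
        elif line in LABELS:              # a label line says what the next line holds
            pending = line.lower()
        elif current is not None and pending is not None:
            current[pending] = line       # the value line for the pending label
            pending = None
    return records


def malformed_hashes(record) -> list:
    # Names of hash fields whose value is not lowercase hex of the expected length.
    bad = []
    for field, length in HEX_LEN.items():
        value = record.get(field)
        if value is not None and not re.fullmatch(rf"[0-9a-f]{{{length}}}", value):
            bad.append(field)
    return bad


def sha256_by_path(records):
    # Group SHA256 values per path; more than one value means the sandbox captured the
    # same file several times (a log being appended to), so pivot on the hashes, not the path.
    groups = defaultdict(set)
    for r in records:
        if "sha256" in r:
            groups[r["path"]].add(r["sha256"])
    return groups


def dropped_system_binaries(records):
    # Executables written under System32 or SysWOW64; both spellings are checked because a
    # 32-bit dropper's "system32" writes land in SysWOW64 on x64 Windows.
    out = []
    for r in records:
        p = r["path"].lower()
        if ("\\windows\\system32\\" in p or "\\windows\\syswow64\\" in p) and p.endswith((".exe", ".dll")):
            out.append(r["path"])
    return out


if __name__ == "__main__":
    recs = parse_downloads(SAMPLE_DOWNLOADS)
    for path, hashes in sha256_by_path(recs).items():
        print(len(hashes), "version(s):", path)
    print("system-dir binaries:", dropped_system_binaries(recs))
```

On the full section this yields three versions of EPSTPLOG.TXT, and the system-directory binaries EPINSTU.EXE, EPSPTDVE.EXE, EPSTP32U.EXE and epsmtl32.dll; the two CAB archives and eps_icon.avi are dropped alongside them but are not themselves executable images.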