
Analysis

  • max time kernel: 150s
  • max time network: 151s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240508-en
  • resource tags: arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
  • submitted: 26/06/2024, 19:17

General

  • Target: 131ff135d3cbadbe59f927d662f8dcdc_JaffaCakes118.exe
  • Size: 572KB
  • MD5: 131ff135d3cbadbe59f927d662f8dcdc
  • SHA1: 30e8e955a61cf6f197f1e58ae9e769ffc82279c6
  • SHA256: fbd2e2e9a43788994e7bd9f0f34240668a79c841a8c919ee79b8fcc9fda93dad
  • SHA512: c504a3a66012c9a12cfd86246456e191e81ca912f6f5b80ceb8b8d7e41df19904880869a0a7d1da73cfa71ba96d8088a885d10c184efa5a24248d87015066448
  • SSDEEP: 12288:D2iwn/ND7S3xI66S/H3UyKxWn2hJ+MRmhhh:D213Sed0Xjh

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 4 IoCs
  • UAC bypass 3 TTPs 13 IoCs
  • Adds policy Run key to start application 2 TTPs 29 IoCs
  • Disables RegEdit via registry modification 6 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 64 IoCs
  • Checks whether UAC is enabled 1 TTPs 8 IoCs
  • Looks up external IP address via web service 9 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops autorun.inf file 1 TTPs 4 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 32 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 32 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • System policy modification 1 TTPs 41 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\131ff135d3cbadbe59f927d662f8dcdc_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\131ff135d3cbadbe59f927d662f8dcdc_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3464
    • C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe
      "C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe" "c:\users\admin\appdata\local\temp\131ff135d3cbadbe59f927d662f8dcdc_jaffacakes118.exe*"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Disables RegEdit via registry modification
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1792
      • C:\Users\Admin\AppData\Local\Temp\vjioylo.exe
        "C:\Users\Admin\AppData\Local\Temp\vjioylo.exe" "-C:\Users\Admin\AppData\Local\Temp\urzohdpduirlnhhy.exe"
        3⤵
        • Modifies WinLogon for persistence
        • UAC bypass
        • Adds policy Run key to start application
        • Disables RegEdit via registry modification
        • Executes dropped EXE
        • Impair Defenses: Safe Mode Boot
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Drops autorun.inf file
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • System policy modification
        PID:3496
      • C:\Users\Admin\AppData\Local\Temp\vjioylo.exe
        "C:\Users\Admin\AppData\Local\Temp\vjioylo.exe" "-C:\Users\Admin\AppData\Local\Temp\urzohdpduirlnhhy.exe"
        3⤵
        • Modifies WinLogon for persistence
        • UAC bypass
        • Adds policy Run key to start application
        • Disables RegEdit via registry modification
        • Executes dropped EXE
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System policy modification
        PID:3080
    • C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe
      "C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe" "c:\users\admin\appdata\local\temp\131ff135d3cbadbe59f927d662f8dcdc_jaffacakes118.exe"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System policy modification
      PID:4560

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Program Files (x86)\hrmoudcdhielahuytjjtoqwfe.jkg
    Filesize: 280B
    MD5: 74a20c46b346f1c4548fa06a8a8b5f38
    SHA1: 5b0a674a7072d18e6cefb5f4c6bc34487509e560
    SHA256: 91291fc31bdb3ef362cadb5ebf1c8bd8fb44bd95b2a86de21e27156d2fbf5742
    SHA512: ad45c60195d7697c4aae12e75b066d0421fb30dda161c6820bdff4b0e24e79ac7af4532aba3fc350229ee55fda00fd896b13b2278845ded6df7dbd0bddd47b5a

  • C:\Program Files (x86)\hrmoudcdhielahuytjjtoqwfe.jkg
    Filesize: 280B
    MD5: 8081c05b7cc4ffb8ec3806b806b3d2a6
    SHA1: 3c316273bc6641f020ad60f394c4379228dbd31b
    SHA256: 8701d0d07fe10c37f379eaf019280f4b0e35255cf3071a935866d7921c8041f8
    SHA512: 70bbafc7a76e2fcb8c401f43b9376d4b48e50f19cb54c9bfe914a40a1e50ec93ba7f067f401ae95b27b5bf33aab34ad7218941a1c459c8dadd618c6e30f22dc7

  • C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe
    Filesize: 320KB
    MD5: 915dd43f473ac655dd4e7ebe75cc2d68
    SHA1: 037c49c1ce90c9db0895985286b9edc59f60646c
    SHA256: 129e8fbc49b267ee3f1190b4f02fde33949363986ff50f7efa403c40daf16645
    SHA512: 51196244ac9ec5715d71447b8137ae1b9e921382aa5fa39d30a2d8dc81fc68ea5442731a25f8014d94daf774db9c9397836b67ff6225336a2fa144c653045260

  • C:\Users\Admin\AppData\Local\Temp\vjioylo.exe
    Filesize: 704KB
    MD5: 5c1a5a0dc1b7b29dd20ce0851af0a820
    SHA1: dd2ef956742ceae35711c84973c1d3b7b2f927df
    SHA256: d0b3f62b886e7475ded0b874d81f5ba25595ad88756f7317762020714df36963
    SHA512: 38e63837c053a7947b28d8e58e7ca6846fba61676197bfeb13a9fbb4f7da2226d9a89294fc916122359e948d6efdf3bc418e579c141bcac2ea74eee9fd295e2e

  • C:\Users\Admin\AppData\Local\hrmoudcdhielahuytjjtoqwfe.jkg
    Filesize: 280B
    MD5: 5d6ce8eb3ff4aca2a289ca9784d6c3c6
    SHA1: f916e61b84a7e50b7b56eeb66aa28971007d3191
    SHA256: eb31a484172b19ee36b7d44999bf0601da5d25125be7443c7ea010b188d3ffba
    SHA512: 07fd5edecb25b175fff5d9a813e5d4fb80d4b6c165f8ec5eaf36247dc30c5c95a54b9663c47aa0042f87f6cea98ef0fd85ddc5f24d1c04c9e7c94dca81748ff2

  • C:\Users\Admin\AppData\Local\hrmoudcdhielahuytjjtoqwfe.jkg
    Filesize: 280B
    MD5: 9c47e3d80e531d3e277355ac9d68cd9b
    SHA1: 6b585e60c792f3320649e1fb827196343b7cf53e
    SHA256: 286c36d873f9f9e18efcc37bf0177176aa560bc4ed3c079e3ac78166d711daa9
    SHA512: f505ec195736b040d242cef9ac6bca20ee179a2dc4a07d5d817d8d08adfae273871e0cbbaf23dcbf5b7f28e5d988f8dbcb1971b24c1d4a6dff536815d5677343

  • C:\Users\Admin\AppData\Local\mhnarlvhwiphhzxmstezfsjdnzoahzzrpekl.rxk
    Filesize: 4KB
    MD5: 2461db9bea8f88ef430ec74fb4cf7f41
    SHA1: 5eb8ada2591152a82631e47d90d01002d869ca3c
    SHA256: b0ee3ec168fd1952c7bca2894b87f7a732fa2fadbe9fdd40fcc857829234eb21
    SHA512: 3be4c2f3bfc8c25f20bebf5951cda939695106e2f5491584a45e06503f8dc2d2401d6bb5ad21debefed4f50cfe21dbdb745eab53462712266ca991c967e56612

  • C:\Windows\SysWOW64\kjtkfdrhaqbxbxzsch.exe
    Filesize: 572KB
    MD5: 131ff135d3cbadbe59f927d662f8dcdc
    SHA1: 30e8e955a61cf6f197f1e58ae9e769ffc82279c6
    SHA256: fbd2e2e9a43788994e7bd9f0f34240668a79c841a8c919ee79b8fcc9fda93dad
    SHA512: c504a3a66012c9a12cfd86246456e191e81ca912f6f5b80ceb8b8d7e41df19904880869a0a7d1da73cfa71ba96d8088a885d10c184efa5a24248d87015066448