Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    143s
  • max time network
    133s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27/06/2024, 04:02

General

  • Target

    149c09929cb0db3cc3a58f1501a3c9e7_JaffaCakes118.exe

  • Size

    422KB

  • MD5

    149c09929cb0db3cc3a58f1501a3c9e7

  • SHA1

    54529f323a5127c675e56fd9f1a22b3d0254eaed

  • SHA256

    7ccea256efc12bb1bdf6bfc282840b8722a4f621ee9649a43f93bcbf6a937746

  • SHA512

    36eb5950e45e48d471bbb45335099451fdef3cd40934dbe79a935ad71230a210389935886bc99380d4d575985e7eedf5d5194fb413fa27e788fb27f148495738

  • SSDEEP

    12288:n5lVkUbZIRQm2N43IEvK+S2f7W8fNUr6:n3VkUWR52Yv22f7WSNUr

Score
8/10

Malware Config

Signatures

  • Disables Task Manager via registry modification
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 39 IoCs
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs
  • System policy modification 1 TTPs 2 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3468
      • C:\Users\Admin\AppData\Local\Temp\149c09929cb0db3cc3a58f1501a3c9e7_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\149c09929cb0db3cc3a58f1501a3c9e7_JaffaCakes118.exe"
        2⤵
        • Checks computer location settings
        • Modifies registry class
        • Suspicious behavior: RenamesItself
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:1664
        • C:\Users\Admin\AppData\Local\Temp\AUTMGR32.EXE
          "C:\Users\Admin\AppData\Local\Temp\AUTMGR32.EXE"
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:4440

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\AUTMGR32.EXE

      Filesize

      422KB

      MD5

      149c09929cb0db3cc3a58f1501a3c9e7

      SHA1

      54529f323a5127c675e56fd9f1a22b3d0254eaed

      SHA256

      7ccea256efc12bb1bdf6bfc282840b8722a4f621ee9649a43f93bcbf6a937746

      SHA512

      36eb5950e45e48d471bbb45335099451fdef3cd40934dbe79a935ad71230a210389935886bc99380d4d575985e7eedf5d5194fb413fa27e788fb27f148495738

    • C:\Users\Admin\AppData\Local\Temp\mschrt20ex.dll

      Filesize

      323KB

      MD5

      99e35419b3bdb25033888c6edf8eb1ec

      SHA1

      ea8cd2af81d02954deda773f0f1c1fd6d24d5908

      SHA256

      d0cd588a0475791947fb728c94d25a6c9e5ffb14d08959611c4dd4d118a8a266

      SHA512

      14f7adc1891c2d914e65da0fefeac5d1223304409b076d00869b068674104b0b03083a11742851739be559f0e6c9e09effe99cbcd2a1ae6936897506cf52e16f

    • memory/1664-0-0x0000000000400000-0x000000000046FC00-memory.dmp

      Filesize

      447KB

    • memory/1664-11-0x0000000000400000-0x000000000046FC00-memory.dmp

      Filesize

      447KB