Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    141s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27/06/2024, 10:55

General

  • Target

    15bcae517e5be46a385c5c79994c6e6e_JaffaCakes118.exe

  • Size

    197KB

  • MD5

    15bcae517e5be46a385c5c79994c6e6e

  • SHA1

    8d5a3cfa91d82f4f2c71ac7a277d4bb818959560

  • SHA256

    2489d37b356fda9b26a6fe9320e3ef0bec0e657da55fdb2c11d98b3c3e739ec3

  • SHA512

    8abaf8afa0030a44e5568fd0539a558975b1f7d7dbc1309085e20bcb2729e92949892c2d9762d75d013a2869e45f92d5d23e8ddfb7ee00bdb16a24f61e152e53

  • SSDEEP

    6144:8Gjx6PxGvpPkdRpRc6at6oHW9k1UJADkau:8HcvpPkdRpRcNtvzDu

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks for any installed AV software in registry 1 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 3 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\15bcae517e5be46a385c5c79994c6e6e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\15bcae517e5be46a385c5c79994c6e6e_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Checks for any installed AV software in registry
    • Checks whether UAC is enabled
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:620
    • C:\Windows\SysWOW64\cacls.exe
      "C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Admin:F
      2⤵
        PID:1340
      • C:\Windows\SysWOW64\cacls.exe
        "C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Everyone:F
        2⤵
          PID:2956
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /c echo ok
          2⤵
            PID:2844
          • C:\Windows\SysWOW64\cmd.exe
            cmd.exe /c "C:\Windows\system32\com\SMSS.EXE c:\users\admin\appdata\local\temp\15bcae517e5be46a385c5c79994c6e6e_jaffacakes118.exe^|c:\users\admin\appdata\local\temp\15bcae517e5be46a385c5c79994c6e6e_jaffacakes118.exe.log"
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:2536
            • C:\Windows\SysWOW64\com\SMSS.EXE
              C:\Windows\system32\com\SMSS.EXE c:\users\admin\appdata\local\temp\15bcae517e5be46a385c5c79994c6e6e_jaffacakes118.exe|c:\users\admin\appdata\local\temp\15bcae517e5be46a385c5c79994c6e6e_jaffacakes118.exe.log
              3⤵
              • Executes dropped EXE
              PID:4464

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Windows\SysWOW64\Com\SMSS.EXE

          Filesize

          20KB

          MD5

          a4089e292d473cc4bee6499633f75ac1

          SHA1

          e3ba401db3ad5df31eb2df48d539f0ace8bbafe8

          SHA256

          ac95862f70201a84124100958d2dced7d02100b2faef8a3e79fd739209552863

          SHA512

          39381d7e9bf788b7ebe0e6a8311e517abc2b8253d0d51ef6d62b8c213ff87126e00d75bcae06898f36cfa33763bd4aae0839bfb1ac6f69de39cf58ccea33aebf

        • memory/620-0-0x0000000000400000-0x000000000042B000-memory.dmp

          Filesize

          172KB

        • memory/620-8-0x0000000000400000-0x000000000042B000-memory.dmp

          Filesize

          172KB