Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    142s
  • max time network
    93s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28/06/2024, 05:48

General

  • Target

    1902d2fb07fd303208824e070a491a14_JaffaCakes118.exe

  • Size

    1.0MB

  • MD5

    1902d2fb07fd303208824e070a491a14

  • SHA1

    c8d4f562bb1441188a33401c736e95c87d9fae8f

  • SHA256

    05d4d6d0f15dec78b1b4a418b8081b720245dd92f09fb32f4f69c6af9d39a8df

  • SHA512

    0a21e11de4c87b814f8817338c272ca33b51c7d9472d6bf849a9dec423eb4738eb2fd26c59f918e72f898d71c5c7383e8829391dcd2931f511e0cb16ed64200b

  • SSDEEP

    24576:w/Af7uuZB2MiMKLv7kLxOPdERHrqPiBfhcvLMc2h:w4CuZhiv6gP8H+4c2h

Score
7/10
upx

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1902d2fb07fd303208824e070a491a14_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\1902d2fb07fd303208824e070a491a14_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4256
    • C:\Users\Admin\AppData\Roaming\defender.exe
      "C:\Users\Admin\AppData\Roaming\defender.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:4160
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4160 -s 588
        3⤵
        • Program crash
        PID:1952
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4160 -s 588
        3⤵
        • Program crash
        PID:4100
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4160 -ip 4160
    1⤵
      PID:1776
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4160 -ip 4160
      1⤵
        PID:1912

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Roaming\defender.exe

        Filesize

        928KB

        MD5

        aa22e20b540eb40879f1749c3c36ee0f

        SHA1

        20aecb3226fc7dc485e86364b79b6fd4fc32b6a8

        SHA256

        c50aad64113a8b46b780ed4c8b10ead9eee0fbf7bb76caa6f8de3ca9cda6f389

        SHA512

        a53c9864f096b742556cd54c5f8f4824054f8139ee9e63d0b7b0afce612e9548da742eed355adfc27a6419912fa0e3e34297a395810d899fd5a398a7348f965c

      • memory/4160-23-0x0000000002EA0000-0x0000000002F83000-memory.dmp

        Filesize

        908KB

      • memory/4160-25-0x0000000000400000-0x0000000000A6C000-memory.dmp

        Filesize

        6.4MB

      • memory/4160-27-0x0000000000400000-0x0000000000A6C000-memory.dmp

        Filesize

        6.4MB

      • memory/4160-26-0x0000000000400000-0x00000000011C1000-memory.dmp

        Filesize

        13.8MB

      • memory/4256-28-0x0000000000400000-0x0000000000425000-memory.dmp

        Filesize

        148KB