Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    134s
  • max time network
    108s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04/07/2024, 01:18

General

  • Target

    2423171cb88f7063942c4d30dd8f76db_JaffaCakes118.exe

  • Size

    208KB

  • MD5

    2423171cb88f7063942c4d30dd8f76db

  • SHA1

    f506f4a108ff0ad25cf4bbd8f4dca01cd84ef675

  • SHA256

    b0385b4e7a5f9723398549305185fb246a13135bfd92574e8fc64b75a11be53a

  • SHA512

    1df92c7f851ad254381006d3239159451a48fec5ba14516692c055e6014db07f172812a53ae3d20943e8b788d693e175808350d265498674d267809ca8a6539e

  • SSDEEP

    1536:PDlTsrr7iKpTdx01CninHK0BtUwQTSO3uhldDNhJahnZfh972/n9KEsquXNangJi:9SK2/0Un0K0BLvO4nDmokSto2

Score
8/10

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Drops file in System32 directory 5 IoCs
  • Drops file in Windows directory 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2423171cb88f7063942c4d30dd8f76db_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\2423171cb88f7063942c4d30dd8f76db_JaffaCakes118.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2060
    • C:\WINDOWS\system\pm.exe
      C:\WINDOWS\system\pm.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3164
    • C:\WINDOWS\system\pt.exe
      C:\WINDOWS\system\pt.exe
      2⤵
      • Drops file in Drivers directory
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4652
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c c:\dele573856.bat
        3⤵
          PID:560

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\System\pm.exe

      Filesize

      168KB

      MD5

      646c4713aa658d4dcc175efd717f71e8

      SHA1

      33aeaf80c541fca2a49883bacc1c0d4ceffe9b0b

      SHA256

      66b832132dd451af542aa875297cd63c7609d6efe2760eea38298e370c94478d

      SHA512

      aab93f9c9009b08a582cc0ccaef623c94a98b83fd2f53aa23f8476ee686bcde1ed49e9e27f7b1d69f3e9f7192ea2453e120991046a567029a9e3980af58cd61d

    • C:\Windows\System\pt.exe

      Filesize

      13KB

      MD5

      90a88f8901863fb5cd511bec0573ea73

      SHA1

      9f613a65246230ffceb9db77165219686d00bb03

      SHA256

      f68b882a136314c5263b7f8b0e348cc00be742273302e315d570bc0389b2b803

      SHA512

      28e3595c295b2a8de2661eaa1de7b4837e5da5ca5ab59c9a16f3527b3e1d8f7af05f069a206275b2bee2ec257f85267232a83023d9ef091a3db2020bc14c7ac1

    • \??\c:\dele573856.bat

      Filesize

      115B

      MD5

      4638ab4058e6ccdd8a7a87fa1a8de930

      SHA1

      b1cd02b98ace9249e32286d25fa72ffc0bae0ba7

      SHA256

      c252fa28eb1efaf195dc2e9d90e0f9ca320a5f4eb63114e07df62992231ec60a

      SHA512

      1b518965c681c983e69c3de9643680521ace5b753233a60f6d2e364357404c4efa9fffad6062630ef3e2b54fd4d4e2f61a9e9681c7707a6e0d871cb8452be581

    • memory/4652-12-0x0000000000400000-0x0000000000416000-memory.dmp

      Filesize

      88KB

    • memory/4652-30-0x0000000000400000-0x0000000000416000-memory.dmp

      Filesize

      88KB