Analysis

  • max time kernel
    92s
  • max time network
    98s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240704-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    08/07/2024, 02:24

General

  • Target

    2aa87ab5ce413830ff83425b4f6d14e1_JaffaCakes118.exe

  • Size

    505KB

  • MD5

    2aa87ab5ce413830ff83425b4f6d14e1

  • SHA1

    df013cd708885824b7ab72583c783684ccea93db

  • SHA256

    f83177f58f95776bb644a41fb46f5fb6be1eb75102396c74f0195e82e2ca93d6

  • SHA512

    bd5af7f527945ab0d96a39355b85deec0eb85f29ae39dc32cacf2cf7288e3cb6fe8566828a5163c7511cebf94eb29db1bbb3f085647f5741a4a0933b467fb646

  • SSDEEP

    12288:LQIbwgQ/hahneoN8LwIQMQa1nkGf4RDzDVWiewOdDP0:t7QahnMLHZQa1nkGfZBD

Score
10/10

Malware Config

Signatures

  • Modifies firewall policy service 3 TTPs 4 IoCs
  • Loads dropped DLL 1 IoCs
  • Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Drops file in System32 directory 6 IoCs
  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
  • Modifies registry class 41 IoCs
  • Runs .reg file with regedit 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2aa87ab5ce413830ff83425b4f6d14e1_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\2aa87ab5ce413830ff83425b4f6d14e1_JaffaCakes118.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4780
    • C:\Windows\SysWOW64\cacls.exe
      cacls "C:\Windows\system32\oobe" /t /e /g everyone:f
      2⤵
      PID:2636
    • C:\Windows\SysWOW64\regsvr32.exe
      regsvr32.exe /s C:\Windows\system32\oobe\tpjpwzbiye.dll
      2⤵
      • Loads dropped DLL
      • Installs/modifies Browser Helper Object
      • Modifies registry class
      PID:4692
    • C:\Windows\SysWOW64\EXPLORER.EXE
      EXPLORER.EXE /e,C:\Windows\system32\oobe\8010\
      2⤵
      PID:4900
    • C:\Windows\SysWOW64\regedit.exe
      C:\Windows\regedit.exe /s "C:\Windows\system32\GPBYUAESSQS.reg"
      2⤵
      • Modifies firewall policy service
      • Runs .reg file with regedit
      PID:312
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$306609.bat
      2⤵
      PID:4624
  • C:\Windows\explorer.exe
    C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:2288

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\$$306609.bat

    Filesize

    182B

    MD5

    dc5f20b89d0f2b11423ebfc368b5d288

    SHA1

    97e072ae0eb671206add8a167dd7d0ea7a62502f

    SHA256

    4672f2ae6362dd096b60303106361ce34a6822fea8b23bc9afbccc6040bfcd33

    SHA512

    b0258099a03921f6dbca5e74fd1572c3c162463c1498fdc1ea374490cea42a7b10469003ad0dceab09b914d7f3de6d9eca7524003b7b36fa4a7f5eca3f9c3be2

  • C:\Windows\SysWOW64\42169a7e4d.dll

    Filesize

    139B

    MD5

    293b2d016db4c3eef608b9c061093cd2

    SHA1

    137bdda05b7597ed9d071a78618c03df519c9763

    SHA256

    6c88b08eebe6228f005f39565c99fdf5d8a134d7d54288899e794ef5e8f76f94

    SHA512

    a9b329d3e06a35d4e5cf7a16eb08690c2fa8f626f209f65aeb67e2db1317d0e4ce89e6dd5d9d2fd0c3bf3396030a0e950128fc3a3bfefe645e501327f5e3e246

  • C:\Windows\SysWOW64\GPBYUAESSQS.reg

    Filesize

    297B

    MD5

    99eacff177203b6f5128fe7d271857b2

    SHA1

    a9a43c162c27bc4382957f2b22fb48b0dc17bbfc

    SHA256

    d1d5136acd329ef64ce9877cd390727d94b9849bf4ae77e8d0cdd05780259b98

    SHA512

    2df1be0702be6794081979abe953529c7968170c09349a3b6f4e66f643954dd2d5b1bc8cd233792313a322599177186c881c84bd5b974c2d0b816678d4e5fe03

  • C:\Windows\SysWOW64\oobe\tpjpwzbiye.dll

    Filesize

    550KB

    MD5

    31bf4c2449568a7fa89301efd67dab86

    SHA1

    a355a8d5b6cc40f447595b83ed806c57e012c1d2

    SHA256

    c00d8b8f30f77f39ebdd7f2f70561c059259e23d85d6654f4cb0462af7a6c393

    SHA512

    387af479a7cf4f5935bbb62863604d5e38a45aca97aeb2931770695f8c8e7fd8900446e9dad549a470faf3cc7146d168c1122a42060d8758b2b22f52624ad45f

  • memory/4780-22-0x0000000000400000-0x0000000000566000-memory.dmp

    Filesize

    1.4MB