Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240704-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/07/2024, 06:40

General

  • Target

    2f5519a0b51c9a3f491e56eedcbd615d_JaffaCakes118.exe

  • Size

    728KB

  • MD5

    2f5519a0b51c9a3f491e56eedcbd615d

  • SHA1

    15fd601d0ca00e8623742788e6e0e933e0fdf17b

  • SHA256

    4d12d1a83b5392d1c188d47409dfdb978fe2179bdcf18f77ee65ead254543be8

  • SHA512

    35e1743509119ff9b556978bdcda5a72142bf5b5e7d732282db41b43edd5ffc9836e4237c772e31244768489306f7c79e44c96fcfb248f008a5b86a9ee840be6

  • SSDEEP

    12288:z2/I3CMZC4u8YBbY5zgHWHmt8qMUmmcKDgGeItoEc9GspWZhASRXHYnrm/:z2QSmCrmgHCmKqMUkKlFtov9GsqRXHYg

Malware Config

Signatures

  • Modifies Windows Firewall 2 TTPs 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2f5519a0b51c9a3f491e56eedcbd615d_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\2f5519a0b51c9a3f491e56eedcbd615d_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:5032
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir "C:\Users\Admin\AppData\Local\DirectDownloader"
      2⤵
        PID:2884
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C echo ifms > "C:\Users\Admin\AppData\Local\DirectDownloader\directdownloader.exe"
        2⤵
          PID:840
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\DirectDownloader\directdownloader.exe"
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:3412
          • C:\Windows\SysWOW64\netsh.exe
            netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\DirectDownloader\directdownloader.exe"
            3⤵
            • Modifies Windows Firewall
            • Event Triggered Execution: Netsh Helper DLL
            PID:2080
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\DirectDownloader\directdownloader.exe" "DirectDownloader" ENABLE
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:2964
          • C:\Windows\SysWOW64\netsh.exe
            netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\DirectDownloader\directdownloader.exe" "DirectDownloader" ENABLE
            3⤵
            • Modifies Windows Firewall
            • Event Triggered Execution: Netsh Helper DLL
            PID:400

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\DirectDownloader\directdownloader.exe

        Filesize

        7B

        MD5

        824ab679eea19c5b43b186800c2c625f

        SHA1

        f8b90bc89117ac4f1a272e7acef952a79a64b617

        SHA256

        f6d4a23bd6b412e4d4906cbd1c56dcbcf5ddd96b6a9098ceba96be94e52f7ab3

        SHA512

        e13bb9c005c2acb412916bf0f4a37b39c2800298042d5344b877143d1b767342903c9bb3e8d4eda75f37cc323b5f623d6bf34629d2c999c7df316de4ffd3caf4

      • memory/5032-16-0x0000000000400000-0x00000000004C1000-memory.dmp

        Filesize

        772KB