Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    149s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/07/2024, 11:55

General

  • Target

    3902fb6501b383e7fcc63451f367fd82_JaffaCakes118.exe

  • Size

    47KB

  • MD5

    3902fb6501b383e7fcc63451f367fd82

  • SHA1

    1e9b6f1b9576088752145acff8f739ad0298bcf4

  • SHA256

    7f7a9c096197c86ed030441ae2170856a86b7987cbdc03e6dd6995eb477d4637

  • SHA512

    5f5340e59b444af7f69e9b678ede4f0d28c42b896e7d0dc7ff0f8a94c09c9fb533e08f376e7f77447f1e06cdd5ee10f1f73f115971fdbcbe7bf4adea6993ea32

  • SSDEEP

    768:oTMegW662heGq+Uh6oiswwlMPBoYyNG95zKQKuvH24BVRuSwX7cwJ44rOg0:oTTJ32AV+Uh6Of06Fw/xvTbuSbwa4

Score
7/10

Malware Config

Signatures

  • Loads dropped DLL 2 IoCs
  • Modifies WinLogon 2 TTPs 12 IoCs
  • Drops file in System32 directory 2 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3902fb6501b383e7fcc63451f367fd82_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\3902fb6501b383e7fcc63451f367fd82_JaffaCakes118.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:908
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe "C:\Users\Admin\AppData\Local\Temp\3902fb6501b383e7fcc63451f367fd82_JaffaCakes118.exe.dat",E
      2⤵
      • Loads dropped DLL
      • Modifies WinLogon
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1680
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32.exe "C:\Windows\system32\__c0040AA8.dat",B
        3⤵
        • Loads dropped DLL
        • Modifies WinLogon
        • Suspicious behavior: EnumeratesProcesses
        PID:3708
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1680 -s 660
        3⤵
        • Program crash
        PID:1972
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 1680 -ip 1680
    1⤵
      PID:2692

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\3902fb6501b383e7fcc63451f367fd82_JaffaCakes118.exe.dat

      Filesize

      28KB

      MD5

      d6cab399910aaf612025a5ed1c1dc78e

      SHA1

      8b4797283e3c430caab29107c45320f61d041f3f

      SHA256

      c2038e6e0f53f785f755f8dcc855253af383ccd557c59e7b19b71ea4ec074164

      SHA512

      573720e0ddef76db718187b44d5a2404166074eeeeb9caa09fa5a2a933f96b3ec37e8c82c480c8586b5646373d0acb501ed05c17117158af4917c10733a33e18

    • memory/908-0-0x0000000000400000-0x000000000040DBBA-memory.dmp

      Filesize

      54KB

    • memory/908-1-0x00000000020C0000-0x00000000021C0000-memory.dmp

      Filesize

      1024KB

    • memory/908-10-0x0000000000400000-0x000000000040DBBA-memory.dmp

      Filesize

      54KB

    • memory/1680-5-0x0000000002AF0000-0x0000000002BF0000-memory.dmp

      Filesize

      1024KB

    • memory/3708-9-0x0000000000EB0000-0x0000000000FB0000-memory.dmp

      Filesize

      1024KB

    • memory/3708-11-0x0000000010000000-0x000000001000B000-memory.dmp

      Filesize

      44KB

    • memory/3708-13-0x0000000000EB0000-0x0000000000FB0000-memory.dmp

      Filesize

      1024KB