Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11/07/2024, 17:12

General

  • Target

    3a07dd3c3102cae3b66a616691b39ca0_JaffaCakes118.exe

  • Size

    397KB

  • MD5

    3a07dd3c3102cae3b66a616691b39ca0

  • SHA1

    f5352fe5a8ab47f0dff31bd89c295b63ee5bfd51

  • SHA256

    d018bb082d0d768a09a8259bac61bea1f356476ecc3242107ab8241e7cb5fea0

  • SHA512

    194770ebe7633a53ad0cfbd7f8e76f6a5e2d3519891e877a407d7902e8a5f4581fea3869642efb5646bb90665116ea216d04aefb3a90a81eea6ecb96fb772b0b

  • SSDEEP

    12288:yk1Z/NVy6ixxrno8nDzu8MOH8qLsAQsnY:3NVixtDzIOHLTnY

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Disables Task Manager via registry modification
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops desktop.ini file(s) 4 IoCs
  • Maps connected drives based on registry 3 TTPs 4 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Control Panel 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • System policy modification 1 TTPs 2 IoCs
  • Views/modifies file attributes 1 TTPs 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3a07dd3c3102cae3b66a616691b39ca0_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\3a07dd3c3102cae3b66a616691b39ca0_JaffaCakes118.exe"
    1⤵
    • Adds Run key to start application
    • Maps connected drives based on registry
    • Modifies Internet Explorer settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:4020
    • C:\ProgramData\mlencXAGoFP.exe
      C:\ProgramData\mlencXAGoFP.exe
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Maps connected drives based on registry
      • Modifies Control Panel
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:1924
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "C:\Users\Admin\*.*" /s /d
        3⤵
        • Drops desktop.ini file(s)
        • Views/modifies file attributes
        PID:4312
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "C:\ProgramData\Microsoft\Windows\Start Menu\*.*" /s /d
        3⤵
        • Views/modifies file attributes
        PID:3980
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "C:\*.*" /s /d
        3⤵
        • Drops desktop.ini file(s)
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Views/modifies file attributes
        PID:4676

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\mlencXAGoFP.exe

    Filesize

    397KB

    MD5

    3a07dd3c3102cae3b66a616691b39ca0

    SHA1

    f5352fe5a8ab47f0dff31bd89c295b63ee5bfd51

    SHA256

    d018bb082d0d768a09a8259bac61bea1f356476ecc3242107ab8241e7cb5fea0

    SHA512

    194770ebe7633a53ad0cfbd7f8e76f6a5e2d3519891e877a407d7902e8a5f4581fea3869642efb5646bb90665116ea216d04aefb3a90a81eea6ecb96fb772b0b

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\5f7b5f1e01b83767.automaticDestinations-ms

    Filesize

    5KB

    MD5

    859f0b6d1d2dd4d8c2989a8f4f667186

    SHA1

    bdd75a83d189dcaf4f52c278e46e820e9c14eafa

    SHA256

    a8bbdaa01336a6015a799e5e1616b877eadc3a14afac2eeee575df23ad302b72

    SHA512

    14ad175f1b3e5c6fce2ad94128ca3aa337b2867178f6c6d0a5d5f152c8148e4358372241e8020d1bc822598af04d80d67717da74d86efd7d447a21a080247ad2

  • memory/1924-6-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

  • memory/1924-7-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

  • memory/1924-10-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

  • memory/1924-27-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

  • memory/1924-28-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

  • memory/4020-0-0x0000000000560000-0x0000000000561000-memory.dmp

    Filesize

    4KB

  • memory/4020-1-0x0000000000400000-0x000000000046F000-memory.dmp

    Filesize

    444KB

  • memory/4020-9-0x0000000000400000-0x000000000046F000-memory.dmp

    Filesize

    444KB

  • memory/4020-8-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB