Analysis

  • max time kernel
    142s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12/07/2024, 00:28

General

  • Target
    3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe
  • Size
    158KB
  • MD5
    3b51fab717e281580abca9c62aaa9685
  • SHA1
    74cd77630ace2fa629405f0665f34f1bb86419c1
  • SHA256
    3a309f51d3e4be8f3581b3e83534e19bfbdb1c002f57356ff84fbe4779a3504e
  • SHA512
    41502d14ccb5c65aa72aaea0f91b4f7defe4f1293fed54d1ce9193d77884cb068943560c07f0118fbe0b92de09fab6cf0b2d1e7059ddf2ad9349d41dcee33d3f
  • SSDEEP
    3072:/23lko29IApHuGPdsNjMb5LjZpTSNLjXTp2zEVZNNSdAXb:/do+FuGPds1cLjLSBjDpUEzNNS+L

Malware Config

Signatures

  • Disables service(s) (3 TTPs)
  • Adds policy Run key to start application (2 TTPs, 2 IoCs)
  • Drops file in Drivers directory (1 IoC)
  • Executes dropped EXE (2 IoCs)
  • UPX packed file (7 IoCs)
    Detects executables packed with UPX or a modified UPX open-source packer.
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Drops file in System32 directory (1 IoC)
  • Launches sc.exe (6 IoCs)
    sc.exe is a Windows utility to control services on the system.
  • Checks processor information in registry (2 TTPs, 2 IoCs)
    Processor information is often read in order to detect sandboxing environments.
  • Runs net.exe
  • Suspicious use of SetWindowsHookEx (9 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe (PID 2368)
    "C:\Users\Admin\AppData\Local\Temp\3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe"
    Adds policy Run key to start application; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    • C:\Windows\SysWOW64\net.exe (PID 4660)
      net.exe stop "Security Center"
      Suspicious use of WriteProcessMemory
      • C:\Windows\SysWOW64\net1.exe (PID 4336)
        C:\Windows\system32\net1 stop "Security Center"
    • C:\Windows\SysWOW64\sc.exe (PID 4056)
      sc config wscsvc start= DISABLED
      Launches sc.exe
    • C:\Windows\SysWOW64\net.exe (PID 2352)
      net.exe stop "Windows Firewall/Internet Connection Sharing (ICS)"
      Suspicious use of WriteProcessMemory
      • C:\Windows\SysWOW64\net1.exe (PID 1088)
        C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
    • C:\Windows\SysWOW64\sc.exe (PID 4436)
      sc config SharedAccess start= DISABLED
      Launches sc.exe
    • C:\Users\Admin\AppData\Local\Temp\rt04lto.exe (PID 3284)
      C:\Users\Admin\AppData\Local\Temp\rt04lto.exe
      Drops file in Drivers directory; Executes dropped EXE; Drops file in System32 directory; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      • C:\Windows\SysWOW64\net.exe (PID 2932)
        net.exe stop "Security Center"
        Suspicious use of WriteProcessMemory
        • C:\Windows\SysWOW64\net1.exe (PID 1576)
          C:\Windows\system32\net1 stop "Security Center"
      • C:\Windows\SysWOW64\sc.exe (PID 2904)
        sc config wscsvc start= DISABLED
        Launches sc.exe
      • C:\Windows\SysWOW64\net.exe (PID 1652)
        net.exe stop "Windows Firewall/Internet Connection Sharing (ICS)"
        Suspicious use of WriteProcessMemory
        • C:\Windows\SysWOW64\net1.exe (PID 1704)
          C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
      • C:\Windows\SysWOW64\sc.exe (PID 3108)
        sc config SharedAccess start= DISABLED
        Launches sc.exe
      • C:\Users\Admin\AppData\Local\Temp\rt04lto.exe (PID 4600)
        C:\Users\Admin\AppData\Local\Temp\rt04lto.exe -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
        Executes dropped EXE; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
        • C:\Windows\SysWOW64\net.exe (PID 1700)
          net.exe stop "Security Center"
          • C:\Windows\SysWOW64\net1.exe (PID 3600)
            C:\Windows\system32\net1 stop "Security Center"
        • C:\Windows\SysWOW64\sc.exe (PID 3276)
          sc config wscsvc start= DISABLED
          Launches sc.exe
        • C:\Windows\SysWOW64\net.exe (PID 4504)
          net.exe stop "Windows Firewall/Internet Connection Sharing (ICS)"
          • C:\Windows\SysWOW64\net1.exe (PID 4480)
            C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
        • C:\Windows\SysWOW64\sc.exe (PID 3296)
          sc config SharedAccess start= DISABLED
          Launches sc.exe
    • C:\Windows\SysWOW64\Rundll32.exe (PID 956)
      Rundll32.exe setupapi,InstallHinfSection DefaultInstall 128 C:\Users\Admin\AppData\Local\Temp\mdinstall.inf
      Adds Run key to start application; Suspicious use of WriteProcessMemory
      • C:\Windows\SysWOW64\runonce.exe (PID 3888)
        "C:\Windows\system32\runonce.exe" -r
        Checks processor information in registry; Suspicious use of WriteProcessMemory
        • C:\Windows\SysWOW64\grpconv.exe (PID 3364)
          "C:\Windows\System32\grpconv.exe" -o
    • C:\Windows\SysWOW64\cmd.exe (PID 456)
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\g9ngajqf.bat
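The process tree above is a recognisable defence-evasion chain: the sample (and each copy of itself it launches) stops the Security Center and Windows Firewall/ICS services with net.exe, sets wscsvc and SharedAccess to start= DISABLED with sc.exe, then installs an INF from %TEMP% through Rundll32.exe setupapi,InstallHinfSection. The Python below is an added example, not part of the Triage report: it rebuilds the tree from process-creation records (Sysmon Event ID 1 style fields), attributes every net/sc/rundll32 event to its root ancestor, and scores each root. The event tuples are constructed from the tree above using the report's PIDs and command lines; the root's parent PID 1000, the two benign "net stop spooler" control events, and the mpssvc/WinDefend service names in the watch list are assumptions added for illustration.

```python
"""Flag the service-tampering + INF-install chain from process-creation telemetry.

Added example for this report; the events below are constructed to mirror the
report's process tree and are not exported sandbox data."""
import re
from collections import defaultdict

# (pid, parent_pid, image, command_line). PIDs/command lines follow the report;
# parent PID 1000 and the spooler events (5000/5001) are made-up benign controls.
SAMPLE_EVENTS = [
    (2368, 1000, r"C:\Users\Admin\AppData\Local\Temp\3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe"'),
    (4660, 2368, r"C:\Windows\SysWOW64\net.exe", 'net.exe stop "Security Center"'),
    (4336, 4660, r"C:\Windows\SysWOW64\net1.exe", r'C:\Windows\system32\net1 stop "Security Center"'),
    (4056, 2368, r"C:\Windows\SysWOW64\sc.exe", "sc config wscsvc start= DISABLED"),
    (2352, 2368, r"C:\Windows\SysWOW64\net.exe", 'net.exe stop "Windows Firewall/Internet Connection Sharing (ICS)"'),
    (4436, 2368, r"C:\Windows\SysWOW64\sc.exe", "sc config SharedAccess start= DISABLED"),
    (3284, 2368, r"C:\Users\Admin\AppData\Local\Temp\rt04lto.exe", r"C:\Users\Admin\AppData\Local\Temp\rt04lto.exe"),
    (2904, 3284, r"C:\Windows\SysWOW64\sc.exe", "sc config wscsvc start= DISABLED"),
    (956, 2368, r"C:\Windows\SysWOW64\Rundll32.exe",
     r"Rundll32.exe setupapi,InstallHinfSection DefaultInstall 128 C:\Users\Admin\AppData\Local\Temp\mdinstall.inf"),
    (3888, 956, r"C:\Windows\SysWOW64\runonce.exe", r'"C:\Windows\system32\runonce.exe" -r'),
    (5000, 1000, r"C:\Windows\System32\cmd.exe", r'"C:\Windows\System32\cmd.exe"'),
    (5001, 5000, r"C:\Windows\System32\net.exe", "net stop spooler"),
]

# Short and display names of services whose stop/disable is a strong signal.
# wscsvc/SharedAccess are the two seen in the report; the Defender and
# firewall (mpssvc) entries are assumptions added for broader coverage.
SECURITY_SERVICES = {
    "wscsvc", "security center",
    "sharedaccess", "windows firewall/internet connection sharing (ics)",
    "mpssvc", "windefend", "windows defender antivirus service",
}

NET_STOP_RE = re.compile(r'\bstop\s+(?:"(?P<q>[^"]+)"|(?P<u>\S+))', re.I)
SC_DISABLE_RE = re.compile(r'\bconfig\s+(?P<svc>\S+)\s+start=\s*disabled\b', re.I)
INF_INSTALL_RE = re.compile(
    r'\bsetupapi(?:\.dll)?\s*,\s*InstallHinfSection\s+\S+\s+\d+\s+(?P<inf>\S+)', re.I)


def image_name(path):
    """Lower-cased basename of an image path (backslash separators)."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(image, cmdline):
    """Return ("service", name) for a stop/disable of a watched security service,
    ("inf", path) for a setupapi INF install via rundll32, or None otherwise."""
    name = image_name(image)
    if name == "net.exe":  # net1.exe is net's helper; ignoring it avoids double counting
        m = NET_STOP_RE.search(cmdline)
        svc = (m.group("q") or m.group("u")) if m else None
    elif name == "sc.exe":
        m = SC_DISABLE_RE.search(cmdline)
        svc = m.group("svc") if m else None
    elif name == "rundll32.exe":
        m = INF_INSTALL_RE.search(cmdline)
        return ("inf", m.group("inf")) if m else None
    else:
        return None
    return ("service", svc) if svc and svc.lower() in SECURITY_SERVICES else None


def severity(services, inf_installs):
    """Score a process tree by how much of the chain it exhibits."""
    if len(services) >= 2 and inf_installs:
        return "high"
    if len(services) >= 2 or (services and inf_installs):
        return "medium"
    if services or inf_installs:
        return "low"
    return "none"


def analyze(events):
    """Attribute each event to its root ancestor (the first process whose parent
    has no record in the telemetry) and score every root."""
    parent = {pid: ppid for pid, ppid, _, _ in events}
    image = {pid: img for pid, _, img, _ in events}

    def root_of(pid):
        seen = set()
        while parent.get(pid) in parent and pid not in seen:
            seen.add(pid)
            pid = parent[pid]
        return pid

    trees = defaultdict(lambda: {"image": None, "services": [], "inf_installs": []})
    for pid, _, img, cmd in events:
        root = root_of(pid)
        t = trees[root]
        t["image"] = image[root]
        hit = classify(img, cmd)
        if hit and hit[0] == "service":
            t["services"].append(hit[1])
        elif hit:
            t["inf_installs"].append(hit[1])
    for t in trees.values():
        t["severity"] = severity(t["services"], t["inf_installs"])
    return dict(trees)


if __name__ == "__main__":
    for root, t in analyze(SAMPLE_EVENTS).items():
        print(f"root {root} ({image_name(t['image'])}): severity={t['severity']} "
              f"services={t['services']} inf={t['inf_installs']}")
```

Run against the constructed events, the tree rooted at PID 2368 scores high (five security-service stop/disable commands plus one INF install from a user-writable path), while the admin's "net stop spooler" control stays at none. Correlating to the root rather than alerting on each sc.exe or net.exe line is what keeps the rule usable on hosts where administrators legitimately stop services.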

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\g9ngajqf.bat
    Filesize
    218B
    MD5
    bc686b5b5dfc9fe33f1b9298988ffea4
    SHA1
    0f4aa7406da22b81e1e8c0413ede8f4d6077e063
    SHA256
    134c6b80d275afa3ab4e52fd85b5cfe4e202fd2b52416c64b6b6a435712d9816
    SHA512
    6b425aad3c7d98083f2e0d0e817939a8617f2a6c89c50a5de942b22945b88a5e80f5fe43425ff2dbdfb83de83b9eb32714070f6abd9d1cdbd5e10f5e97ba6335

  • C:\Users\Admin\AppData\Local\Temp\mdinstall.inf
    Filesize
    413B
    MD5
    ce1f2d7c8e36f3c085a5d281b9ebeb2f
    SHA1
    bbbfae948d625afe50f66f34282bda3974cfdce5
    SHA256
    312239a5c6333e6d1e8ba9f0e81856c37347be0f21d194741ae1d25538cd130c
    SHA512
    89f69b88bdfb391f58abaefbbae7e393571709c0ea6a268794c035200674ad3a8615a65944373559aead87e8d5ab09f334e2b1563c1bde912aa26a485b76357e

  • C:\Users\Admin\AppData\Local\Temp\rt04lto.exe
    (hashes identical to the submitted sample: the dropped file is a copy of the original executable)
    Filesize
    158KB
    MD5
    3b51fab717e281580abca9c62aaa9685
    SHA1
    74cd77630ace2fa629405f0665f34f1bb86419c1
    SHA256
    3a309f51d3e4be8f3581b3e83534e19bfbdb1c002f57356ff84fbe4779a3504e
    SHA512
    41502d14ccb5c65aa72aaea0f91b4f7defe4f1293fed54d1ce9193d77884cb068943560c07f0118fbe0b92de09fab6cf0b2d1e7059ddf2ad9349d41dcee33d3f

  • memory/2368-0-0x0000000000400000-0x000000000042A000-memory.dmp
    Filesize
    168KB

  • memory/2368-16-0x0000000000400000-0x000000000042A000-memory.dmp
    Filesize
    168KB

  • memory/3284-7-0x0000000000400000-0x000000000042A000-memory.dmp
    Filesize
    168KB

  • memory/3284-22-0x0000000000400000-0x000000000042A000-memory.dmp
    Filesize
    168KB

  • memory/4600-23-0x0000000000400000-0x000000000042A000-memory.dmp
    Filesize
    168KB

  • memory/4600-24-0x0000000000400000-0x000000000042A000-memory.dmp
    Filesize
    168KB