Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    91s
  • max time network
    92s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12/07/2024, 00:33

General

  • Target

    3b54de624a842bbb116c6189c8f94551_JaffaCakes118.exe

  • Size

    165KB

  • MD5

    3b54de624a842bbb116c6189c8f94551

  • SHA1

    9157e6d1c2b7057f8e352178452bf69f9d479c63

  • SHA256

    d6eb57fd34c3a527d60dfa22c2f1850bfdca618f978a4bb319c8b01571eb6ff7

  • SHA512

    d606557534d6a409beaedcf5d85cb009d6da332c7ae05351bd2f40667a4e5eadb7e3a492f406f964523d5fdf3506c848a029fa11aee1f62b5f0899aa50a48647

  • SSDEEP

    3072:ABGuStDz/yIzfIenQKIsmtLeIAPGn2jS0gPsX8EsV5q7d+JYfvomTQpoutr:AB03/yMfId8GLsjdgPsMEsV47d+SP8oS

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Modifies data under HKEY_USERS 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • System policy modification 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3b54de624a842bbb116c6189c8f94551_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\3b54de624a842bbb116c6189c8f94551_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3952
    • C:\Users\Admin\AppData\Local\Temp\3b54de624a842bbb116c6189c8f94551_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\3b54de624a842bbb116c6189c8f94551_JaffaCakes118.exe
      2⤵
      • Adds Run key to start application
      • Modifies data under HKEY_USERS
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:3556
      • C:\Users\Admin\AppData\Roaming\Vfklkg.exe
        "C:\Users\Admin\AppData\Roaming\Vfklkg.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1116
        • C:\Users\Admin\AppData\Roaming\Vfklkg.exe
          C:\Users\Admin\AppData\Roaming\Vfklkg.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:4956

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Vfklkg.exe

    Filesize

    165KB

    MD5

    3b54de624a842bbb116c6189c8f94551

    SHA1

    9157e6d1c2b7057f8e352178452bf69f9d479c63

    SHA256

    d6eb57fd34c3a527d60dfa22c2f1850bfdca618f978a4bb319c8b01571eb6ff7

    SHA512

    d606557534d6a409beaedcf5d85cb009d6da332c7ae05351bd2f40667a4e5eadb7e3a492f406f964523d5fdf3506c848a029fa11aee1f62b5f0899aa50a48647

  • memory/1116-23-0x0000000000400000-0x0000000000531000-memory.dmp

    Filesize

    1.2MB

  • memory/3556-3-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

  • memory/3556-5-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

  • memory/3556-8-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

  • memory/3952-0-0x0000000000400000-0x0000000000531000-memory.dmp

    Filesize

    1.2MB

  • memory/3952-7-0x0000000000400000-0x0000000000531000-memory.dmp

    Filesize

    1.2MB

  • memory/4956-21-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

  • memory/4956-22-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

  • memory/4956-25-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB