Analysis

  • max time kernel
    93s
  • max time network
    113s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12/07/2024, 10:08

General

  • Target

    3cf12798c3df358f313d2be661228d6c_JaffaCakes118.exe

  • Size

    350KB

  • MD5

    3cf12798c3df358f313d2be661228d6c

  • SHA1

    d0a4b021699c965d540fd4f0f0e3169b531c2df1

  • SHA256

    1c74ccb070bd075ec8bed834851134d9afc78f7e0872ddb1f075349bb3867fdb

  • SHA512

    dff94cb008435995fe05a6a9361ca7d94eb7a7c2282b996b6b88c9c57c3a6a3557fe8c6475da27b89c420cd86ac345bdb7bb76640dba0e6d99b8c990a082de6d

  • SSDEEP

    6144:qQqOqkiNtRRJli7NNV8i6A6SeDWAfNFAMIVpWHGVv3tbUT9zvrZnC:dqk4tRRK3yi6BSCRfNSMIymV1be9PZnC

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • VMProtect packed file 4 IoCs

    Detects executables packed with VMProtect commercial packer.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • NSIS installer 1 IoCs
  • Kills process with taskkill 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 39 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3cf12798c3df358f313d2be661228d6c_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\3cf12798c3df358f313d2be661228d6c_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2124
    • C:\Users\Admin\AppData\Local\Temp\cfÎÏţ͸ÊÓ.exe
      "C:\Users\Admin\AppData\Local\Temp\cfÎÏţ͸ÊÓ.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2252
      • C:\Users\Admin\AppData\Local\Temp\´ó·É0126°æ.exe
        "C:\Users\Admin\AppData\Local\Temp\´ó·É0126°æ.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2436
        • C:\Program Files\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://123.kukankan.com
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:852
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:852 CREDAT:17410 /prefetch:2
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:412
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\´ó·É0126°æ.vbs"
        3⤵
        PID:1952
      • C:\Users\Admin\AppData\Local\Temp\ÎÏţ͸ÊÓ.exe
        "C:\Users\Admin\AppData\Local\Temp\ÎÏţ͸ÊÓ.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3452
        • C:\Windows\SysWOW64\regsvr32.exe
          regsvr32 C:\WINDOWS\system32\shdocvw.dll /s
          3⤵
          PID:1628
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c taskkill /f /im empty.dat
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:1036
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im empty.dat
              4⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:3212

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

        Filesize

        4KB

        MD5

        1bfe591a4fe3d91b03cdf26eaacd8f89

        SHA1

        719c37c320f518ac168c86723724891950911cea

        SHA256

        9cf94355051bf0f4a45724ca20d1cc02f76371b963ab7d1e38bd8997737b13d8

        SHA512

        02f88da4b610678c31664609bcfa9d61db8d0b0617649981af948f670f41a6207b4ec19fecce7385a24e0c609cbbf3f2b79a8acaf09a03c2c432cc4dce75e9db

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\LIDWBKOU\suggestions[1].en-US

        Filesize

        17KB

        MD5

        5a34cb996293fde2cb7a4ac89587393a

        SHA1

        3c96c993500690d1a77873cd62bc639b3a10653f

        SHA256

        c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

        SHA512

        e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

      • C:\Users\Admin\AppData\Local\Temp\cfÎÏţ͸ÊÓ.exe

        Filesize

        263KB

        MD5

        97a2bf62d16d752cd78b13d4120f52b6

        SHA1

        041902eb8269d87d1ff5acdb00aa0062114f021c

        SHA256

        fa722a2880eaa6737271de8c1f6506f42b5ee6e43a0fe188d45ad82e691aea7c

        SHA512

        b1ac9529f29295c27e612ccafbb3b0f394ae91806d50c5ecaec4a3d8f82e53c32e9b471f4e144d77618b9833620ba9c889a4bf433df84c7b1dda0789caf63cd0

      • C:\Users\Admin\AppData\Local\Temp\´ó·É0126°æ.exe

        Filesize

        238KB

        MD5

        1b09cc5d84b88c96e08f78dbfc426168

        SHA1

        5685a2a312dfbfca4da4b1923f59502706b9d536

        SHA256

        f5cff9b9cf4aede7af19e45a7902f084999984735d283af5e1c07860d86ef5bb

        SHA512

        2572681364eb58cffc03da80374f34d3ecabafb4fb656c5d4cb8e579f730c249f47acc403e13a45dba54b1309f86c5088adfcf08b1909e519cdda611636e7389

      • C:\Users\Admin\AppData\Local\Temp\´ó·É0126°æ.vbs

        Filesize

        1KB

        MD5

        efd05135c1895db2a8a563899234770c

        SHA1

        743e73052903d000dc73fa08d9c05be1b8afa363

        SHA256

        564c8fcff599eb12b85e30b64cdbafdd0fbddfdf09ffc4ffda6637275feb3a7c

        SHA512

        63fff5bc79d31fc2380318e8e52c67f4533f16b98bd2a5fdb2d7505241c6830ca8d18ce279dc20309f133f89e4ddf19ea97a05e5ac921b1bb7a024e808e63255

      • C:\Users\Admin\AppData\Local\Temp\ÎÏţ͸ÊÓ.exe

        Filesize

        84KB

        MD5

        7ad7ed7fdd25baea8e6c1a8a639b4fc5

        SHA1

        d5f22c8eb1eebb74853eb4b63127e240211ede6a

        SHA256

        cea15b32f02d28194725a4156b682f1a9bc8608adc326cbb3aac7149facd37fa

        SHA512

        eaf422438fd21fe272c181bb45ba27a1e25cbefb242b766ec0361ecb6f2d880c3ce4ffcc813f5740ee65eb765c53ffb8c1206967638fd5ebd444fec0fec6892b

      • memory/2436-32-0x0000000000400000-0x0000000000451000-memory.dmp

        Filesize

        324KB

      • memory/2436-33-0x00000000001C0000-0x00000000001C2000-memory.dmp

        Filesize

        8KB

      • memory/2436-100-0x0000000000400000-0x0000000000451000-memory.dmp

        Filesize

        324KB

      • memory/3452-19-0x0000000000400000-0x000000000042B000-memory.dmp

        Filesize

        172KB

      • memory/3452-20-0x0000000000400000-0x000000000042B000-memory.dmp

        Filesize

        172KB

      • memory/3452-101-0x0000000000400000-0x000000000042B000-memory.dmp

        Filesize

        172KB