Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13/07/2024, 05:18 UTC

General

  • Target

    4056b919366ea6a51c5e9069f8472091_JaffaCakes118.exe

  • Size

    10KB

  • MD5

    4056b919366ea6a51c5e9069f8472091

  • SHA1

    c7ce6debc93e42d90756b9be5236d93acdde0cf9

  • SHA256

    65c070674f6e95dc8bbc95d3bda7c6af3924cc1366d99dfcd3e7ce0959b2d758

  • SHA512

    988f8df472f5578ab9d7446fef14b1018806f4860e128832d15c95ac62071a01ac489f853676e9df4052ee668fe7b7b84ce16cd751fce330ef6bc2d03eda97d1

  • SSDEEP

    192:xmGWV65YDUC3s6zNVa0AwuvC0uUxQuhCFaNJhLkwcud2DH9VwGfctdk:xmUWDUCckVa5aTshmaNJawcudoD7Uo

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4056b919366ea6a51c5e9069f8472091_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\4056b919366ea6a51c5e9069f8472091_JaffaCakes118.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4816
    • C:\Users\Admin\AppData\Local\Temp\7DBB.tmp
      C:\Users\Admin\AppData\Local\Temp\7DBB.tmp C:\Users\Admin\AppData\Local\Temp
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1304
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpfile0.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4384
        • C:\Windows\SysWOW64\reg.exe
          reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v Microsft /t REG_SZ /d C:\WINDOWS\sys32.exe
          4⤵
          • Adds Run key to start application
          • Modifies registry key
          PID:1536

Network

  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dns.google
  • flag-us
    DNS
    2.159.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    2.159.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    73.144.22.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    73.144.22.2.in-addr.arpa
    IN PTR
    Response
    73.144.22.2.in-addr.arpa
    IN PTR
    a2-22-144-73.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    183.59.114.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    183.59.114.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    56.126.166.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    56.126.166.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    172.210.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.210.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    81.144.22.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    81.144.22.2.in-addr.arpa
    IN PTR
    Response
    81.144.22.2.in-addr.arpa
    IN PTR
    a2-22-144-81.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    240.221.184.93.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    240.221.184.93.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    30.243.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    30.243.111.52.in-addr.arpa
    IN PTR
    Response
  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
    90 B
    1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    2.159.190.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    2.159.190.20.in-addr.arpa

  • 8.8.8.8:53
    73.144.22.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    73.144.22.2.in-addr.arpa

  • 8.8.8.8:53
    183.59.114.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    183.59.114.20.in-addr.arpa

  • 8.8.8.8:53
    56.126.166.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    56.126.166.20.in-addr.arpa

  • 8.8.8.8:53
    172.210.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.210.232.199.in-addr.arpa

  • 8.8.8.8:53
    81.144.22.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    81.144.22.2.in-addr.arpa

  • 8.8.8.8:53
    240.221.184.93.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    240.221.184.93.in-addr.arpa

  • 8.8.8.8:53
    30.243.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    30.243.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\7DBB.tmp

    Filesize

    14KB

    MD5

    62bd906746e687180e6f496af2c74ba7

    SHA1

    c612dd94178b053ea120520a936131e0afb22390

    SHA256

    4225c5b7115c7a2f8c08cbfdf8cd0a8b28952a602f13580d674762d7b551054d

    SHA512

    4d9670448f4f574d22aa3139423d71921d368b755039563f063db3e703eb68fa1f85e2ddf8d5b1b72c6a1e8fe6eb94cfa28f943a212ccef4781ca0095cf0e67a

  • C:\Users\Admin\AppData\Local\Temp\tmpfile0.bat

    Filesize

    603B

    MD5

    e60896801e4777d71d000ec92507ab3b

    SHA1

    981e124730dc0f8a47cdbcc9a56af060a8d2b604

    SHA256

    a613337197cf51b0c48863891dedbc77608bed802cbb036393be82982e598ca0

    SHA512

    9a879e8b2cdd05581b27a9ba8cbae6eb2e5a770cc39987e2e135790ea70613f67e0f6dea27c1318e862b250eb51772ad10f8cfbb253db6fd62fe5f6275f295ee

  • memory/1304-4-0x0000000000400000-0x0000000000407000-memory.dmp

    Filesize

    28KB

  • memory/1304-12-0x0000000000400000-0x0000000000407000-memory.dmp

    Filesize

    28KB

  • memory/4816-0-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

  • memory/4816-8-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB
