Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14/07/2024, 13:46

General

  • Target

    46143d2dcb939fe3cce62ea2c8401aec_JaffaCakes118.exe

  • Size

    120KB

  • MD5

    46143d2dcb939fe3cce62ea2c8401aec

  • SHA1

    6d9b033fc1571793a90f9e4d99305e3f137dd811

  • SHA256

    c920c5c4f7b71c16aacfddc895cae009a222520ffab21ee19017256d87e1a26d

  • SHA512

    00e0bb6db40c5b7c111cfd3f3d3923213ccf9c76d00802f1b06aea35e4eee66a3ccdfdd264d110e25cad6636a40eb87866ffea0d4e869aec2cb34a13d312d560

  • SSDEEP

    3072:hGN9qJK8zxBf/+L8Cabilf6N4wT6o8K8GthgB/w:W9ixBebaE65

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Kills process with taskkill 1 IoCs
  • Runs ping.exe 1 TTPs 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\46143d2dcb939fe3cce62ea2c8401aec_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\46143d2dcb939fe3cce62ea2c8401aec_JaffaCakes118.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:1268
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Windows\ff.bat
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:1684
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1
        3⤵
        • Runs ping.exe
        PID:4776
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1
        3⤵
        • Runs ping.exe
        PID:4596
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1
        3⤵
        • Runs ping.exe
        PID:1928
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1
        3⤵
        • Runs ping.exe
        PID:1468
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1
        3⤵
        • Runs ping.exe
        PID:2916
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im snss.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:808
      • C:\Windows\snss.exe
        "C:\Windows\snss.exe"
        3⤵
        • Executes dropped EXE
        PID:436

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\ff.bat

    Filesize

    581B

    MD5

    df0dcc0c8115b89296f85865537891c7

    SHA1

    a107b1947f6095c984df2639f148d699cdf86b66

    SHA256

    94d454be9f4bddf2bed180881bb90b75c6eb4c8f3b87b0960c8057ecdae87020

    SHA512

    870c34fa985f8ee2d683e261fce78e3b59da494f36d54ee52bc1bb6191233c8ba6b8aeb334bd09b11d783a9673b9d52358d1a63782a1e6d075348040490b6a73

  • C:\Windows\snss.lnk

    Filesize

    1KB

    MD5

    8370b2e0c1cb4e1b5db16168684ca13d

    SHA1

    449fd15ff029621ef095bbdf6994276eb5afc8a1

    SHA256

    e15b38b0b7a66399a6ae32dae6b1590e54f83eb5ca642f5e8b231dceb2cc10ff

    SHA512

    52af3d0aff0745093aa839c412dbbe6789aa31b8548631073e4657aad9e7d5484b452830b187c76a9790000b378a8c0b019d24ed752d74b3a2bdea3c8d8f2da2

  • C:\Windows\snss1.exe

    Filesize

    120KB

    MD5

    46143d2dcb939fe3cce62ea2c8401aec

    SHA1

    6d9b033fc1571793a90f9e4d99305e3f137dd811

    SHA256

    c920c5c4f7b71c16aacfddc895cae009a222520ffab21ee19017256d87e1a26d

    SHA512

    00e0bb6db40c5b7c111cfd3f3d3923213ccf9c76d00802f1b06aea35e4eee66a3ccdfdd264d110e25cad6636a40eb87866ffea0d4e869aec2cb34a13d312d560

  • memory/436-15-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/1268-6-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB