Analysis

  • max time kernel
    93s
  • max time network
    118s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    15/07/2024, 06:11

General

  • Target

    488e22d7fefe8ac231d2da624ad96498_JaffaCakes118.exe

  • Size

    4.4MB

  • MD5

    488e22d7fefe8ac231d2da624ad96498

  • SHA1

    c3ae5927011b05ffab8f621b39ef82402754181d

  • SHA256

    d32b094a2764078bf688d43a4fb94d237c2df90c5dd522ea74c95e19adc46e4f

  • SHA512

    12feed704854f45bd036236f058caa50bec6bed4f2f822bd6d0f59ebf76c9b24d4af78406159a800828155993cf02201d65b1168d4958ee59966e4731aadcc1d

  • SSDEEP

    98304:2DrVIXQGHHmg/HoHoxCQ8b/ahNlkQuyPgIhgp0wTA:OIXnjvoHo8QkahNSQucxupzk

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Program crash 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\488e22d7fefe8ac231d2da624ad96498_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\488e22d7fefe8ac231d2da624ad96498_JaffaCakes118.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3572
    • C:\Users\Admin\AppData\Local\Temp\_7CA2.tmpac7d.exe
      "C:\Users\Admin\AppData\Local\Temp\_7CA2.tmpac7d.exe" -p"09:03 PM" -y -o"C:\Users\Admin\AppData\Roaming\Security Monitor 12"
      2⤵
      • Executes dropped EXE
      PID:1264
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3572 -s 884
      2⤵
      • Program crash
      PID:1276
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 3572 -ip 3572
    1⤵
      PID:1100

Network

MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\_7CA2.tmpac7d.exe

      Filesize

      2.7MB

      MD5

      45f906b15c0a53a1688e792fa9f05d5e

      SHA1

      e3651d7c78869bdd686adab9277b479fa275f72b

      SHA256

      55cf03c9d94c6c4ca06f994ff63ced67cce69656ca6805632ab213d4e508ba9c

      SHA512

      d93b751be6c92f69efb363079e259fe10691545ad4b02ac39028bfc185bf698b17aef98722980b1bc5de0f45d8172b242bb5729bcc65217d559cb7c1c8452169

    • memory/3572-0-0x0000000002C80000-0x0000000003055000-memory.dmp

      Filesize

      3.8MB

    • memory/3572-1-0x0000000000400000-0x0000000000BB6000-memory.dmp

      Filesize

      7.7MB

    • memory/3572-3-0x0000000000401000-0x00000000005C6000-memory.dmp

      Filesize

      1.8MB

    • memory/3572-2-0x0000000001010000-0x0000000001011000-memory.dmp

      Filesize

      4KB

    • memory/3572-23-0x0000000000401000-0x00000000005C6000-memory.dmp

      Filesize

      1.8MB

    • memory/3572-22-0x0000000002C80000-0x0000000003055000-memory.dmp

      Filesize

      3.8MB

    • memory/3572-21-0x0000000000400000-0x0000000000BB6000-memory.dmp

      Filesize

      7.7MB