Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
140s -
max time network
132s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system -
submitted
15/07/2024, 11:31
Static task
static1
Behavioral task
behavioral1
Sample
49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe
Resource
win10v2004-20240709-en
General
-
Target
49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe
-
Size
733KB
-
MD5
49977ea91effefa69e91faaf406309c4
-
SHA1
29fdbe1a0ee9d6c7aa9499f3a70ef9bffcea3dab
-
SHA256
ca1d43c7df11837f12a37594e204bf75d59c40af5b8d24e6944f24a20a52577e
-
SHA512
27a4edf9e8b9962e6b50c3ad6d2fb353c09053d17032973c74fe2ffa526d94f1e9090ffc0023e5c7ab2ea5775861188bbc5eaf77ad014852479d41891caa070f
-
SSDEEP
12288:13Fpj4rBRLukn+zKg2oOR2OQl5xAdmxQDgGeItGBV07XpWZhASRXHYnrmc:1VpUFRUgoOwOY5xAqQlFtWVAqRXHYrmc
Malware Config
Signatures
-
Modifies Windows Firewall 2 TTPs 2 IoCs
pid Process 4728 netsh.exe 1928 netsh.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation 49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe -
Suspicious use of WriteProcessMemory 18 IoCs
description pid Process procid_target PID 4740 wrote to memory of 4196 4740 49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe 84 PID 4740 wrote to memory of 4196 4740 49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe 84 PID 4740 wrote to memory of 4196 4740 49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe 84 PID 4740 wrote to memory of 1996 4740 49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe 86 PID 4740 wrote to memory of 1996 4740 49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe 86 PID 4740 wrote to memory of 1996 4740 49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe 86 PID 4740 wrote to memory of 3204 4740 49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe 89 PID 4740 wrote to memory of 3204 4740 49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe 89 PID 4740 wrote to memory of 3204 4740 49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe 89 PID 3204 wrote to memory of 4728 3204 cmd.exe 92 PID 3204 wrote to memory of 4728 3204 cmd.exe 92 PID 3204 wrote to memory of 4728 3204 cmd.exe 92 PID 4740 wrote to memory of 1760 4740 49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe 93 PID 4740 wrote to memory of 1760 4740 49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe 93 PID 4740 wrote to memory of 1760 4740 49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe 93 PID 1760 wrote to memory of 1928 1760 cmd.exe 95 PID 1760 wrote to memory of 1928 1760 cmd.exe 95 PID 1760 wrote to memory of 1928 1760 cmd.exe 95
Processes
-
C:\Users\Admin\AppData\Local\Temp\49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4740 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C mkdir "C:\Users\Admin\AppData\Local\DirectDownloader"2⤵PID:4196
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C echo ifms > "C:\Users\Admin\AppData\Local\DirectDownloader\directdownloader.exe"2⤵PID:1996
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\DirectDownloader\directdownloader.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:3204 -
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\DirectDownloader\directdownloader.exe"3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:4728
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\DirectDownloader\directdownloader.exe" "DirectDownloader" ENABLE2⤵
- Suspicious use of WriteProcessMemory
PID:1760 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\DirectDownloader\directdownloader.exe" "DirectDownloader" ENABLE3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:1928
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
7B
MD5824ab679eea19c5b43b186800c2c625f
SHA1f8b90bc89117ac4f1a272e7acef952a79a64b617
SHA256f6d4a23bd6b412e4d4906cbd1c56dcbcf5ddd96b6a9098ceba96be94e52f7ab3
SHA512e13bb9c005c2acb412916bf0f4a37b39c2800298042d5344b877143d1b767342903c9bb3e8d4eda75f37cc323b5f623d6bf34629d2c999c7df316de4ffd3caf4
-
Filesize
155KB
MD5e1098470152dc10fb29b3ad7b4e5f5cf
SHA1ae5a796340be8f0912d6c85f81dce21211aaaf15
SHA2563832d19f80a84069c5010266fa3cf11eee5bb1c3d1b2ba278e49519519561b8a
SHA5120ba3a53a3021be99aaf5cf8af54f214feea0f80f112a7ffb209b4c2c0539f8b8b6cd087ba7ed6501c9b79e0a9496494e471ac43f9b7f0aacf58866c01e90e7c6