Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15/07/2024, 11:38

General

  • Target

    499de033296b91bb87a8d7d043b929b0_JaffaCakes118.exe

  • Size

    24KB

  • MD5

    499de033296b91bb87a8d7d043b929b0

  • SHA1

    f0094815d31f8912f4aa582689696fda7c1e16d4

  • SHA256

    331c0b59e82feb04a7c4fc326b5a49f53738aec7ff4158d74f338e122c1f40d9

  • SHA512

    12119f23ba7b22f7710bff7896b8241ffcc88e165e2cfaa75cbd598175f47435367495117b40f52ec189ba7211bdf60066db7e88815c24ec557092a8a83484e3

  • SSDEEP

    384:E3eVES+/xwGkRKJalM61qmTTMVF9/q5F0:bGS+ZfbJaO8qYoAK

Score
6/10

Malware Config

Signatures

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Gathers network information 2 TTPs 2 IoCs

    Uses commandline utility to view network configuration.

  • Runs net.exe
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\499de033296b91bb87a8d7d043b929b0_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\499de033296b91bb87a8d7d043b929b0_JaffaCakes118.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2996
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ver >c:\windows\temp\flash.log & cmd /c set >>c:\windows\temp\flash.log & ipconfig /all >>c:\windows\temp\flash.log & tasklist >>c:\windows\temp\flash.log & net start>>c:\windows\temp\flash.log & netstat -an >>c:\windows\temp\flash.log
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1508
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c set
        3⤵
          PID:2044
        • C:\Windows\SysWOW64\ipconfig.exe
          ipconfig /all
          3⤵
          • Gathers network information
          PID:3316
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          3⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:1424
        • C:\Windows\SysWOW64\net.exe
          net start
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3044
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 start
            4⤵
              PID:3696
          • C:\Windows\SysWOW64\NETSTAT.EXE
            netstat -an
            3⤵
            • Gathers network information
            • Suspicious use of AdjustPrivilegeToken
            PID:368

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • \??\c:\windows\temp\flash.log

        Filesize

        14KB

        MD5

        dd9467735ce3169973a01b545861a435

        SHA1

        6df1439e4ea98ff48507b14a6b45c563a84a3fe8

        SHA256

        4d12da93501bdfee19f43ff152372306ccbf5b095d50dd34725c1eb5dff91917

        SHA512

        9b7b61595a440419bc1f836494e11cd74eefb9057015a46029feda399a0bc628c352554f59ba236ca33099a8926f97ce5240678e082890e3586a34cb8b52ca21