Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15/07/2024, 17:43

General

  • Target

    4abae2b952a10dd442eef4ea4fa9015f_JaffaCakes118.exe

  • Size

    287KB

  • MD5

    4abae2b952a10dd442eef4ea4fa9015f

  • SHA1

    8bd1cbf7d6699e9e36938345b5635aff4f601f12

  • SHA256

    f0cccead9c7b601d53c2898a5a78b75f7697a09bb999df05569656aa10a6e769

  • SHA512

    af4c28d62efde7e9af3df50f9eb5eed2f2c9d5d2593e3cc8513a7ba0b3b6f7d10c11d7033c51595efc73c81d0b366578c9f9db17a192b09e4ab402d71a65c787

  • SSDEEP

    6144:bH1JN0LUy75+ZPPfnE2Qyn2SyIilK9Xy61Bt4g75+ZPPfnE2Qyn20Ur:T1f4F+ZPPfnEUnydYugF+ZPPfnEUnI

Malware Config

Signatures

  • ACProtect 1.3x - 1.4x DLL software 2 IoCs

    Detects file using ACProtect software.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 12 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4abae2b952a10dd442eef4ea4fa9015f_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\4abae2b952a10dd442eef4ea4fa9015f_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3704
    • C:\Program Files (x86)\IETab\IETab.exe
      "C:\Program Files (x86)\IETab\IETab.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4996
      • C:\Windows\SysWOW64\regsvr32.exe
        regsvr32 /s "C:\Program Files (x86)\IETab\IETab.dll"
        3⤵
          PID:1276
      • C:\Windows\SysWOW64\explorer.exe
        C:\Windows\system32\explorer.exe
        2⤵
        • Deletes itself
        PID:4448

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\IETab\IETab.exe

      Filesize

      102KB

      MD5

      d4d3eaf1936ba7bc33c9915a9d15443b

      SHA1

      17a662a957539473dd73b494248cf538e1a1736b

      SHA256

      5e4beb7e70af6f40217db1869da66458e1fedb5452dfafa1985384615876b1ea

      SHA512

      eb99e6d9db330e43cf0e0c143a071ee2bc809485c44098fb740583d037b7ab177992fdb7c5a0ead75951625966bf2c03038178102654da326a7fc125b3abaa95

    • C:\Users\Admin\AppData\Local\Temp\nssCBCD.tmp\IpConfig.dll

      Filesize

      114KB

      MD5

      a3ed6f7ea493b9644125d494fbf9a1e6

      SHA1

      ebeee67fb0b5b3302c69f47c5e7fca62e1a809d8

      SHA256

      ec0f85f8a9d6b77081ba0103f967ef6705b547bf27bcd866d77ac909d21a1e08

      SHA512

      7099e1bc78ba5727661aa49f75523126563a5ebccdff10cabf868ce5335821118384825f037fbf1408c416c0212aa702a5974bc54d1b63c9d0bcade140f9aae1

    • C:\Users\Admin\AppData\Local\Temp\nssCBCD.tmp\NSISdl.dll

      Filesize

      14KB

      MD5

      a5f8399a743ab7f9c88c645c35b1ebb5

      SHA1

      168f3c158913b0367bf79fa413357fbe97018191

      SHA256

      dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9

      SHA512

      824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977

    • C:\Users\Admin\AppData\Local\Temp\nssCBCD.tmp\SelfDel.dll

      Filesize

      4KB

      MD5

      7cff7fe2caea5184d98c147e7e263132

      SHA1

      21f39d3d0dd5f7198d67ef30e95d10ae3460093e

      SHA256

      281c39b733579e031c62bdd247b41543ece1fe3bd6eda26fc8ad474b10f33101

      SHA512

      fb1161b8571d1d0c67e2df0d571b08f5e7a73f81409aed847344154d02406910629181bcce4e18e998ec472f51a6a1b40d956a010abdd10e850413aafa87808a

    • C:\Users\Admin\AppData\Local\Temp\nssCBCD.tmp\UAC.dll

      Filesize

      13KB

      MD5

      29858669d7da388d1e62b4fd5337af12

      SHA1

      756b94898429a9025a04ae227f060952f1149a5f

      SHA256

      c24c005daa7f5578c4372b38d1be6be5e27ef3ba2cdb9b67fee15cac406eba62

      SHA512

      6f4d538f2fe0681f357bab73f633943c539ddc1451efa1d1bb76d70bb47aa68a05849e36ae405cc4664598a8194227fa7053de6dbce7d6c52a20301293b3c85f

    • C:\Users\Admin\AppData\Local\Temp\nssCBCD.tmp\fct.dll

      Filesize

      4KB

      MD5

      e3f3809f51c7982d96aaf9c090f7d176

      SHA1

      7494daa8000c0b31c58d94edc509232569a4606f

      SHA256

      010f5e0c69b4a630b08b2551e03d8044a33350f151848dcf50953407012fab29

      SHA512

      3fca284e384abc95201dc73f19bd9d75413e8890e819967070b9d9991115be2a8c17e07bd1aaaffcbc770b393bf9a2af253100ac4d9efba8d21110bac97737fc

    • C:\Users\Admin\AppData\Local\Temp\nssCBCD.tmp\nsProcess.dll

      Filesize

      4KB

      MD5

      05450face243b3a7472407b999b03a72

      SHA1

      ffd88af2e338ae606c444390f7eaaf5f4aef2cd9

      SHA256

      95fe9d92512ff2318cc2520311ef9145b2cee01209ab0e1b6e45c7ce1d4d0e89

      SHA512

      f4cbe30166aff20a226a7150d93a876873ba699d80d7e9f46f32a9b4753fa7966c3113a3124340b39ca67a13205463a413e740e541e742903e3f89af5a53ad3b

    • memory/3704-0-0x0000000000400000-0x0000000000446000-memory.dmp

      Filesize

      280KB

    • memory/3704-44-0x0000000002F50000-0x0000000002F76000-memory.dmp

      Filesize

      152KB

    • memory/3704-60-0x0000000073580000-0x0000000073589000-memory.dmp

      Filesize

      36KB

    • memory/3704-74-0x0000000000400000-0x0000000000446000-memory.dmp

      Filesize

      280KB

    • memory/4448-75-0x00000000004A0000-0x00000000004E0000-memory.dmp

      Filesize

      256KB