Analysis

  • max time kernel
    140s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    18/07/2024, 23:56

General

  • Target

    59a124f03e118ef649f0fcdc12c3515d_JaffaCakes118.exe

  • Size

    952KB

  • MD5

    59a124f03e118ef649f0fcdc12c3515d

  • SHA1

    0cde93f866e062b030f2b7d1e6f81c8f939fa761

  • SHA256

    c9b14e04a3dd0f3d145aada5132726f9acd6302a7eab7958e50d5d25b62bf1d6

  • SHA512

    6bd0c47354b139097feaa088b891229e0d97aa75897f04025817bb5ede6cf11283059f3a9f1da48c4ea5a98e48340e027cb1a987070515d7d4e9ef27d3580081

  • SSDEEP

    12288:eD7lxIXgij3qi3MAxGQ3BdOukFfY+F1ldsui3hBTo:eEXjj3qgPGQ3BVkpY+F1ldsui37To

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 57 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\lsass.exe
    C:\Windows\system32\lsass.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:668
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
    1⤵
    PID:2228
  • C:\Windows\sysmon.exe
    C:\Windows\sysmon.exe
    1⤵
    PID:2828
  • C:\Windows\system32\backgroundTaskHost.exe
    "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
    1⤵
    PID:4896
  • C:\Users\Admin\AppData\Local\Temp\59a124f03e118ef649f0fcdc12c3515d_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\59a124f03e118ef649f0fcdc12c3515d_JaffaCakes118.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:556
    • C:\Users\Admin\AppData\Local\Temp\pwdump.exe
      -x -o "C:\Users\Admin\AppData\Local\Temp\127.0.0.1.pwdump" -u "(null)" -p "(null)" 127.0.0.1
      2⤵
      • Executes dropped EXE
      PID:4748
    • C:\Users\Admin\AppData\Local\Temp\cachedump64.exe
      -v
      2⤵
      • Executes dropped EXE
      PID:4340
  • C:\Users\Admin\AppData\Local\Temp\servpw64.exe
    C:\Users\Admin\AppData\Local\Temp\servpw64.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3028
  • C:\Users\Admin\AppData\Local\Temp\cachedump64.exe
    "C:\Users\Admin\AppData\Local\Temp\cachedump64.exe" -s
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    PID:548
  • C:\Windows\System32\WaaSMedicAgent.exe
    C:\Windows\System32\WaaSMedicAgent.exe aeaeb17a7fddda9bfee285d9e65e8757 rjbZ+Uwfk0GzjeYQMC3eqg.0.1.0.0.0
    1⤵
    PID:1524
  • C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
    1⤵
    PID:2436
  • C:\Windows\System32\mousocoreworker.exe
    C:\Windows\System32\mousocoreworker.exe -Embedding
    1⤵
    PID:872
  • C:\Windows\system32\backgroundTaskHost.exe
    "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
    1⤵
    PID:2388
  • C:\Windows\system32\backgroundTaskHost.exe
    "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
    1⤵
    PID:1316
  • C:\Windows\system32\BackgroundTransferHost.exe
    "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
    1⤵
    PID:2460

Network

MITRE ATT&CK Matrix

Downloads

  • C:\Users\Admin\AppData\Local\Temp\cachedump.exe

    Filesize

    124KB

    MD5

    9de5b79050879af333d8a0ec555d6b57

    SHA1

    645ef72ca81627c351b5e8f9652b7a3399ac815f

    SHA256

    cf58ca5bf8c4f87bb67e6a4e1fb9e8bada50157dacbd08a92a4a779e40d569c4

    SHA512

    47f7624155db8f5b5e1b579279f62a402212ccc883f2d7724764a7057d78b099794d5805c2ca7c8a5e53ffaf7fe1122a7773dad464e8a2e7ec00db841357a3f9

  • C:\Users\Admin\AppData\Local\Temp\lsremora64.dll

    Filesize

    79KB

    MD5

    3fed6dc4ba33df1eadcbc50d88dcef7a

    SHA1

    321056f98ddcb005dd84ddab730175d81f8b6213

    SHA256

    efa66f6391ec471ca52cd053159c8a8778f11f921da14e6daf76387f8c9afcd5

    SHA512

    f917d89be3108721530df98221ea9cc268f491b3dbee324c251649969684616b4168cf9629f772a8515cf1e63e1139da30aff874e6d4119429ce12f7dff2014c

  • C:\Users\Admin\AppData\Local\Temp\pwdump.exe

    Filesize

    144KB

    MD5

    f959f07a120d759ddd1ae4aa9ff32c75

    SHA1

    91e0b49044f004618ffa777b503f7d392dc660be

    SHA256

    3c796092f42a948018c3954f837b4047899105845019fce75a6e82bc99317982

    SHA512

    ac7c9dcb05d4110db39838185b501dda8dbd9ce4ababbfd57f63505649f2df92599a62e995495aac21951ea415091b6d0f7b13a041f5f32937341fba6ae7f4bf

  • C:\Users\Admin\AppData\Local\Temp\servpw64.exe

    Filesize

    68KB

    MD5

    981e82f907d1943f3ee06e05aecf7c31

    SHA1

    bbbfb6a24db8b284117b5af621829086d808cf7d

    SHA256

    97b39ac28794a7610ed83ad65e28c605397ea7be878109c35228c126d43e2f46

    SHA512

    3944731d60a0a57a226ce846a54b5ef021757dd983262c1f7e690e6c07608fd96c2551d5d9a3f14da1b80411f1662e14a50306b8601999a2dab3c87ce4d0e5b0

  • memory/668-19-0x000001EE1ED20000-0x000001EE1ED21000-memory.dmp

    Filesize

    4KB
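The process tree and the Downloads list above give two kinds of indicators worth turning into a check: file hashes, and a characteristic spawn pattern in which a Temp-resident dropper (PID 556) launches pwdump.exe with `-o <path>.pwdump ... -u ... -p ... 127.0.0.1` and cachedump64.exe, while servpw64.exe loads lsremora64.dll and lsass.exe (PID 668) shows UnmapMainImage and WriteProcessMemory activity. Those component names and the pwdump -o/-u/-p syntax match the pwdump6/fgdump credential-dumping toolkit; treat that as an inference from names and syntax, not a verified attribution. The block below is an added example, not part of the tria.ge report or of any tool it names: it matches the page's hashes and spawn pattern against Sysmon-style process events. The events are constructed to mirror this tree; field names follow Sysmon Event ID 1 (ProcessCreate) and 10 (ProcessAccess) JSON exports, and the parent PIDs and the GrantedAccess mask on the lsass event are assumptions.

```python
"""Added example (not part of the tria.ge report): match this page's IOCs
against Sysmon-style process events. Event dicts follow the field names of
Sysmon Event ID 1 (ProcessCreate) and 10 (ProcessAccess) as exported to JSON;
the sample events below are constructed to mirror the process tree above."""
import hashlib
import re
from pathlib import PureWindowsPath

# Hashes taken from the General and Downloads sections of this page.
SAMPLE_SHA256 = "c9b14e04a3dd0f3d145aada5132726f9acd6302a7eab7958e50d5d25b62bf1d6"
DROPPED_SHA256 = {
    "cf58ca5bf8c4f87bb67e6a4e1fb9e8bada50157dacbd08a92a4a779e40d569c4": "cachedump.exe",
    "efa66f6391ec471ca52cd053159c8a8778f11f921da14e6daf76387f8c9afcd5": "lsremora64.dll",
    "3c796092f42a948018c3954f837b4047899105845019fce75a6e82bc99317982": "pwdump.exe",
    "97b39ac28794a7610ed83ad65e28c605397ea7be878109c35228c126d43e2f46": "servpw64.exe",
}
# Dumper binaries named in the process tree (matched on lower-cased basename).
DUMPER_NAMES = {"pwdump.exe", "cachedump.exe", "cachedump64.exe", "servpw64.exe"}
# pwdump invocation seen above: "-o <path>.pwdump" followed by "-u <user>".
PWDUMP_CMDLINE = re.compile(r'-o\s+"?[^"\s]+\.pwdump"?.*\s-u\s', re.IGNORECASE)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# Win32 process access rights relevant to lsass tampering (standard values).
PROCESS_CREATE_THREAD, PROCESS_VM_WRITE = 0x0002, 0x0020


def basename(path):
    return PureWindowsPath(path).name.lower()


def sha256_of(path):
    """Hash a file on disk (e.g. a quarantined Temp drop) for comparison."""
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def score_process_create(ev, parent_images):
    """Reasons an Event ID 1 record should be flagged; empty list if none."""
    reasons = []
    digest = ev.get("SHA256", "").lower()
    if digest == SAMPLE_SHA256:
        reasons.append("hash matches submitted sample")
    elif digest in DROPPED_SHA256:
        reasons.append(f"hash matches dropped file {DROPPED_SHA256[digest]}")
    name = basename(ev["Image"])
    if name in DUMPER_NAMES:
        reasons.append(f"known credential-dumper binary name {name}")
    if PWDUMP_CMDLINE.search(ev.get("CommandLine", "")):
        reasons.append("pwdump-style command line (-o *.pwdump ... -u)")
    parent = parent_images.get(ev["ParentProcessId"], "")
    if TEMP_DIR.search(parent) and TEMP_DIR.search(ev["Image"]):
        reasons.append("Temp-resident parent spawned Temp-resident child")
    return reasons


def score_process_access(ev):
    """Flag an Event ID 10 record whose target is lsass.exe with write/thread rights."""
    if basename(ev["TargetImage"]) != "lsass.exe":
        return []
    access = int(ev["GrantedAccess"], 16)
    if access & (PROCESS_CREATE_THREAD | PROCESS_VM_WRITE):
        return [f"{basename(ev['SourceImage'])} opened lsass.exe with access 0x{access:x}"]
    return []


def triage(events):
    """Return {pid: [reasons]} for every event that trips at least one rule."""
    parent_images = {e["ProcessId"]: e["Image"] for e in events if e["EventID"] == 1}
    hits = {}
    for e in events:
        if e["EventID"] == 1:
            pid, reasons = e["ProcessId"], score_process_create(e, parent_images)
        else:
            pid, reasons = e["SourceProcessId"], score_process_access(e)
        if reasons:
            hits[pid] = reasons
    return hits


TEMP = r"C:\Users\Admin\AppData\Local\Temp"
# Constructed events; parent PIDs and the lsass GrantedAccess mask are assumed.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 556, "ParentProcessId": 4000,
     "Image": TEMP + r"\59a124f03e118ef649f0fcdc12c3515d_JaffaCakes118.exe",
     "CommandLine": '"' + TEMP + r'\59a124f03e118ef649f0fcdc12c3515d_JaffaCakes118.exe"',
     "SHA256": SAMPLE_SHA256},
    {"EventID": 1, "ProcessId": 4748, "ParentProcessId": 556, "Image": TEMP + r"\pwdump.exe",
     "CommandLine": '-x -o "' + TEMP + r'\127.0.0.1.pwdump" -u "(null)" -p "(null)" 127.0.0.1',
     "SHA256": "3c796092f42a948018c3954f837b4047899105845019fce75a6e82bc99317982"},
    {"EventID": 1, "ProcessId": 4340, "ParentProcessId": 556, "Image": TEMP + r"\cachedump64.exe",
     "CommandLine": "-v", "SHA256": "0" * 64},  # cachedump64.exe has no hash on this page
    {"EventID": 1, "ProcessId": 2228, "ParentProcessId": 600, "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation",
     "SHA256": "1" * 64},
    {"EventID": 10, "SourceProcessId": 3028, "SourceImage": TEMP + r"\servpw64.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
]

if __name__ == "__main__":
    for pid, reasons in sorted(triage(SAMPLE_EVENTS).items()):
        print(pid, "->", "; ".join(reasons))
```

The hash rules only catch the four files the page lists; cachedump64.exe and the x86 cachedump.exe variant the dropper writes are caught by name and by the Temp-parent-to-Temp-child rule, which is the more durable signal because the binaries are trivially rebuilt. The lsass rule uses the access-mask bits rather than a fixed mask value, so a dumper that requests fewer rights than 0x1FFFFF still trips it.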