Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/07/2024, 01:26

General

  • Target

    59e683b3b3a74db9464adf4c0fc687fb_JaffaCakes118.exe

  • Size

    25KB

  • MD5

    59e683b3b3a74db9464adf4c0fc687fb

  • SHA1

    313f459ed1ea49ea4fb158b2dfa4447013e7a076

  • SHA256

    e10a86ddcee14d8bb0b849c589ed2559d8378ee3ef4bacf41276948f5a606bc1

  • SHA512

    e287de0de66cdd6c809e6c45f43f48c30ab80b2c380c7d810f2433f739b9325347f45e6eecb6f54942b6176efe83d9630bd6d1f15f98a66072e1baa2d40e730a

  • SSDEEP

    768:8UMljZ8lPdlQcH+7+ZPCYqCkol9Y8VpR1CT6:81tZ8lPdlQcH+7yCY5RX1CT6

Score
8/10
upx

Malware Config

Signatures

  • Drops file in Drivers directory 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\59e683b3b3a74db9464adf4c0fc687fb_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\59e683b3b3a74db9464adf4c0fc687fb_JaffaCakes118.exe"
    1⤵
    • Drops file in Drivers directory
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2992
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uuu.bat" "
      2⤵
        PID:5076
      • C:\Windows\SysWOW64\mspaint.exe
        C:\Users\Admin\AppData\Local\Temp\59e683b3b3a74db9464adf4c0fc687fb_JaffaCakes118.exe
        2⤵
          PID:1936
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 12
            3⤵
            • Program crash
            PID:2476
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1936 -ip 1936
        1⤵
          PID:3480

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\uuu.bat

          Filesize

          55B

          MD5

          3494943ded62289772eb4ffad9765057

          SHA1

          e307f4458c4c96df28e2960b8a12f5f098729d77

          SHA256

          6b4dd8956842f6cd4bb4ed52bd38ff63a81f1e1a0389927617437852cd109566

          SHA512

          eb601e4a520d8b1d305064cc77132a890f8b8000fafa32c14c1413e6b26f49605f7ee327b8233cb7294b83bd605ebf17f3d8eb06b28df103714802fde22fa9ab

        • C:\Windows\SysWOW64\drivers\pcidump.txt

          Filesize

          14KB

          MD5

          6f8d7c787c11b2533f99c4a9e730bb99

          SHA1

          4ae84b8bc7a7e4440800e98194788a8bbf05beb9

          SHA256

          26bfe5dc67ebf16c052daf1fb90bb3bfe5744364d8592f154639309ecf6a86b1

          SHA512

          ae076b4f000c39d88d108d202365177266d87e1245d68ad325a588d3275526cc646979fc8fb8c2bb03bb5beed41926934dac4d0ccfc4d06c2030a72f3d164e57

        • memory/1936-8-0x0000000000400000-0x0000000000409000-memory.dmp

          Filesize

          36KB

        • memory/2992-0-0x0000000000400000-0x0000000000411000-memory.dmp

          Filesize

          68KB

        • memory/2992-10-0x0000000000400000-0x0000000000411000-memory.dmp

          Filesize

          68KB