Analysis

  • max time kernel
    142s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19/07/2024, 09:18

General

  • Target

    5b532b0a545e3cbee73ac9d12192dbd6_JaffaCakes118.exe

  • Size

    382KB

  • MD5

    5b532b0a545e3cbee73ac9d12192dbd6

  • SHA1

    020d19ae4625d9f8536a3e9105c4790ab54dfe64

  • SHA256

    e6c3370a121b74be33af5c7daf69750fd1eef77f9a668fcb18639e3da808d67c

  • SHA512

    7adc7b575fc4bae37bd8d58aa8f8f765adea7dec502d4c2a93b9171b5ae6ee5b2acfee121e4c5d48148559ec23673e12c82da1a39c57cbcb24b8301f9c83d51d

  • SSDEEP

    6144:2WaEC2hxAMAhymq6BE8PCaN633aHHc5UykfEOOy+ZXf7UTmmjf/b8NPTZ/5J83:djhKJhDBE263d1kfIZvyjr0ZD83

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in Windows directory 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5b532b0a545e3cbee73ac9d12192dbd6_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\5b532b0a545e3cbee73ac9d12192dbd6_JaffaCakes118.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3028
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Setup.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Setup.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4460
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c C:\Windows\uninstal.bat
        3⤵
          PID:3244
    • C:\Windows\yxxsj.exe
      C:\Windows\yxxsj.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:540
      • C:\Program Files\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
        2⤵
          PID:3512

Network

MITRE ATT&CK Enterprise v15

Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Setup.exe

        Filesize

        743KB

        MD5

        6d426a0b603dfd68be553d6d8b9faa26

        SHA1

        6a21b635ead0bd4e83f27e8f20c8eeb64b50966c

        SHA256

        3292745838d07161d7efc23e7139e065eb18ff626d0361dc7a0e54957ff13507

        SHA512

        306634affc21d9270f5c7a803799b658bb114a6e3ac2c4beef6e65cf1771c4e8a4bd13f056ffe92b690b477c15be71453597dbf742e85c9abd8c0327316897c6

      • C:\Windows\uninstal.bat

        Filesize

        158B

        MD5

        5c7ac7be691db8bc6ab3d17f804859d0

        SHA1

        fa1af53cd2c7a7ccbecf3dfa728ddac591ac73a0

        SHA256

        c078e1033ad4d87f6f7399c028410e2785528064086a7147ee067ffce113fcb1

        SHA512

        2e10ee35e3574bacabcdf43f9d50d42ec91eacbb23ab3f39ecd28358eee550ef157ea15fa4e73449a28b2002043030da13239aee325b94ff0d0b4ca42af42f8c

      • memory/540-11-0x0000000000EE0000-0x0000000000EE1000-memory.dmp

        Filesize

        4KB

      • memory/540-17-0x0000000000400000-0x00000000004C2000-memory.dmp

        Filesize

        776KB

      • memory/540-19-0x0000000000EE0000-0x0000000000EE1000-memory.dmp

        Filesize

        4KB

      • memory/3028-0-0x0000000001000000-0x00000000010C1400-memory.dmp

        Filesize

        773KB

      • memory/3028-15-0x0000000001000000-0x00000000010C1400-memory.dmp

        Filesize

        773KB

      • memory/4460-6-0x00000000007E0000-0x00000000007E1000-memory.dmp

        Filesize

        4KB

      • memory/4460-14-0x0000000000400000-0x00000000004C2000-memory.dmp

        Filesize

        776KB