Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19/07/2024, 20:08

General

  • Target
    5d7bbd8f8d2858b947ebbbf5e8366c02_JaffaCakes118.exe
  • Size
    654KB
  • MD5
    5d7bbd8f8d2858b947ebbbf5e8366c02
  • SHA1
    0ebfba42374fea084b32522060a46c14d39e0c4c
  • SHA256
    cfb918dff19f116dc17cd08ca2e9aca1d10eb2b8c5239146045154d614d9c240
  • SHA512
    44cad738aca3660f598b7661b859c96db9e64e60682b86cb64a2f118f97aaa444548fa63ec5201b75220e9b160ddf53ec369859e5d7f241ea85248fb5eb59d1b
  • SSDEEP
    12288:wrmZGB/ZxZ2jcrRKpzqQDaDQx76kvsz3J1R7JiYitaLoSp:wr3VZxZ2C8zqQ+QV6s6Z1N8O

Score
7/10
upx

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in System32 directory 6 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5d7bbd8f8d2858b947ebbbf5e8366c02_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\5d7bbd8f8d2858b947ebbbf5e8366c02_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2816
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9E24.tmp\sso.bat" "
      2⤵
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:4156
      • C:\Windows\SysWOW64\attrib.exe
        attrib C:\Windows\system32\GroupPolicy\*.* -r -s -h /s /d
        3⤵
        • Drops file in System32 directory
        • Views/modifies file attributes
        PID:220
      • C:\Windows\SysWOW64\reg.exe
        reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager" /v "PendingFileRenameOperations2" /t "REG_MULTI_SZ" /d "\??\C:\Windows\ime0\0\??C:\Windows\ime\0\??\C:\Windows\ime\scripts.ini\0\??\C:\Windows\System32\GroupPolicy\user\Scripts\scripts.ini" /f
        3⤵
        PID:1588
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • Suspicious use of AdjustPrivilegeToken
        PID:2272
      • C:\Windows\SysWOW64\findstr.exe
        findstr /i "ravmond.exe"
        3⤵
        PID:4812
      • C:\Windows\SysWOW64\rundll32.exe
        C:\Windows\system32\rundll32.exe C:\Windows\ime\winxp.dat,Launch
        3⤵
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        PID:1360
      • C:\Windows\ime\svcttkt.exe
        C:\Windows\ime\svcttkt.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:3144

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files\Common Files\System\Ole DB\msadotb.htm
    Filesize
    443B
    MD5
    394f21b8b73546aa3346878f6e894d09
    SHA1
    537d99a43b51f7c198c1764ed7a9968658fb13b5
    SHA256
    2b4c65c614ac358f866bd91ae65a32e2b058cc9e4c91baebaf2adc1016e9d2d3
    SHA512
    ae988f7e1f4aef4351fd97fc7c6e8d392b3c9a208486358626b9f17390169a8b508e490d5e948085fa60f0036f68b14b2cde63566d8901229228f2e68447dff0
  • C:\Users\Admin\AppData\Local\Temp\9E24.tmp\sso.bat
    Filesize
    1KB
    MD5
    87ec8415dca590be1f38a046c1712670
    SHA1
    1f7e1d8402a896172e166bd140bc2244df3e8dc1
    SHA256
    7da9f7ec467b93e536f419b762557f04c50f8b830adcc55d407c4832744f376e
    SHA512
    104cb0980f2f3b7a8b36822326b9fb2e14d4e5e4adfeff12566592c114eae9955ab8f5a498e83f9e212365cf77e6cc0c1d299f8a83dcf5cf63f7e14439a2ca02
  • C:\Users\Admin\AppData\Local\Temp\9E24.tmp\tb.dat
    Filesize
    11.1MB
    MD5
    877418338a6ec6eef514cf61e9a46de0
    SHA1
    27263bbd9841b27a363c1084c21686cbd89cc537
    SHA256
    60c60f19dd38ae9cdb3857c63986504212e154f1d580156d90317027b0c3910a
    SHA512
    7b633efacc552288b6340428a8dee40f7e7a551d1e3beb40bb6ba9afc70a6e2a7be5bfe9c80262f946b6bbae74d05278a6fd81bea3b580aa9b18aa872dd2d758
  • C:\Users\Admin\AppData\Local\Temp\9E24.tmp\win.bat
    Filesize
    1KB
    MD5
    c48370acb2152b96f50eed42c5e0339b
    SHA1
    649f98316924a75adc4167df424946d34cd0db19
    SHA256
    b26417db14dc4acf04e19cbb0fddb22a2b5c427c7a5e586878cd1d1a746678dc
    SHA512
    2f9c966aca621018d039f030f0d5e147d43ed72c0fffa1586d2400f2baf0019201dd2fc5eead557694387f8ae42b9a3820c188120a4db2161d9485e8d7290219
  • C:\Users\Admin\AppData\Local\Temp\9E24.tmp\woti.dat
    Filesize
    10.2MB
    MD5
    949947d4f9a3e85fa6e1ff6ba9878912
    SHA1
    ab6cf0c926ab297cd4b7ecd5e93cd74d7cd1baa4
    SHA256
    1a88d5afbe5a769551a40adc45586b655e020cbda6d39018aae2f7e847f03811
    SHA512
    8131c00420ac76549b315847126dd4dd60be4c75ff0870fd2b421a7c6b46240947d627cc9594a15ca124c6e4eb55dd0791e99494c2cbde4841d21d72c7e26661
  • C:\Windows\IME\de-DE\svcttkt.ini
    Filesize
    119B
    MD5
    2cd5adf7925cba6db30dededdd3e2dc4
    SHA1
    c1493f69d49bd873573bffef727fd420a05c5e27
    SHA256
    24949fe14f0579dd361a830325cc7fb57ceff8c01bc2c596d9f50fb1da16580f
    SHA512
    2513bc56188e3f900ddc46ff08ba13cdcf03e387e0198f92db3b3f0d0c411d07f5894d57996142631b79333e507578a3a2f7a9d677c80f0393a75845b469743e
  • C:\Windows\IME\scripts.ini
    Filesize
    44B
    MD5
    f1ccc9de1b67d00d55abfea224e65b88
    SHA1
    403e72f73cf9fec96c9410c6e2a4a0d81e1088e4
    SHA256
    4895be9dd90dbca6ce8ebe08bb8f4445926e8dc8cf6629fb722e63f6b047216b
    SHA512
    d871c841a0342342ec5969e1389a964516a31531abc38574f5c46e254886bd4867aa71758ad325b7738b47faf34dfd8f684e06770eb8948e69a04d144d18dc41
  • memory/1360-47-0x0000000073F30000-0x0000000074049000-memory.dmp
    Filesize
    1.1MB
  • memory/1360-67-0x0000000073F30000-0x0000000074049000-memory.dmp
    Filesize
    1.1MB
  • memory/2816-0-0x0000000000400000-0x0000000001954000-memory.dmp
    Filesize
    21.3MB
  • memory/2816-51-0x0000000000400000-0x0000000001954000-memory.dmp
    Filesize
    21.3MB
  • memory/3144-65-0x0000000000400000-0x0000000000511000-memory.dmp
    Filesize
    1.1MB