Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20/07/2024, 05:18

General

  • Target
    5f2aaa3458a8a94a91dd71586935b2b2_JaffaCakes118.exe
  • Size
    770KB
  • MD5
    5f2aaa3458a8a94a91dd71586935b2b2
  • SHA1
    a16221e31c960dafe501a3fca7e394d92c0e0682
  • SHA256
    af351378c41c581f1f9b8fb2d80090e4aa1ec844c417eb0ebae479be4cbc6ce3
  • SHA512
    fc3a35ba008523cb21e4006b34e5fcf7e8935471c4ccf40661737dad62f5de4acc0e83f8d7692517e93488b06290edb913a0e9f9a790c54dde06bdacb055e094
  • SSDEEP
    12288:0krXV6E2/ZX7kGRE/E2HjwZCSBcbn68wGhQ4kkR7DaKAa9VSaQwBirzeF58Lm32:XF6E2BX4qByk4vwGhQ4w+BomWY2

Score
8/10

Malware Config

Signatures

  • Adds policy Run key to start application (2 TTPs, 2 IoCs)
  • Checks computer location settings (2 TTPs, 1 IoC)
    Looks up country code configured in the registry, likely geofence.
  • Executes dropped EXE (2 IoCs)
  • Loads dropped DLL (4 IoCs)
  • Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
  • Modifies registry key (1 TTP, 1 IoC)
  • Suspicious behavior: EnumeratesProcesses (20 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of SetWindowsHookEx (4 IoCs)
  • Suspicious use of WriteProcessMemory (15 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\5f2aaa3458a8a94a91dd71586935b2b2_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\5f2aaa3458a8a94a91dd71586935b2b2_JaffaCakes118.exe"
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5048
    • C:\Users\Admin\AppData\Local\option.exe
      "C:\Users\Admin\AppData\Local\option.exe"
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetWindowsHookEx
      PID:2348
    • C:\Users\Admin\AppData\Local\scrss.exe
      "C:\Users\Admin\AppData\Local\scrss.exe"
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:3376
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c syscheck.bat
      • Suspicious use of WriteProcessMemory
      PID:1876
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /V scrss.exe /D "\"C:\Users\Admin\AppData\Local\scrss.exe \"" /f
        • Suspicious use of WriteProcessMemory
        PID:4116
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /V scrss.exe /D "\"C:\Users\Admin\AppData\Local\scrss.exe \"" /f
          • Adds policy Run key to start application
          • Modifies registry key
          PID:2376

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\syscheck.bat
    Filesize
      168B
    MD5
      0d92b381efa1a49bd3cc2cf3ff28bd45
    SHA1
      23fac6be89436f94a4f8fca5057be514c787b9b6
    SHA256
      b5b5a4055d2b10d9e6af0580c28ee9099632cc36eaa946ce442f65a77ee92e84
    SHA512
      78b611a37cf21a0bb26204f0f3057b5d800be3c2ad8190af06725e82bdcc883473cb0087f1f7bc8c0199467d14282ea92d340421d8bf796f7e45451727f66391
  • C:\Users\Admin\AppData\Local\ntldr.dll
    Filesize
      92KB
    MD5
      8a5e40eb6518353e5758e5b237897c78
    SHA1
      dd452e565485f48c2131dadc40a32b0d3007cef6
    SHA256
      5f8ba5c1522847452d92b507770bfb454548d8a02232040c6be4323792400d4f
    SHA512
      c941b82c3bd6be61506ac9215ab8e26983a8654444703b5a0236739a3b50a498ed0c65054b68481c026123d88b0f0e9e36f92b0f0028b4cc034345ec17f3b268
  • C:\Users\Admin\AppData\Local\option.exe
    Filesize
      232KB
    MD5
      81834d4397b63bd30f869289df27e810
    SHA1
      0a969151a4b1f227be7c7b4643f44eff32d3e5af
    SHA256
      343e9ecd7836063440cf7e3d7002af182047fbde667e6d2eaae9021975385452
    SHA512
      57e52f62b9f1922a2a5e435f461387cba50bd5a6fd93b750c98d3a69f806264416023c7fc5f31f118110fb8d729cdcf6c0516e7c3a496b5040876a1999e684a8
  • C:\Users\Admin\AppData\Local\scrss.exe
    Filesize
      237KB
    MD5
      c8c37aa823da020c7bc6c86752e2d3f5
    SHA1
      9c8dcc78b838ba7cf33160b48dfd7a061ff1318e
    SHA256
      52e24c3734c8656dff8603d706cf711bd63fd120d19633e7c0c4568f54e249c9
    SHA512
      b2129ebd8205e6bd4be4a34e8f09a4e0c0f2882cdde7afe631206d76ea50799fae8be61cbb4ebf8af3f5b883d852ec5fbfe868ab81007d46deadeded81316a63
  • memory/2348-30-0x0000000002380000-0x000000000239C000-memory.dmp
    Filesize
      112KB
  • memory/2348-49-0x0000000002380000-0x000000000239C000-memory.dmp
    Filesize
      112KB
  • memory/3376-25-0x00000000004E0000-0x00000000004FC000-memory.dmp
    Filesize
      112KB
  • memory/3376-50-0x0000000000400000-0x0000000000441000-memory.dmp
    Filesize
      260KB
  • memory/3376-51-0x00000000004E0000-0x00000000004FC000-memory.dmp
    Filesize
      112KB
  • memory/3376-54-0x0000000000400000-0x0000000000441000-memory.dmp
    Filesize
      260KB
  • memory/3376-62-0x0000000000400000-0x0000000000441000-memory.dmp
    Filesize
      260KB
  • memory/3376-68-0x0000000000400000-0x0000000000441000-memory.dmp
    Filesize
      260KB
  • memory/3376-74-0x0000000000400000-0x0000000000441000-memory.dmp
    Filesize
      260KB
  • memory/5048-27-0x0000000000400000-0x00000000004C8000-memory.dmp
    Filesize
      800KB