Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    144s
  • max time network
    109s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23/07/2024, 02:02

General

  • Target

    65b77dc9bcc299eb6c89b7a634c923d7_JaffaCakes118.exe

  • Size

    409KB

  • MD5

    65b77dc9bcc299eb6c89b7a634c923d7

  • SHA1

    332deaaa6ffe33f5e7820a5d7ec9fd67e7b8395e

  • SHA256

    24fc182e430c1d3e140af10bce14ca417f912dc93de5f2d5aeaaa9708b6a2623

  • SHA512

    aeb4579f9f96cb3d4ce257558dbdf500c4ef192347952fae35bbb0c1f4fce470e5a1271d88fbc447482a7ddbb8dab85f5cfef2c620ed96c3af5f44759aa170d5

  • SSDEEP

    12288:DA4goYcLbiCwhCXfVjIzU8F3Ug9DO7hzm9ubK3rrE4GWHG4:DAtcLECXpIz1F3Rk2304GW

Score
7/10
upx

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 6 IoCs
  • Program crash 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\65b77dc9bcc299eb6c89b7a634c923d7_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\65b77dc9bcc299eb6c89b7a634c923d7_JaffaCakes118.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:4396
    • C:\Windows\Tkusya.exe
      C:\Windows\Tkusya.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      PID:4368
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4368 -s 832
        3⤵
        • Program crash
        PID:31156
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4368 -ip 4368
    1⤵
      PID:31160

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job

      Filesize

      390B

      MD5

      5f241503e5584c4d2c87080bec761660

      SHA1

      1ea014c73024bdafea895c68174ac33f48a6e9a8

      SHA256

      5eab214b99b3d7316fe65b6ea42a6bc7f1251031e5a6c961092734da658bea28

      SHA512

      25e570293fb5c224e428b79428b326dd6ebd105bb3945e30b3b336bfe22834e8b5de5cdeb06b269b4689615169d736625d652e032d3827860c89d53fc8e8f62a

    • C:\Windows\Tkusya.exe

      Filesize

      409KB

      MD5

      65b77dc9bcc299eb6c89b7a634c923d7

      SHA1

      332deaaa6ffe33f5e7820a5d7ec9fd67e7b8395e

      SHA256

      24fc182e430c1d3e140af10bce14ca417f912dc93de5f2d5aeaaa9708b6a2623

      SHA512

      aeb4579f9f96cb3d4ce257558dbdf500c4ef192347952fae35bbb0c1f4fce470e5a1271d88fbc447482a7ddbb8dab85f5cfef2c620ed96c3af5f44759aa170d5

    • memory/4368-18-0x0000000000400000-0x000000000043A000-memory.dmp

      Filesize

      232KB

    • memory/4368-138410-0x0000000000400000-0x000000000043A000-memory.dmp

      Filesize

      232KB

    • memory/4396-0-0x0000000000400000-0x0000000000468000-memory.dmp

      Filesize

      416KB

    • memory/4396-1-0x00000000005C0000-0x00000000005C1000-memory.dmp

      Filesize

      4KB

    • memory/4396-4-0x0000000000400000-0x000000000043A000-memory.dmp

      Filesize

      232KB

    • memory/4396-41466-0x0000000000400000-0x000000000043A000-memory.dmp

      Filesize

      232KB