Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24/07/2024, 03:28

General

  • Target

    6a135c2e3ba5e6655ee27bf60a359e53_JaffaCakes118.exe

  • Size

    806KB

  • MD5

    6a135c2e3ba5e6655ee27bf60a359e53

  • SHA1

    36713a2c3908567bbf0cd18aa944a522e5d915fc

  • SHA256

    c02e35aa90a8a5003feb5e830ec7a1eb461e8d2c79dbe8c72419a0fe864719ca

  • SHA512

    05ad73463914b584c8b83f2d8e796f596f34c13fe3f6680b617e03b1dfe32cd3e1776e693d4561eaab617228760c3e1d37c49027116cfde5e3386af5ad366033

  • SSDEEP

    12288:1vD+a+J195bR+uSGtZ3pgWKQqnuOHzrV3Dr7Ilnk39yS:17HK5N+cLJKQmHzrV3nMkd

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6a135c2e3ba5e6655ee27bf60a359e53_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\6a135c2e3ba5e6655ee27bf60a359e53_JaffaCakes118.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4720
    • C:\Users\Admin\AppData\Local\Temp\6a135c2e3ba5e6655ee27bf60a359e53_JaffaCakes118.tmp
      C:\Users\Admin\AppData\Local\Temp\6a135c2e3ba5e6655ee27bf60a359e53_JaffaCakes118.tmp
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      PID:4988
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:116

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\3185122397\zmstage.exe

    Filesize

    6.1MB

    MD5

    21506f0849a07db57c7b41d37929fb70

    SHA1

    438e240a2447f71a38234ce07b9a1f54b62763e6

    SHA256

    9cac58351c4032e05c6aa4f3063219e13855d677e8ba35f2ea497548dc0a1f93

    SHA512

    c219a98beee6b71d42789d526581e65dcce0eed3ae2b01c746da9337de66520ea798886b3d239f1d330220a66ae89f6674e62ec3e95bce99bedcf35edfdcee62

  • C:\Users\Admin\AppData\Local\Temp\6a135c2e3ba5e6655ee27bf60a359e53_JaffaCakes118.tmp

    Filesize

    78KB

    MD5

    17314db5f7c540e7f1fff7b95bfe45da

    SHA1

    8e0fad151ac7fd342c08fee90c1032efd74206cd

    SHA256

    d1a09cbc6d215c7aa0448a2cbc1e0eb01b2bdb117920fa4b7feb68a4e97da879

    SHA512

    2587a76ccd79230fb301a367473a3361eee1019b9cceffe433bdc75b943c30c5bbb6d24d3e87e4e3676db412f2658d526219e736a62b0cced13dd31f97f2809b

  • memory/4720-0-0x0000000002790000-0x0000000002791000-memory.dmp

    Filesize

    4KB

  • memory/4720-22-0x0000000000400000-0x00000000024BD000-memory.dmp

    Filesize

    32.7MB

  • memory/4720-24-0x0000000002790000-0x0000000002791000-memory.dmp

    Filesize

    4KB

  • memory/4988-19-0x0000000000400000-0x0000000000416000-memory.dmp

    Filesize

    88KB