Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    138s
  • max time network
    118s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25/07/2024, 12:25

General

  • Target

    6f90f6b49e8131b7bac8062fdea5f6e3_JaffaCakes118.exe

  • Size

    1.4MB

  • MD5

    6f90f6b49e8131b7bac8062fdea5f6e3

  • SHA1

    7f4789e224d1c8890b203e157ff310ca37569f2f

  • SHA256

    c779fe244913901f073f6488ce39a068cd24060b7e15de122c466e49f15cc29f

  • SHA512

    622f850f9996cc0034484c3920a58dccef964be83b4894636496e7d6570e94d0b279afcd2e00c244639c2822e550c46d893e2cdd301a69434eb2e63e368d31c0

  • SSDEEP

    24576:lUMr/4p6qO4pDlPJsZtZQk5p8hulbEwfDpBzjRvdsxlTShiVNjQ:7/4Qf4pxPctqG8IllnxvdsxZ4UFQ

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 8 IoCs
  • Drops file in Program Files directory 18 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 58 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6f90f6b49e8131b7bac8062fdea5f6e3_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\6f90f6b49e8131b7bac8062fdea5f6e3_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2160
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" http://taourl.com/6jb4v
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1040
      • C:\Program Files\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://taourl.com/6jb4v
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1432
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1432 CREDAT:17410 /prefetch:2
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:4896
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" http://www.178gg.com/lianjie/10608.htm
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3856
      • C:\Program Files\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.178gg.com/lianjie/10608.htm
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4424
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4424 CREDAT:17410 /prefetch:2
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1632
    • C:\Windows\SysWOW64\Wscript.exe
      "C:\Windows\system32\Wscript" "C:\Program Files (x86)\soft143901\b_1401.vbs"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3932

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\jishu_143901\jishu_143901.exe

    Filesize

    1.0MB

    MD5

    e2590fb7bac27dbfa512820e9139f28b

    SHA1

    209d8d0b77c7a8863a3c68464ce47f6a3f00d454

    SHA256

    4369c213390dd318aaf57b841e338f0b781b16e61713c39e3d961d6065de1821

    SHA512

    a6b8cdac512c2d05eb2270f8b4f64248cc177785acbd8d4f0ad725acdd2c894f639e7e7259066a8014a79d69f213812dc09793a2bad7a3d6bd9a511f3ee57223

  • C:\Program Files (x86)\soft143901\b_1401.vbs

    Filesize

    226B

    MD5

    f5d581a03eaf0f849013caf6fc331051

    SHA1

    34df3d50820db304a34c11e8dc253af0f9eb3852

    SHA256

    a3c4995a6f382b9809bbcdddaca31f30b96c6fec9c3153cb5bfa62079ffab317

    SHA512

    1dfe1b5aafd2f4f931c8b4ff53f8e3934137e620b93ffc0e6979e94d3ab46c1cb9e4153bf7141b13363460eaad54d270edcde464bff74cf952c4bdbc8d32415e

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{10106987-4A81-11EF-BE68-423954E40A58}.dat

    Filesize

    5KB

    MD5

    8dc80c8c73aebc7e24523f3300d100de

    SHA1

    60f8214d70f49ce8fcbe55fc9c9ecb09175b40a3

    SHA256

    75be84cfd2863382532c72534555eef1d48d864871ae86518a20dfa50cdb911d

    SHA512

    7a6ebe7172ab093eac0b9d60487c332eafd588a4a8294ff1dd94cc6f9489959aba20a8867740dea0ca09242c85bd2b35b9495b33e503e7c94b8b1f2b1676c559

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{10178FF5-4A81-11EF-BE68-423954E40A58}.dat

    Filesize

    3KB

    MD5

    0079d9aa3c5b858801b9aea1ae700960

    SHA1

    ceef16f9da17c37a03c1d1cc8d98a52a8329488b

    SHA256

    4438d618c6a957caa2a96c739c9567911ff12975ff757374fa3f8e6eeec71637

    SHA512

    8b8d8c20f478e8855f846f96faee257364b68f31ad00ca5e80c954cf8c2c90dce8bb03b7424491ef4a008247dbc02c0992317b331c0a4a938ff8252c04822aaf

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verDF83.tmp

    Filesize

    15KB

    MD5

    1a545d0052b581fbb2ab4c52133846bc

    SHA1

    62f3266a9b9925cd6d98658b92adec673cbe3dd3

    SHA256

    557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

    SHA512

    bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\UEL5ICRL\suggestions[1].en-US

    Filesize

    17KB

    MD5

    5a34cb996293fde2cb7a4ac89587393a

    SHA1

    3c96c993500690d1a77873cd62bc639b3a10653f

    SHA256

    c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

    SHA512

    e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

  • C:\Users\Admin\AppData\Local\Temp\nsd6802.tmp\FindProcDLL.dll

    Filesize

    31KB

    MD5

    83cd62eab980e3d64c131799608c8371

    SHA1

    5b57a6842a154997e31fab573c5754b358f5dd1c

    SHA256

    a6122e80f1c51dc72770b4f56c7c482f7a9571143fbf83b19c4d141d0cb19294

    SHA512

    91cfbcc125600ec341f5571dcf1e4a814cf7673f82cf42f32155bd54791bbf32619f2bb14ae871d7996e9ddecdfcc5db40caa0979d6dfba3e73cfe8e69c163c9

  • C:\Users\Admin\AppData\Local\Temp\nsd6802.tmp\NSISdl.dll

    Filesize

    14KB

    MD5

    254f13dfd61c5b7d2119eb2550491e1d

    SHA1

    5083f6804ee3475f3698ab9e68611b0128e22fd6

    SHA256

    fd0e8be2135f3d326b65520383a3468c3983fa32c9c93594d986b16709d80f28

    SHA512

    fcef8ac5bd0ee6e316dbbc128a223ba18c8bf85a8d253e0c0877af6a4f686a20b08d34e5a426e2be5045962b391b8073769253a4d9b18616febc8133ccf654f7