Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25/07/2024, 17:24

General

  • Target

    708abe50048782def5929bc281362498_JaffaCakes118.exe

  • Size

    77KB

  • MD5

    708abe50048782def5929bc281362498

  • SHA1

    a4bd6a219d317efe3274d84a3f5ea40b84b4ace1

  • SHA256

    3f4f2cf6a2844efece2286897dd5e8feda908b6377f8d6bb25bd8fac84e13e00

  • SHA512

    4e13c6ddfb213486efac01e1c14a1ece20eda2552c0af02a81ce452231d0089bab5c086509593e70c49cbd69d95fe82d8aadce5f8c6817fd8c48c940ad9d427c

  • SSDEEP

    1536:8ujlHwdwzY9FPcVH5P4Zq/Dnr47HrHaL:txm+H5PR/DU7eL

Malware Config

Signatures

  • Stops running service(s) 4 TTPs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Launches sc.exe 23 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 26 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 4 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\708abe50048782def5929bc281362498_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\708abe50048782def5929bc281362498_JaffaCakes118.exe"
    1⤵
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:1520
    • C:\Windows\SysWOW64\Rundll32.exe
      Rundll32 C:\Windows\system32\imppngaa.dll Execute
      2⤵
      • Checks computer location settings
      • Loads dropped DLL
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1492
      • C:\Windows\SysWOW64\sc.exe
        sc stop ZhuDongFangYu
        3⤵
        • Launches sc.exe
        • System Location Discovery: System Language Discovery
        PID:3180
      • C:\Windows\SysWOW64\sc.exe
        sc delete ZhuDongFangYu
        3⤵
        • Launches sc.exe
        • System Location Discovery: System Language Discovery
        PID:4628
      • C:\Windows\SysWOW64\sc.exe
        sc stop 360rp
        3⤵
        • Launches sc.exe
        • System Location Discovery: System Language Discovery
        PID:1104
      • C:\Windows\SysWOW64\sc.exe
        sc delete 360rp
        3⤵
        • Launches sc.exe
        • System Location Discovery: System Language Discovery
        PID:948
      • C:\Windows\SysWOW64\sc.exe
        sc stop RsRavMon
        3⤵
        • Launches sc.exe
        • System Location Discovery: System Language Discovery
        PID:2732
      • C:\Windows\SysWOW64\sc.exe
        sc delete RsRavMon
        3⤵
        • Launches sc.exe
        • System Location Discovery: System Language Discovery
        PID:1636
      • C:\Windows\SysWOW64\sc.exe
        sc stop McNASvc
        3⤵
        • Launches sc.exe
        • System Location Discovery: System Language Discovery
        PID:1764
      • C:\Windows\SysWOW64\sc.exe
        sc delete McNASvc
        3⤵
        • Launches sc.exe
        • System Location Discovery: System Language Discovery
        PID:32
      • C:\Windows\SysWOW64\sc.exe
        sc stop MpfService
        3⤵
        • Launches sc.exe
        • System Location Discovery: System Language Discovery
        PID:4024
      • C:\Windows\SysWOW64\sc.exe
        sc delete MpfService
        3⤵
        • Launches sc.exe
        • System Location Discovery: System Language Discovery
        PID:4508
      • C:\Windows\SysWOW64\sc.exe
        sc stop McProxy
        3⤵
        • Launches sc.exe
        • System Location Discovery: System Language Discovery
        PID:2740
      • C:\Windows\SysWOW64\sc.exe
        sc delete McProxy
        3⤵
        • Launches sc.exe
        • System Location Discovery: System Language Discovery
        PID:3056
      • C:\Windows\SysWOW64\sc.exe
        sc stop McShield
        3⤵
        • Launches sc.exe
        • System Location Discovery: System Language Discovery
        PID:492
      • C:\Windows\SysWOW64\sc.exe
        sc delete McShield
        3⤵
        • Launches sc.exe
        • System Location Discovery: System Language Discovery
        PID:1652
      • C:\Windows\SysWOW64\sc.exe
        sc stop McODS
        3⤵
        • Launches sc.exe
        • System Location Discovery: System Language Discovery
        PID:4164
      • C:\Windows\SysWOW64\sc.exe
        sc delete McODS
        3⤵
        • Launches sc.exe
        • System Location Discovery: System Language Discovery
        PID:436
      • C:\Windows\SysWOW64\sc.exe
        sc stop mcmscsvc
        3⤵
        • Launches sc.exe
        • System Location Discovery: System Language Discovery
        PID:2744
      • C:\Windows\SysWOW64\sc.exe
        sc delete mcmscsvc
        3⤵
        • Launches sc.exe
        • System Location Discovery: System Language Discovery
        PID:3840
      • C:\Windows\SysWOW64\sc.exe
        sc stop McSysmon
        3⤵
        • Launches sc.exe
        • System Location Discovery: System Language Discovery
        PID:3144
      • C:\Windows\SysWOW64\sc.exe
        sc delete McSysmon
        3⤵
        • Launches sc.exe
        • System Location Discovery: System Language Discovery
        PID:3688
      • C:\Windows\SysWOW64\sc.exe
        sc stop ekrn
        3⤵
        • Launches sc.exe
        • System Location Discovery: System Language Discovery
        PID:684
      • C:\Windows\SysWOW64\sc.exe
        sc delete ekrn
        3⤵
        • Launches sc.exe
        • System Location Discovery: System Language Discovery
        PID:2884
      • C:\Windows\SysWOW64\sc.exe
        "C:\Windows\System32\sc.exe" stop PolicyAgent
        3⤵
        • Launches sc.exe
        • System Location Discovery: System Language Discovery
        PID:792
    • C:\Windows\SysWOW64\Rundll32.exe
      Rundll32 C:\Windows\system32\ffcrngaa.dll Execute
      2⤵
      • Loads dropped DLL
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2372

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\86D3.tmp

    Filesize

    4.3MB

    MD5

    6c7cdd25c2cb0073306eb22aebfc663f

    SHA1

    a1eba8ab49272b9852fe6a543677e8af36271248

    SHA256

    58280e3572333f97a7cf9f33e8d31dc26a98b6535965ebd0bde82249fc9bf705

    SHA512

    17344e07b9e9b2cd6ae4237d7f310732462f9cbb8656883607d7a1a4090e869265f92a6da1718dee50b1375b91583de60c6bd9e7e8db6b6e45e33f4b894365d6

  • C:\Windows\SysWOW64\ffcrngaa.dll

    Filesize

    8KB

    MD5

    d49e24aaddb6de1d7e04f353197fe210

    SHA1

    439cd17010d7af7acfdae45e83cea09f338a67dc

    SHA256

    660bd04c6abdfd1b385abf4a0c79f9eef1007aa2fcd6f7e53b31a3145a062045

    SHA512

    4079b2afdfd2076ce6931640de70617fc27bcf26d09846de80ff238c312504959a117761f7ccb52ad38914d2392bbac0ac7d3bb8981d55e8d663e00e492a5146

  • C:\Windows\SysWOW64\imppngaa.dll

    Filesize

    26KB

    MD5

    d4e567f4e233ab037c7dc12c924ee5d6

    SHA1

    c9af7da5c7bae85e248f1f80db5d82dc2f3af6d3

    SHA256

    e59a90649bf2c03712aa1cf08c93b50a683e05802465672f2f351765e3fd1556

    SHA512

    ce6e35aa54d428a71746f6a4c38b78273208e0658e1377384c3d5e330c80780dd6770a85dcbf49fc4c08b4f8fbf2933b66b3daa2698c939381ffeb83d9ef2883

  • memory/1520-6-0x0000000001250000-0x0000000001251000-memory.dmp

    Filesize

    4KB

  • memory/1520-43-0x0000000000400000-0x0000000000416000-memory.dmp

    Filesize

    88KB