
Analysis

  • max time kernel
    138s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    27/07/2024, 05:40

General

  • Target

    772952cfacf381892590ce0ccc4bb384_JaffaCakes118.exe

  • Size

    65KB

  • MD5

    772952cfacf381892590ce0ccc4bb384

  • SHA1

    734e0306c531e9ffbf22b60e7c744e04f65fa79f

  • SHA256

    0b36f9990b83338a823f030e12fcd9a866a2cfcb434150d3e59c708a80a88102

  • SHA512

    1bc8e5145a9c5fde67c5df7289b32fee5720b5af7007c3fd5c3287c74c4754812552c2b6cef2ce77582233b8a8a2312975acc5c7687b0694cdec528456912d21

  • SSDEEP

    768:gqipbWxcGn+dNHyIztJT2W/V4EaRS8ZGMhpyNKnoBXzHpBRjG8CkFMRKVytHmDbX:6ScCqrztJi2icNKnoBX7RylHmH

Signatures

  • Checks computer location settings 2 TTPs 7 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Executes dropped EXE 6 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Drops file in System32 directory 14 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 39 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\772952cfacf381892590ce0ccc4bb384_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\772952cfacf381892590ce0ccc4bb384_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4972
    • C:\Windows\SysWOW64\netprofm.exe
      "C:\Windows\system32\netprofm.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2572
      • C:\Windows\SysWOW64\ngccredprov.exe
        "C:\Windows\system32\ngccredprov.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4492
        • C:\Windows\SysWOW64\wups.exe
          "C:\Windows\system32\wups.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3320
          • C:\Windows\SysWOW64\sensapi.exe
            "C:\Windows\system32\sensapi.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2756
            • C:\Windows\SysWOW64\kbdcr.exe
              "C:\Windows\system32\kbdcr.exe"
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Drops file in System32 directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:2420
              • C:\Windows\SysWOW64\pwrshplugin.exe
                "C:\Windows\system32\pwrshplugin.exe"
                7⤵
                • Checks computer location settings
                • Executes dropped EXE
                • Drops file in System32 directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:3948
                • C:\Windows\SysWOW64\cmd.exe
                  "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\pwrshplugin.exe"
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:824
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 3948 -s 1776
                  8⤵
                  • Program crash
                  PID:1748
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\kbdcr.exe"
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2284
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\sensapi.exe"
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1532
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wups.exe"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:4564
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\ngccredprov.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4752
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\netprofm.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4372
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\772952cfacf381892590ce0ccc4bb384_JaffaCakes118.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2368
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 1676
      2⤵
      • Program crash
      PID:5076
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4972 -ip 4972
    1⤵
    PID:3912
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3948 -ip 3948
    1⤵
    PID:3996
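
The tree above is a seven-stage relay. The original sample writes a copy into the 32-bit system directory under a filename that collides with a legitimate Windows DLL basename (netprofm, ngccredprov, wups, sensapi, kbdcr, pwrshplugin, each with .exe appended), launches it, and the copy repeats the cycle. Each stage also spawns `cmd.exe /c del "<its own image>"`; Windows keeps a running image file open, so that delete can only succeed after the stage exits, which fits the "Indicator Removal: File Deletion" signature. The command lines say `system32` while the image paths say `SysWOW64` because WOW64 file-system redirection maps System32 to SysWOW64 for a 32-bit process (the resource tags list arch:x86). The two `WerFault.exe -u -p <pid>` children show that PIDs 4972 and 3948 crashed, and no eighth stage appears after pwrshplugin.exe. The following detector is an added example, not part of the Triage report: the event list is constructed from the tree (PIDs, image paths and command lines copied from it, parent PIDs taken from the nesting depth), and the function names are ours. It flags a cmd.exe child whose `del` target is the image of the process that spawned it, then walks those hits from the root to recover the stage order.

```python
"""Detect the stage-relay / self-deletion pattern from the process tree above.

Added example, not part of the Triage report. EVENTS is constructed from the
tree: PIDs, image paths and command lines are copied from it and each
process's parent PID is taken from its nesting depth. Function names are ours.
"""
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str    # image path as the sandbox recorded it
    cmdline: str  # command line as launched


SYS32 = r"C:\Windows\system32"
WOW64 = r"C:\Windows\SysWOW64"
ORIG = (r"C:\Users\Admin\AppData\Local\Temp"
        r"\772952cfacf381892590ce0ccc4bb384_JaffaCakes118.exe")


def _stage(pid, ppid, name):
    # A dropped stage is launched by its System32 path but the image lands in
    # SysWOW64: WOW64 file-system redirection maps System32 to SysWOW64 for a
    # 32-bit process, so both spellings name the same file here.
    return Proc(pid, ppid, f"{WOW64}\\{name}", f'"{SYS32}\\{name}"')


def _deleter(pid, ppid, target):
    return Proc(pid, ppid, f"{WOW64}\\cmd.exe", f'"{SYS32}\\cmd.exe" /c del "{target}"')


# Constructed from the report's process tree (PIDs and paths as listed there).
EVENTS = [
    Proc(4972, 0, ORIG, f'"{ORIG}"'),
    _stage(2572, 4972, "netprofm.exe"),
    _stage(4492, 2572, "ngccredprov.exe"),
    _stage(3320, 4492, "wups.exe"),
    _stage(2756, 3320, "sensapi.exe"),
    _stage(2420, 2756, "kbdcr.exe"),
    _stage(3948, 2420, "pwrshplugin.exe"),
    _deleter(824, 3948, f"{SYS32}\\pwrshplugin.exe"),
    _deleter(2284, 2420, f"{SYS32}\\kbdcr.exe"),
    _deleter(1532, 2756, f"{SYS32}\\sensapi.exe"),
    _deleter(4564, 3320, f"{SYS32}\\wups.exe"),
    _deleter(4752, 4492, f"{SYS32}\\ngccredprov.exe"),
    _deleter(4372, 2572, f"{SYS32}\\netprofm.exe"),
    _deleter(2368, 4972, ORIG),
    Proc(5076, 4972, f"{WOW64}\\WerFault.exe", f"{WOW64}\\WerFault.exe -u -p 4972 -s 1676"),
    Proc(1748, 3948, f"{WOW64}\\WerFault.exe", f"{WOW64}\\WerFault.exe -u -p 3948 -s 1776"),
]

# 'del' followed by an optionally quoted path at the end of the command line.
DEL_RE = re.compile(r'\bdel\s+"?([^"]+?)"?\s*$', re.IGNORECASE)


def _norm(path):
    """Case-fold and collapse the System32/SysWOW64 alias so both spellings compare equal."""
    return ntpath.normpath(path).lower().replace("\\system32\\", "\\syswow64\\")


def find_self_deletions(events):
    """(deleter_pid, stage_pid, stage_image) for every cmd.exe whose del target
    is the image of the process that spawned it, i.e. a stage erasing itself.
    The delete can only succeed once the stage has exited, because Windows
    keeps a running image file open."""
    by_pid = {p.pid: p for p in events}
    hits = []
    for p in events:
        if ntpath.basename(p.image).lower() != "cmd.exe":
            continue
        m = DEL_RE.search(p.cmdline)
        parent = by_pid.get(p.ppid)
        if m and parent and _norm(m.group(1)) == _norm(parent.image):
            hits.append((p.pid, parent.pid, parent.image))
    return hits


def relay_chain(events):
    """Ordered basenames of the stages, following parent->child links from the
    root and stopping at the first stage with no self-deleting cmd.exe child."""
    by_pid = {p.pid: p for p in events}
    self_deleting = {stage_pid for _, stage_pid, _ in find_self_deletions(events)}
    children = {}
    for p in events:
        children.setdefault(p.ppid, []).append(p)
    roots = [p for p in events if p.ppid not in by_pid]
    chain, cur = [], (roots[0] if roots else None)
    while cur is not None and cur.pid in self_deleting:
        chain.append(ntpath.basename(cur.image))
        nxt = [c for c in children.get(cur.pid, []) if c.pid in self_deleting]
        cur = nxt[0] if nxt else None
    return chain


if __name__ == "__main__":
    for deleter, stage, image in find_self_deletions(EVENTS):
        print(f"PID {deleter} (cmd.exe) deletes image of PID {stage}: {image}")
    print(" -> ".join(relay_chain(EVENTS)))
```

Two points for anyone turning this into a production rule. First, a filename allowlist built from "names that exist in System32" would pass every stage here, because the stems are real DLL names; key on the .exe extension plus the parent-child relationship and the self-delete instead. Second, the match needs the parent's image path, not just its PID, so feed it from a source that records both (Sysmon Event ID 1 carries ParentProcessId, ParentImage and ParentCommandLine); with only the child's own fields the `del` target cannot be tied back to the process that issued it.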

      Downloads

      • C:\Windows\SysWOW64\kbdcr.exe

        Filesize

        65KB

        MD5

        6b12079905353565bfe29a749eb7716e

        SHA1

        f9839a23e13d8200e57cdb9f6c1e94fb844a4c49

        SHA256

        20c42d14a0e73ae3808fc1616886350c14613bf328e352e1030ac68e323af0b7

        SHA512

        074c2bdf3f4228b16decf1226fd01e4cb3a074cd49848f0f9304f1989a1c31f15faec7a9e4b7c8eff617ae50717b14873fc88c6309c5f739df8352521bdb2ab1

      • C:\Windows\SysWOW64\netprofm.exe

        Filesize

        65KB

        MD5

        75e16b2c31eece91aad5fa8e8286fed6

        SHA1

        d6b52289d8b27618638422869f5428b1c65e4d46

        SHA256

        b993d6aff29d76684dad23e4b7547bbb7ecb347d09644ce0ca27e05d682b1393

        SHA512

        2c62c380ab057edb5ade68b7cda8680a68be1954e3a8fb124d10d5a16c1bdde31b54856ad866fe8aa005bb835ea2da9799d08d65113f68f6b9e6631dfe1539ab

      • C:\Windows\SysWOW64\ngccredprov.exe

        Filesize

        65KB

        MD5

        3cf4fb568b02a5cff86edd5f4315b573

        SHA1

        caee89129acbbb67ad46150048b2917c74403d60

        SHA256

        7242c1db29fa843c3127938d78515e92a26d03cb5aed6e9c737114b5b3bbca15

        SHA512

        4bb19783918f9ecb3691dbafaae026cff98580074b11065a2e5645f834a772123234fc8139ae452d3cdcd7b36578801f0e8e2d72aaf1f1599c68df62dc2e751e

      • C:\Windows\SysWOW64\pwrshplugin.exe

        Filesize

        65KB

        MD5

        c1bd56c24f249b3f3bda68706cb39d48

        SHA1

        b06682d73bd38cb719efbdb27e432fb0f58409c7

        SHA256

        dacd28a436dd235fb15b4be7628e4fdd0f95210c13b107fd53b865b403a63562

        SHA512

        76b96677e4501534363c52567aa62feea420f068e40f11e9a4c5912d2f0cd20d7f3a40171de3da0ca834cbe30aa6ae495a83fa09046d1091f1eb04815eceba01

      • C:\Windows\SysWOW64\sensapi.exe

        Filesize

        65KB

        MD5

        4917a344edba82df6579de1e409c9ef6

        SHA1

        5ce1b33d04c1117b3922e14d8370a8c2a2aa2607

        SHA256

        4741b75ebb637e5ef67f2b42d25ac56de8c86c67c63a2df5ed76b482bba77381

        SHA512

        8d63e669f2ca811136dfe17740cc2a3451dc1759d2a00779e915a3b11007614ce3e9067d840cbf37dafbe593b33c05e71f9ee696fb26f492aa613b211e8f764d

      • C:\Windows\SysWOW64\wups.exe

        Filesize

        65KB

        MD5

        0e954170b7d0581a7f47ed63b39d6e3c

        SHA1

        530a653beed24a03fff8896d57f92626f73edd1d

        SHA256

        96444036c05f993fee057661ea0faedd07a8cc6f905ae43a62e7bb0551c543b7

        SHA512

        d57ea7a8c7b476a607155c364f67b6ed1b731d7f4e419c2ae32545062ea4f562f0170499973b795d03463b1cd4a7d65c088f9d728d3cc8689bb242b06c7c815b

      • memory/2420-63-0x0000000000400000-0x0000000000413000-memory.dmp

        Filesize

        76KB

      • memory/2572-21-0x0000000000400000-0x0000000000413000-memory.dmp

        Filesize

        76KB

      • memory/2756-52-0x0000000000400000-0x0000000000413000-memory.dmp

        Filesize

        76KB

      • memory/2756-41-0x0000000000400000-0x0000000000413000-memory.dmp

        Filesize

        76KB

      • memory/3320-42-0x0000000000400000-0x0000000000413000-memory.dmp

        Filesize

        76KB

      • memory/3948-62-0x0000000000400000-0x0000000000413000-memory.dmp

        Filesize

        76KB

      • memory/3948-66-0x0000000000400000-0x0000000000413000-memory.dmp

        Filesize

        76KB

      • memory/4492-31-0x0000000000400000-0x0000000000413000-memory.dmp

        Filesize

        76KB

      • memory/4492-20-0x0000000000400000-0x0000000000413000-memory.dmp

        Filesize

        76KB

      • memory/4972-0-0x0000000000400000-0x0000000000413000-memory.dmp

        Filesize

        76KB

      • memory/4972-10-0x0000000000400000-0x0000000000413000-memory.dmp

        Filesize

        76KB