Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240730-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240730-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01/08/2024, 23:50

General

  • Target

    82394930e7babddd90b8eee3610e31e1_JaffaCakes118.exe

  • Size

    121KB

  • MD5

    82394930e7babddd90b8eee3610e31e1

  • SHA1

    1edd69f96c7ffcf818abb95aa5903a71bac60b12

  • SHA256

    875b0094f5ed75e2c85bdce3c5d4e18116dc788ba156febf5f903072294e383b

  • SHA512

    45082d41b76a2d3f8f2a6c99ecfec951087a0be69201a1bf2956b880c6393f071071fb2705ea9faf7df50c5574d6f4034ea5b64d6496ef4e79af856a464d039e

  • SSDEEP

    1536:thivqRTLZQVgiVQXmxFsEtE890oiSSPjewOYlk15Ds+8yH2W3YtGVfBSBz12rCfH:/kie2Otg84SSPLOz8i2QY8Vfs7jz

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 5 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 6 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Drops file in System32 directory 9 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\82394930e7babddd90b8eee3610e31e1_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\82394930e7babddd90b8eee3610e31e1_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3652
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\ser.vbs"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2816
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\805A1.EXE
        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\805A1.EXE"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2724
        • C:\Windows\SysWOW64\WinHe805.exe
          "C:\Windows\system32\WinHe805.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3332
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /C del C:\Windows\SysWOW64\WinHe805.exe > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1176
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /C del C:\Users\Admin\AppData\Local\Temp\RarSFX0\805A1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3992
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\802A3.EXE
        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\802A3.EXE"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2912
        • C:\Windows\SysWOW64\WinHe802.exe
          "C:\Windows\system32\WinHe802.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4484
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /C del C:\Windows\SysWOW64\WinHe802.exe > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1968
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /C del C:\Users\Admin\AppData\Local\Temp\RarSFX0\802A3.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4164
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\806KK.EXE
        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\806KK.EXE"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2184
        • C:\Windows\SysWOW64\WinHe806.exe
          "C:\Windows\system32\WinHe806.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3980
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /C del C:\Windows\SysWOW64\WinHe806.exe > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2076
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /C del C:\Users\Admin\AppData\Local\Temp\RarSFX0\806KK.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1700

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\802A3.EXE

    Filesize

    40KB

    MD5

    8175d021359c94196f0889aa9751cbf2

    SHA1

    df866ef3e1ebd3936bf67f434ced3451ddd07283

    SHA256

    f8f32c7ff3651be6da9e2ba6e4e895f80d3fa972a7ad19c5fef6aafc228dc4c7

    SHA512

    1aae29e9c325480094eb278b0383620addad5ab6c4c1e1b48f73562450fcb146a534176e68e896fc5b0c5ce479a07e3797c673d002a0dbed6f629988304c2d2f

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\805A1.EXE

    Filesize

    42KB

    MD5

    adf3af6efb99d70ce9ddeef765e32f4f

    SHA1

    b14d8d1cb165a51bea1f3fb1597df7001e5df3db

    SHA256

    f67b8e3c10acbdf85daacbab9d9ca27cec50a222ec1fcdb404b6e5fb35656b73

    SHA512

    803e11a3f4bf87e552e612ba1379ed0a5c8002ce091c38176d8494b5818f412484d9a0b79119dce4a05b064e14dabcf3eb4a188183308e36c9aa57d38e279cad

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\806KK.EXE

    Filesize

    40KB

    MD5

    8d830b845e143464d3222f4e9c631faf

    SHA1

    19285c840aceacf5b1db3da138974f4a7ca5199e

    SHA256

    a7f1740fc4f5b8206e03e7043e6cc94513088aed616af26cdde09bf102a56827

    SHA512

    df15902c3c6f66c6a8f916d66607ea58d58e9aa5cbb1f5611dc7ad01257ce3dde29deac3d77645e1afe177657cf242d93d2eb2bcb17b37d1fd3e05bf4799e13c

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\ser.vbs

    Filesize

    145B

    MD5

    ff83350d9c17514336796a4da3906d0b

    SHA1

    e8bb59b46e6dd6cb8698c50ad6d64b6c97cf9c6e

    SHA256

    b73bdf9cd15784ee801973306e40e9e43c143e642064423fc93f65cc0d1e661d

    SHA512

    261c8e81e8026723d0f662acbe6a92735c38e5ac6559cc671f1bd0d85400e4e1f274bd22ded5b67f394f569a1f8207071960e52bba7bc092b942a51f1ede3698

  • C:\Windows\SysWOW64\WinHe802.exe

    Filesize

    12.3MB

    MD5

    8098b3e660cb6d7cf9939a1e2ed92eb1

    SHA1

    3e7d9e2a56447a89d91aa384354b5ab6982c41cc

    SHA256

    3ac5b37c5a89432dc637acacf6db96f46c7592fe9b3c9f7aba464176d830db9e

    SHA512

    cd52760e7b56327833bd05ff035f3656c4b38301a6b9e99043b9e40c4904b17391bb6b47acdf82d059b243e62b08e8199d654f45d1889d2d0fc09922989fc3e6

  • C:\Windows\SysWOW64\WinHe805.exe

    Filesize

    12.3MB

    MD5

    9c6f0423c91a3684a81c390be469a9d5

    SHA1

    9207c85669033450a54cecce3694769b17e6b7d4

    SHA256

    edb4dda1e5980695102fa167c750bfbd9945f244a7e759bdf29dbbc1900cb1d9

    SHA512

    83a894ad8ba6b79deb74d0e1fe768fef9c914522a8e8d8f73c288ddd6b1e0364bf211114687a4909416a29373a63b43173f1cdd02490f6ffc002e2be270d65b6

  • C:\Windows\SysWOW64\WinHe806.exe

    Filesize

    12.3MB

    MD5

    fa9f077724d37d39cd114c4e76d34b79

    SHA1

    92c870e8bd3e33cbf9d858d938812cab3d10c9fc

    SHA256

    09a3c279bb78d8e3d923518adcdb3477c4e6041034fc810da1af799a90d246b4

    SHA512

    1a69ddcca99cab99a4c4f17e1c5282500a8f8e385738fdec1d113ce452f95b219c2292e476fa24bf2542f91db9c074e2412c45101d07b2d8522e33aeca269239

  • memory/2184-64-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

  • memory/2184-24-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

  • memory/2724-14-0x0000000000400000-0x0000000000412000-memory.dmp

    Filesize

    72KB

  • memory/2724-66-0x0000000000400000-0x0000000000412000-memory.dmp

    Filesize

    72KB

  • memory/2912-21-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

  • memory/2912-46-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

  • memory/3332-67-0x0000000000400000-0x0000000000412000-memory.dmp

    Filesize

    72KB

  • memory/3332-65-0x0000000000400000-0x0000000000412000-memory.dmp

    Filesize

    72KB

  • memory/3652-0-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

  • memory/3652-68-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

  • memory/3980-63-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

  • memory/4484-45-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

  • memory/4484-44-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB