Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09/08/2024, 20:45

General

  • Target
    837fa46ff00e245a0c44bc3cbed6d9d2_JaffaCakes118.exe
  • Size
    79KB
  • MD5
    837fa46ff00e245a0c44bc3cbed6d9d2
  • SHA1
    400c43992d8117a366e324c4679c0d9c811cc909
  • SHA256
    b1d1256ac76f5442c1a5a4948522c73c879fd7b57c1303275fd5fd5b2295b575
  • SHA512
    2d0227bc26baf6cc59f2ce9a9efeb5722fe2c5c28ab257289959add49ad22266beed35c3180182495a53f41da7feee88581f5533f23b8f9750276595fec980ae
  • SSDEEP
    1536:VdzCU+0GptrrZk4Rn4TzTlqW7qx8OJabmGDf/EIpY00EdsVhz02p:VlC2gtrrRnGFqbxaHDf/Ex0Bs7

Malware Config

Signatures

  • Sets service image path in registry 2 TTPs 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Deletes itself 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Runs .reg file with regedit 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\837fa46ff00e245a0c44bc3cbed6d9d2_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\837fa46ff00e245a0c44bc3cbed6d9d2_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1388
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe "C:\Users\Admin\AppData\Local\Temp\ykkrpdreg.dll",polmxhat
      2⤵
      • Checks computer location settings
      • Loads dropped DLL
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:5604
      • C:\Windows\SysWOW64\regedit.exe
        regedit.exe -s "C:\Users\Admin\AppData\Local\Temp\ykkrpdreg.reg"
        3⤵
        • Sets service image path in registry
        • System Location Discovery: System Language Discovery
        • Runs .reg file with regedit
        PID:5628
      • C:\Windows\SysWOW64\rundll32.exe
        "C:\Windows\System32\rundll32.exe" "C:\Program Files\Common Files\Microsoft Shared\ykkrpd.dll",polmxhat
        3⤵
        • Deletes itself
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:5684
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1388 -s 2516
      2⤵
      • Program crash
      PID:5788
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1388 -ip 1388
    1⤵
    PID:5764

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\ykkrpd.dll
    Filesize
    71KB
    MD5
    26697f0710476371b6836482b4a6df93
    SHA1
    da52c1a674fd6e1a194f5872f0275f59f9c7a382
    SHA256
    dcbab2c5ef2124e772b9e4806eeff0693c45f278408b23eea84c1dde0816679c
    SHA512
    c1c3b3799e72a8dc1859362aa28c83f570cb65b80823cf18d1157dd4234c8f7c17b5eefecaabb358f2ef469b925b8b01868e222d8df942b5a5fded440f99399b
  • C:\Users\Admin\AppData\Local\Temp\ykkrpdreg.reg
    Filesize
    1KB
    MD5
    604a7cef7ab7406d293d24ade00ba34e
    SHA1
    d630eade60550ca8b5a0cf36df12e634e8ed15b1
    SHA256
    39afe7a98675f4347845a9ae8f8692ace30fdaed30aa434881c8b80d0bd34456
    SHA512
    b704e8efc0961eb40e9613a78b386fd51e8c64d71e7b03335d66bd8ae318da6dffe4803f0aebb0160ea38a06557d8522ea8b70e0e72d5adc3efe60eb526b7af0