Analysis

  • max time kernel
    148s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10/08/2024, 09:39

General

  • Target

    859c3f171bcb3ed7d10007ec71f98082_JaffaCakes118.exe

  • Size

    109KB

  • MD5

    859c3f171bcb3ed7d10007ec71f98082

  • SHA1

    b02a91d37762e485e02284ad13040522ea41471c

  • SHA256

    295f9b09881e8d978bc84aaebb18daa0a79f047d013921e9119d361fe4b5443d

  • SHA512

    9bff308eb1ad3e01d4d95bda21f8018398ccafd9d6f6c1d9b209f77a0598f84b2245870184dac8a2278c34f97af38c9d8e36506ae552b29baecc6a84a7e34391

  • SSDEEP

    3072:08jQ/bYnmYQus2HoUqrdT1x/QaiAjnLq845OKzNm:0IQ/b4nqbdB9Xnt45VRm

Malware Config

Signatures

  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 7 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\859c3f171bcb3ed7d10007ec71f98082_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\859c3f171bcb3ed7d10007ec71f98082_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2416
    • C:\Windows\SysWOW64\inf\svchosts.exe
      "C:\Windows\system32\inf\svchosts.exe" C:\Windows\system32\lwfdfia16_080521.dll tanlt88
      2⤵
      • Checks computer location settings
      • Deletes itself
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3604
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c "c:\mylstecj.bat"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2132
        • C:\Windows\system\sgcxcxxaspf080521.exe
          "C:\Windows\system\sgcxcxxaspf080521.exe" i
          4⤵
          • Adds policy Run key to start application
          • Checks computer location settings
          • Executes dropped EXE
          • Drops file in System32 directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4468
          • C:\Program Files\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:4060
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4060 CREDAT:17410 /prefetch:2
              6⤵
              • System Location Discovery: System Language Discovery
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:632

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\T1CTRFUW\suggestions[1].en-US

    Filesize

    17KB

    MD5

    5a34cb996293fde2cb7a4ac89587393a

    SHA1

    3c96c993500690d1a77873cd62bc639b3a10653f

    SHA256

    c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

    SHA512

    e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

  • C:\Windows\SysWOW64\inf\svchosts.exe

    Filesize

    60KB

    MD5

    889b99c52a60dd49227c5e485a016679

    SHA1

    8fa889e456aa646a4d0a4349977430ce5fa5e2d7

    SHA256

    6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910

    SHA512

    08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

  • C:\Windows\SysWOW64\lwfdfia16_080521.dll

    Filesize

    30KB

    MD5

    545b50208a7058cbf817f692abf5e7ee

    SHA1

    e1cf5613dee8bb51102a0c0da99bf515db2c96ff

    SHA256

    329ae4cdebde953f989ebb0a7a815e9eeaf0f5b780cfaa6f4f37aeb8ae7194fe

    SHA512

    c17cc9d3d69b43fd9cba1465eecc637eba4dd2396cee488be26adb35d93d5926358bc782db75aef1d262094181a9a863f9cc1025a3a7b3c161b76fe3d41149a4

  • C:\Windows\SysWOW64\mdccasys32_080521.dll

    Filesize

    218KB

    MD5

    b64ce329b1243662ee34c2b15ee00aff

    SHA1

    a7b4fc826fb785ca8c1be74f665a7204c848b300

    SHA256

    17353a78a579784ad3194e3d19ca10ad8cbbb2f39bc7651f5f3e264932694a31

    SHA512

    ccaa27d3db61a8976f43439891afb27695982752cc1bccf5173300584e45a785191f9d991c26e2570acfe08550cc45168301200bc5a76803aad7847e2d8ce8b1

  • C:\Windows\System\sgcxcxxaspf080521.exe

    Filesize

    109KB

    MD5

    859c3f171bcb3ed7d10007ec71f98082

    SHA1

    b02a91d37762e485e02284ad13040522ea41471c

    SHA256

    295f9b09881e8d978bc84aaebb18daa0a79f047d013921e9119d361fe4b5443d

    SHA512

    9bff308eb1ad3e01d4d95bda21f8018398ccafd9d6f6c1d9b209f77a0598f84b2245870184dac8a2278c34f97af38c9d8e36506ae552b29baecc6a84a7e34391

  • C:\Windows\pwisys.ini

    Filesize

    46B

    MD5

    02a44daab973d76f4d098b09bb769341

    SHA1

    f08c38e8f4204154b5e0abd563e52eb8ac18daba

    SHA256

    7c0b825425cd7bf72504488463b492b9c8531ea796988fcf7f7f5868a2293f73

    SHA512

    1320a0f8fbd6ee431a636d932994d53a6253ce9ba8847d0efd7c99f3e2817d2f5edba39cdd6a5fcf7e94938ad0933a2b3eb951a24836efec01fb8a4dc5558d90

  • C:\Windows\pwisys.ini

    Filesize

    462B

    MD5

    e4a597ac6a528195d251d510df8bf71a

    SHA1

    76a5b62d6b91e31d813cd62d2119430f3fbe55a0

    SHA256

    37dac674fe56c07abad128bc012f3c3376e530b851a00ff482188d6ca5ff474a

    SHA512

    2f5ae4438c38186f3abb996325cae79c3abe7208807a8308f716213f73d1c0c70746db623d2c644e9535759f1c5519fb26279700722f6e2b35bf0163f5eaba87

  • C:\Windows\pwisys.ini

    Filesize

    378B

    MD5

    abbaa9a765414a0fdc24dbe9ce532f40

    SHA1

    bfe805d6ddf84697841ec4755c82c7e9e93f3d24

    SHA256

    2ef297d5f1d5fc24ab4a4bddedf70e40392a0482f36655599aeabb2a1c142b1c

    SHA512

    11f82c93d9a40bff0567dbda7abce71c9d691c27e9fcb754b1389ee97a73915bf364e2948038e2bfe0cab5a3881837ba336ecfdec6399027f852edc20f04c6b1

  • C:\Windows\pwisys.ini

    Filesize

    406B

    MD5

    3bde21d9225f08f610849475259a2ad0

    SHA1

    c5924b016d75c7e55dc9162a7a067268e80be0ab

    SHA256

    4838d22a50bc7f72121943a280852048e50d04e7e6af7d1a23586125a4d02860

    SHA512

    57a1defff7079ed624619e48fe8a3c2564e6d8a99eff0f965c05f246cbd957266a3725ee851b4a360dc6761aca499bd376126c7c649db4cf2c7e4b9b46c11988

  • C:\Windows\pwisys.ini

    Filesize

    412B

    MD5

    33f58ad13eb73a2db5f5742c1abdec6f

    SHA1

    95d0b31201ca35e38cac6d72ca948ff570849c42

    SHA256

    508da3348f05bcc4023b176828f985553a36411b9b722fbc1fa53b70ce3c78d1

    SHA512

    41d408242301fa7dfa011bbd2c49dadb83cddc690658bad68bb3a1d1c247891ffc73362536628a49e384be9a3303c99956c51acb23af3981af28aaa531e80e12

  • C:\Windows\pwisys.ini

    Filesize

    445B

    MD5

    31455763d54417b06d02539065e0bd4b

    SHA1

    575d9e0ec77264f5d38d5d2b1aa268b4bf75cd60

    SHA256

    c355f3d72c07223261bdb91f4e4b6231ee02ea253909c60320cf42e95a40af92

    SHA512

    e2f85bc5a4d21bd215703ef64bc93243f351dfbe554a0db1140d96d79ac9ea93c03a1d3dbb858a4e5c5b4c6e428fcbf6b558f8ed8eff75638de7899c3d522394

  • C:\Windows\pwisys.ini

    Filesize

    472B

    MD5

    ba68736bb091dfa427efa5dd6185087d

    SHA1

    57ab795d4cc4997dbbda06d19e9425b57b1c16e4

    SHA256

    05501ed09119326c1f79664d8d19bea3f796945b55426a864af3d55b8940ee2d

    SHA512

    ceecf9600f260b02394e04b54f9f4e42dc718bcf300a22c2a7dcb9d1c6b18191cfbc5d512bde67e05cf5dea4ac5c3d4501649bfaba892002a904354376fbce08

  • \??\c:\mylstecj.bat

    Filesize

    53B

    MD5

    a030a092e0004463d8277d9a7f5aa38a

    SHA1

    544bd23833a144c2bb965b494253aedf2a78f27c

    SHA256

    09973710a0dbef6e906db4dfa88b531ff2abe02a3af84b37adfb9e0c387a52e9

    SHA512

    c3306df79ab7820046a9144e7949fb6a5da56f1ca900f89fd1f6ab8f477b24b8364ed01f98f75ea0c14de35a380314aeb9f840b5e4eef77cf6c48a223a31bb47

  • memory/3604-72-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

  • memory/3604-64-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

  • memory/3604-85-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

  • memory/3604-108-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

  • memory/3604-109-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB