47fb6c735ea41d70c4a9a806f85abf6ce68d49faf2059fc284ee270f3333bbb9

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
11/08/2024, 11:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8a3e998833fd8b0185b5152b0a68b93b_JaffaCakes118.exe
Size

156KB
MD5

8a3e998833fd8b0185b5152b0a68b93b
SHA1

66e23b39b748452a81f6f81b0846b19dd29e3049
SHA256

47fb6c735ea41d70c4a9a806f85abf6ce68d49faf2059fc284ee270f3333bbb9
SHA512

f6fd173ef7098e6cd1ca59de45e9b7b1aab4e85ed5fd59a5b162726068a732a63d931a33fa2dcc9cbf10be694b5db76c93300bdcdc9f7ab0353dd589c656759c
SSDEEP

3072:FJKjp4Hg29j1MDNXBEmhxAxTohTMg7yFGlKkTJrcDuG:qogGxMDNxxhaaimKl

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
768	Triria.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\TBXQRHV4KR = "C:\\Windows\\Triria.exe"	Triria.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Triria.exe	8a3e998833fd8b0185b5152b0a68b93b_JaffaCakes118.exe
File created	C:\Windows\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job	8a3e998833fd8b0185b5152b0a68b93b_JaffaCakes118.exe
File opened for modification	C:\Windows\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job	8a3e998833fd8b0185b5152b0a68b93b_JaffaCakes118.exe
File created	C:\Windows\Triria.exe	8a3e998833fd8b0185b5152b0a68b93b_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8a3e998833fd8b0185b5152b0a68b93b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Triria.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	8a3e998833fd8b0185b5152b0a68b93b_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	Triria.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main	Triria.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\International	Triria.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
768	Triria.exe
768	Triria.exe
768	Triria.exe
768	Triria.exe
768	Triria.exe
768	Triria.exe
768	Triria.exe
768	Triria.exe
768	Triria.exe
768	Triria.exe
768	Triria.exe
768	Triria.exe
768	Triria.exe
768	Triria.exe
768	Triria.exe
768	Triria.exe
768	Triria.exe
768	Triria.exe
768	Triria.exe
768	Triria.exe
768	Triria.exe
768	Triria.exe
768	Triria.exe
768	Triria.exe
768	Triria.exe
768	Triria.exe
768	Triria.exe
768	Triria.exe
768	Triria.exe
768	Triria.exe
768	Triria.exe
768	Triria.exe
768	Triria.exe
768	Triria.exe
768	Triria.exe
768	Triria.exe
768	Triria.exe
768	Triria.exe
768	Triria.exe
768	Triria.exe
768	Triria.exe
768	Triria.exe
768	Triria.exe
768	Triria.exe
768	Triria.exe
768	Triria.exe
768	Triria.exe
768	Triria.exe
768	Triria.exe
768	Triria.exe
768	Triria.exe
768	Triria.exe
768	Triria.exe
768	Triria.exe
768	Triria.exe
768	Triria.exe
768	Triria.exe
768	Triria.exe
768	Triria.exe
768	Triria.exe
768	Triria.exe
768	Triria.exe
768	Triria.exe
768	Triria.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2604	8a3e998833fd8b0185b5152b0a68b93b_JaffaCakes118.exe
768	Triria.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2604 wrote to memory of 768	2604	8a3e998833fd8b0185b5152b0a68b93b_JaffaCakes118.exe	31
PID 2604 wrote to memory of 768	2604	8a3e998833fd8b0185b5152b0a68b93b_JaffaCakes118.exe	31
PID 2604 wrote to memory of 768	2604	8a3e998833fd8b0185b5152b0a68b93b_JaffaCakes118.exe	31
PID 2604 wrote to memory of 768	2604	8a3e998833fd8b0185b5152b0a68b93b_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\8a3e998833fd8b0185b5152b0a68b93b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8a3e998833fd8b0185b5152b0a68b93b_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2604
- C:\Windows\Triria.exe
  C:\Windows\Triria.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  PID:768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job

Filesize
372B

MD5
d9a045b027c3ac2bd6f5b962687f875c

SHA1
f69e8a9df394c7fcc577ef76ab11eb1a6a93fb11

SHA256
6131a1e71fd6d980030d40cf0dd3858d0f90e133c102a549aedf17d03a9f097f

SHA512
dd639f82a14ea3e55fb2c81756028ab87cbb6faea0a4cb40e70d1c2adfe34e267bc91e1e67b59efb48bcfff82e65ab3154ab32aeede74add05d6903a13485213

Download Submit
C:\Windows\Triria.exe

Filesize
156KB

MD5
8a3e998833fd8b0185b5152b0a68b93b

SHA1
66e23b39b748452a81f6f81b0846b19dd29e3049

SHA256
47fb6c735ea41d70c4a9a806f85abf6ce68d49faf2059fc284ee270f3333bbb9

SHA512
f6fd173ef7098e6cd1ca59de45e9b7b1aab4e85ed5fd59a5b162726068a732a63d931a33fa2dcc9cbf10be694b5db76c93300bdcdc9f7ab0353dd589c656759c

Download Submit
memory/768-52773-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/768-52776-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/768-52783-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/768-10-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/768-12-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/768-11-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/768-52782-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/768-52778-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/768-52771-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/768-52775-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/768-52774-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2604-0-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2604-52772-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2604-1-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2604-38978-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2604-2-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2604-9-0x00000000006A0000-0x00000000006D9000-memory.dmp

Filesize
228KB

Download