Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    138s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12/08/2024, 12:26

General

  • Target

    8ebe91c35cef43c0c54e02fe2029972a_JaffaCakes118.exe

  • Size

    160KB

  • MD5

    8ebe91c35cef43c0c54e02fe2029972a

  • SHA1

    4327bcd62bcc7eed8db3565cd17fb21b2e6548df

  • SHA256

    1a87da4a149ce9ab69b67000e6855182f4f1eede9864bad925eab6a85d13ff1e

  • SHA512

    840f05a1d6ea611f538bc4dec7450b694793d0809ebe19f1affe1f78ca354f09bf97bd2e01a54aa1f0b0343f90a76c67fdf85e6a2d26c9709e9cab713851b5fe

  • SSDEEP

    1536:aygV/7HPS70fbFkFRPxF6wDLJKIKgyg9bWGsXI4EshcEq:aygtjPO0BYnfLJKIKgyg9YFHxq

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Drops file in System32 directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:612
    • C:\Users\Admin\AppData\Local\Temp\8ebe91c35cef43c0c54e02fe2029972a_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\8ebe91c35cef43c0c54e02fe2029972a_JaffaCakes118.exe"
      1⤵
      • Checks computer location settings
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2332
      • C:\Windows\SysWOW64\regperf.exe
        C:\Windows\system32\regperf.exe
        2⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3332
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\8EBE91~1.EXE > nul
        2⤵
        • System Location Discovery: System Language Discovery
        PID:3480

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\SysWOW64\regperf.exe

      Filesize

      68KB

      MD5

      710abb30c0459811648ec7399914a169

      SHA1

      53eeddb90c5333c19e819e27c8c9f8ff09acb6dc

      SHA256

      3698a5f489b56844ccbaa50a632eda896ac5563b6c0a7156e3561acdfe5cf274

      SHA512

      69499f4e38b5c56d6eff6a16af24a34bd7ab5bcdbd7278f2a84fc76a98316e7081d037f9e189a0c9f3127919f45b5d3f21b320703c034e689e991051fdf44b1a