Analysis

  • max time kernel: 142s
  • max time network: 145s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240802-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 17/08/2024, 17:39

General

  • Target: a37e2dafe191e2b5032816242f442fee_JaffaCakes118.exe
  • Size: 960KB
  • MD5: a37e2dafe191e2b5032816242f442fee
  • SHA1: d71d8488eaf31ab93eefd44833f93a32c063f479
  • SHA256: a828fe824249c9965db6d964a6fbb701f148aada1b56d9a39b58129beb537371
  • SHA512: de25c76803ebd5296ed06fde3c648168da225150d5bf09766747beee0351b34ffb4e8832f333b46cda0b1ae426175565674e78d6838a6d874eaa748465cec094
  • SSDEEP: 24576:HwU/UwhWvS3u9OvUisQM6GcC1pfnnnDolPNl3HpM5b:HZU8W81vdMcUfnnDIZpMB

Signatures

  • ACProtect 1.3x - 1.4x DLL software (1 IoCs)
    Detects file using ACProtect software.
  • Checks computer location settings (2 TTPs, 1 IoCs)
    Looks up country code configured in the registry, likely geofence.
  • Executes dropped EXE (4 IoCs)
  • Loads dropped DLL (2 IoCs)
  • UPX packed file (17 IoCs)
    Detects executables packed with UPX/modified UPX open source packer.
  • Adds Run key to start application (2 TTPs, 1 IoCs)
  • Drops file in Program Files directory (25 IoCs)
  • Enumerates physical storage devices (1 TTPs)
    Attempts to interact with connected storage/optical drive(s).
  • System Location Discovery: System Language Discovery (1 TTPs, 7 IoCs)
    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  • Suspicious behavior: EnumeratesProcesses (4 IoCs)
  • Suspicious use of FindShellTrayWindow (20 IoCs)
  • Suspicious use of SendNotifyMessage (19 IoCs)
  • Suspicious use of WriteProcessMemory (18 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\a37e2dafe191e2b5032816242f442fee_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\a37e2dafe191e2b5032816242f442fee_JaffaCakes118.exe"
    1⤵
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3208
    • C:\Program Files (x86)\F53304\shdocvw.exe
      "C:\Program Files (x86)\F53304\shdocvw.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4176
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\F53304\runer.bat""
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4924
        • C:\Windows\SysWOW64\reg.exe
          reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v shdocvw /t REG_SZ /d " C:\Program Files (x86)\F53304\shdocvw.exe " /f
          4⤵
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          PID:1964
      • C:\Program Files (x86)\F53304\svchost.exe
        "C:\Program Files (x86)\F53304\svchost.exe" /stealth
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1656
        • C:\Program Files (x86)\F53304\svchost.exe
          "C:\Program Files (x86)\F53304\svchost.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          PID:2344
      • C:\Program Files (x86)\F53304\updater.exe
        "C:\Program Files (x86)\F53304\updater.exe"
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:1172

Downloads

  • C:\Program Files (x86)\F53304\Svchost.lst
    Filesize: 2KB
    MD5: 9b832a7221a6ea972bd0279ef7f023a6
    SHA1: d730b041f0f55a8203cd250454ec410fb9b10ac8
    SHA256: f75a34a8859a42bd79eafd2975d316334cf88c78815692e232d663385d8d95ba
    SHA512: 2315d037498f5a44e7f6124dcb7508294ca66a9900fdf7daeed67d87a6c9c05272bb68192dea057fb47f51b2465cc87b7a39d5b7759abd4bdae3fd46ec31016f

  • C:\Program Files (x86)\F53304\lst.txt
    Filesize: 7KB
    MD5: 5c75256ff15177fadac5c895c962b733
    SHA1: e90e0c7a8be93e60dc3410157c38d7d3f732b88f
    SHA256: 62f1c6afca91811f41c42ddb85464a4ddf0787793a079a68587c1a0f0b53c5d3
    SHA512: f2c18915b819fe7d8362a1875a360e36402245eff7e3980f628b0c0a07194378a0c7096e14ffe111bbfe56b46f8cae9c2a1b7993eda08e997da308cd313bf9cb

  • C:\Program Files (x86)\F53304\plugins\Uploading.plg
    Filesize: 35KB
    MD5: b53aa2d38566d4e21c3c914c2aa650f6
    SHA1: 2d1e2add2c7b0dcc5cb1cc124a4bece34854d11d
    SHA256: 925deb907ac4b6988c3da7acd5a12456bd544d40327ba26d1841ce0d9d4ed1c4
    SHA512: 35d3899d58c4cb8d66566903091a587a32c572bd86da48642b3405218624a2384d3360fc528aeb43f3b77ec1170b16c116be2bf49fe79a7608c59caf81f8c95a

  • C:\Program Files (x86)\F53304\runer.bat
    Filesize: 156B
    MD5: 4e8178e43142a785c4ce9e0a0f071e2e
    SHA1: b6f6310db8bc31982116d91a3a94cca485b929e0
    SHA256: 93a8384ccc63206556223808850ef24da47cecf6db9c9007a5d891003d9bd805
    SHA512: ce04af05cfa6ec003d60c19a104c2b2fe85d54b2a8857211973d48defe6cb7b7d4a8767123aa23ef05717bc66cbbb7c4a3c25d81b81b97ac470e72cefede117b

  • C:\Program Files (x86)\F53304\shdocvw.exe
    Filesize: 960KB
    MD5: a37e2dafe191e2b5032816242f442fee
    SHA1: d71d8488eaf31ab93eefd44833f93a32c063f479
    SHA256: a828fe824249c9965db6d964a6fbb701f148aada1b56d9a39b58129beb537371
    SHA512: de25c76803ebd5296ed06fde3c648168da225150d5bf09766747beee0351b34ffb4e8832f333b46cda0b1ae426175565674e78d6838a6d874eaa748465cec094

  • C:\Program Files (x86)\F53304\svchost.exe
    Filesize: 535KB
    MD5: 57c3d3cd8d2c2863ce09cd1f41836718
    SHA1: 4ad095d123bc76f1082bbc66d20bb8836df712cd
    SHA256: 3932741f0829f9756acd0ef8c549b6b0676f0f61293ea3ce91440370ca8f8dd4
    SHA512: 380788dccd69b8261a47bfe0dc7498ab72e32ba614f534e50de64366c3a7627fcd04f49df590196ad19bb8e1b0d3bb5f1749f3da4029690e2363f1661ebd8f42

  • C:\Program Files (x86)\F53304\svchost.ini
    Filesize: 2KB
    MD5: 27344e37729b1c50c8d3588bbf31aa66
    SHA1: c67926b3ce609819e58cebd94b988d62cac1d27d
    SHA256: bd8cf293f2029b692478bc4187f3a3d9dd29210631d66cd83e9d2c4498b165e8
    SHA512: 16e94038b1b26f1908bc6d4d97a862384f3398c5a05127e3d98d91fcd7971f9aa85c0280250221a9e8f63671f9932b323fd899eca07be705aa9a3d481824d5c0

  • C:\Program Files (x86)\F53304\updater.exe
    Filesize: 202KB
    MD5: fc438aff60f8040bfee7713a4ea2fc5d
    SHA1: 02104d5d1c56897fe1de0f63db35aa9094af533d
    SHA256: 697bd104278f0bc1ae965a3fe415db2d19729ac15bc7f68e826401067537894c
    SHA512: d2e55a0006e1f35e44124a6911c394849c59c6d4dd6e1dfaa3c9298589186465b88b394c406ab4150ae86d8a61f61329d4bf3879cc81323c19e152e9babe4f17

  • memory/1172-122-0x0000000000400000-0x0000000000474000-memory.dmp (Filesize: 464KB)
  • memory/1656-93-0x0000000000400000-0x000000000057F000-memory.dmp (Filesize: 1.5MB)
  • memory/1656-97-0x0000000002750000-0x0000000002751000-memory.dmp (Filesize: 4KB)
  • memory/1656-105-0x0000000000400000-0x000000000057F000-memory.dmp (Filesize: 1.5MB)
  • memory/2344-125-0x0000000000400000-0x000000000057F000-memory.dmp (Filesize: 1.5MB)
  • memory/2344-115-0x0000000004270000-0x000000000428D000-memory.dmp (Filesize: 116KB)
  • memory/2344-123-0x0000000000400000-0x000000000057F000-memory.dmp (Filesize: 1.5MB)
  • memory/2344-124-0x0000000004270000-0x000000000428D000-memory.dmp (Filesize: 116KB)
  • memory/2344-129-0x0000000000400000-0x000000000057F000-memory.dmp (Filesize: 1.5MB)
  • memory/2344-139-0x0000000000400000-0x000000000057F000-memory.dmp (Filesize: 1.5MB)
  • memory/2344-152-0x0000000004270000-0x000000000428D000-memory.dmp (Filesize: 116KB)
  • memory/3208-6-0x0000000000400000-0x0000000000474000-memory.dmp (Filesize: 464KB)
  • memory/3208-0-0x0000000000400000-0x0000000000474000-memory.dmp (Filesize: 464KB)
  • memory/4176-101-0x0000000000400000-0x0000000000474000-memory.dmp (Filesize: 464KB)