Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17/08/2024, 17:18

General

  • Target

    a36e54cd1cc3d386f74fa3c8ccdaa71b_JaffaCakes118.exe

  • Size

    77KB

  • MD5

    a36e54cd1cc3d386f74fa3c8ccdaa71b

  • SHA1

    875819d86f5f6f3c086b63b32fc973e0b60f897d

  • SHA256

    5137432a6375cb9052c13df3eaf2a310a2a419f2a03b800f692d5102de38e0b4

  • SHA512

    88cc3970c2a682e39ab61597aa95bff9a38ee662daed10a0c63844060f6ba88ec952d088d9586c753d74620d24d8de6012a9b51459b09016bee8c7e00244501f

  • SSDEEP

    1536:E4j/n/LaHhf7P+ifYQBS0746W9N6Gjb7c2KXls20mRuYW8x+j:ljvjx3FKlluYWE+j

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 26 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SetWindowsHookEx 9 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a36e54cd1cc3d386f74fa3c8ccdaa71b_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\a36e54cd1cc3d386f74fa3c8ccdaa71b_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1048
    • C:\Windows\SysWOW64\msiconf.exe
      C:\Windows\system32\msiconf.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      PID:2524
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\A36E54~1.EXE >> nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2196
  • C:\Program Files (x86)\Internet Explorer\ielowutil.exe
    "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
    1⤵
    • System Location Discovery: System Language Discovery
    PID:2980
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4924
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4924 CREDAT:17410 /prefetch:2
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:4940
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1056
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1056 CREDAT:17410 /prefetch:2
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1136

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Thumbs.db

    Filesize

    14B

    MD5

    7fdf22ea47b6439bff8c6577db2d5f2f

    SHA1

    742940d7eabbf4ef6d6b2fd61750f14474d41f3b

    SHA256

    9b7e80ae7887e2b78defc5d77d27d38e2420ecdb8581e1633194a99a8735fec0

    SHA512

    49ad17bf2d37efb10e86993a771d6fc146be4dc6304fda0aceae45c6d11c72a1589756f4220cbca7e83ee04e7930129df00b1dfc53370dde01f9932ec78145d9

  • C:\Windows\SysWOW64\msiconf.exe

    Filesize

    77KB

    MD5

    a36e54cd1cc3d386f74fa3c8ccdaa71b

    SHA1

    875819d86f5f6f3c086b63b32fc973e0b60f897d

    SHA256

    5137432a6375cb9052c13df3eaf2a310a2a419f2a03b800f692d5102de38e0b4

    SHA512

    88cc3970c2a682e39ab61597aa95bff9a38ee662daed10a0c63844060f6ba88ec952d088d9586c753d74620d24d8de6012a9b51459b09016bee8c7e00244501f

  • memory/1048-0-0x0000000000400000-0x0000000000427000-memory.dmp

    Filesize

    156KB

  • memory/1048-2-0x0000000000400000-0x0000000000427000-memory.dmp

    Filesize

    156KB

  • memory/1048-1-0x0000000000400000-0x0000000000427000-memory.dmp

    Filesize

    156KB

  • memory/1048-12-0x0000000000400000-0x0000000000427000-memory.dmp

    Filesize

    156KB

  • memory/2524-13-0x0000000000400000-0x0000000000427000-memory.dmp

    Filesize

    156KB

  • memory/2524-16-0x0000000000400000-0x0000000000427000-memory.dmp

    Filesize

    156KB

  • memory/2524-31-0x0000000000400000-0x0000000000427000-memory.dmp

    Filesize

    156KB

  • memory/2524-35-0x0000000000400000-0x0000000000427000-memory.dmp

    Filesize

    156KB

  • memory/2524-57-0x0000000000400000-0x0000000000427000-memory.dmp

    Filesize

    156KB