Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    140s
  • max time network
    108s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/08/2024, 04:50

General

  • Target

    a9a6e3d32934da8a40bb2d9cf4330e5d_JaffaCakes118.exe

  • Size

    95KB

  • MD5

    a9a6e3d32934da8a40bb2d9cf4330e5d

  • SHA1

    d670d6307988225505e5d355b8f995aec6dec5d3

  • SHA256

    982173af7432cf1f421272547e88fa2bcec49bd03f1090a2987ed0f5c9d226a5

  • SHA512

    e3b0ce97ee129d5ef13322fe66a08137d250cfe917741ec6c284f5762d05265bb14c7214e3e3455f5bbf0c37dc9221a3372dcac92572ca3a756737389d286a1b

  • SSDEEP

    1536:AWqjQlCaPmJsbc//////mPLaO/MfAmjpebuwcfYHDzv3DkkSq7XD8hDdA2bSCQM1:aECuVbc//////hO/ZopqHDdSqLUDdA2b

Malware Config

Signatures

  • Disables service(s) 3 TTPs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Launches sc.exe 4 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • System Location Discovery: System Language Discovery 1 TTPs 27 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Kills process with taskkill 8 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 30 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 20 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a9a6e3d32934da8a40bb2d9cf4330e5d_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\a9a6e3d32934da8a40bb2d9cf4330e5d_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3792
    • C:\Windows\SysWOW64\net.exe
      net stop "Security Center"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4840
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "Security Center"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2392
    • C:\Windows\SysWOW64\net.exe
      net sTOP "wINDOWS fIREWALL/iNTERNET cONNECTION sHARING (ics)"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4996
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 sTOP "wINDOWS fIREWALL/iNTERNET cONNECTION sHARING (ics)"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4268
    • C:\Windows\SysWOW64\NET.exe
      NET STOP sYStem Restore Service
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4028
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 STOP sYStem Restore Service
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1472
    • C:\Windows\SysWOW64\sc.exe
      sc config ekrn start= disabled
      2⤵
      • Launches sc.exe
      • System Location Discovery: System Language Discovery
      PID:3540
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /im ekrn.exe /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1048
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /im egui.exe /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2560
    • C:\Windows\SysWOW64\sc.exe
      sc config NOD32kRn start= disabled
      2⤵
      • Launches sc.exe
      • System Location Discovery: System Language Discovery
      PID:696
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /im nod32krn.exe /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2216
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /im nod32kui.exe /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:3504
    • C:\Windows\SysWOW64\net.exe
      net stop "Security Center"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1064
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "Security Center"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4532
    • C:\Windows\SysWOW64\net.exe
      net sTOP "wINDOWS fIREWALL/iNTERNET cONNECTION sHARING (ics)"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3456
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 sTOP "wINDOWS fIREWALL/iNTERNET cONNECTION sHARING (ics)"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:428
    • C:\Windows\SysWOW64\NET.exe
      NET STOP sYStem Restore Service
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4148
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 STOP sYStem Restore Service
        3⤵
        • System Location Discovery: System Language Discovery
        PID:708
    • C:\Windows\SysWOW64\sc.exe
      sc config ekrn start= disabled
      2⤵
      • Launches sc.exe
      • System Location Discovery: System Language Discovery
      PID:3328
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /im ekrn.exe /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2016
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /im egui.exe /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:3996
    • C:\Windows\SysWOW64\sc.exe
      sc config NOD32kRn start= disabled
      2⤵
      • Launches sc.exe
      • System Location Discovery: System Language Discovery
      PID:4008
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /im nod32krn.exe /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1188
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /im nod32kui.exe /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:3692
    • C:\Users\Admin\AppData\Local\Temp\SETUP.EXE
      C:\Users\Admin\AppData\Local\Temp\SETUP.EXE
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:3248
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c del C:\NTDUBECT.EXE
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4340

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\SETUP.EXE

    Filesize

    29KB

    MD5

    61213073c273df8eb02735d2171bd0c4

    SHA1

    3880c6a20f9bec59a85bc4130149683cec52ddf6

    SHA256

    58d00b39db9e1e0cc17d33e20f2f2e0c87e8ce12c860a22a1c772e170b4894f4

    SHA512

    f226cdbd4bb9f60bfe71fba8456b54cdae64026e0633e49af8a9c0354fdde71d3e42531bd5dabd71ffa8c0a0f36d2c85915c294a2baf50d5d6bd2df36dd97023

  • C:\Users\Admin\AppData\Local\Temp\WowInitcode.dll

    Filesize

    41KB

    MD5

    32e9935a7fb2b750c4432b01b67da483

    SHA1

    5e6b8a0b44a2d605387a6cce090b832ff12ac25e

    SHA256

    3b1aad0ca2b88dd5fa7b1095345c28b46a90fd6ba0a3f0eea3cec25d1b811a4f

    SHA512

    8dbe88e9d4b2d5fb492e99eb642993b63b51ddb489c283ca9b9307968d8282587965c89d653cea0174da2f3eb42e1b81b49b87f6572910b6fa9d618803250793

  • memory/3248-3-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/3248-10-0x0000000000500000-0x0000000000514000-memory.dmp

    Filesize

    80KB

  • memory/3248-14-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/3248-15-0x0000000000500000-0x0000000000514000-memory.dmp

    Filesize

    80KB

  • memory/3248-41-0x0000000000500000-0x0000000000514000-memory.dmp

    Filesize

    80KB

  • memory/3792-13-0x0000000010000000-0x0000000010020000-memory.dmp

    Filesize

    128KB