Analysis

  • max time kernel
    136s
  • max time network
    134s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19/08/2024, 05:59

General

  • Target

    a9db6c03c9ddf1ca0308c40781c11f43_JaffaCakes118.exe

  • Size

    24KB

  • MD5

    a9db6c03c9ddf1ca0308c40781c11f43

  • SHA1

    68cf505a3e033a3b863fe52b16fea2cf6347aa16

  • SHA256

    bf0b459c3c9d8a26636157fb8b9c693df0b75f7ded288ebafe8d6374853176fa

  • SHA512

    86562dd907d42da3c422ab7230f298bab68fe35669e828782b97e66a2d23a07fc41906fdf4d780443c5f5803067f6dae4a21ed6081cb67234b022e47dcabb2bd

  • SSDEEP

    192:teOtaGSJAeBqaVKwlf3e4gbZdH0dHRdHwdHPH1SdHB18GZCju11K7kvBPOnT3Uvb:MMGPVx3ehVqrmuJk2VvBR

Malware Config

Signatures

  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 8 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 42 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a9db6c03c9ddf1ca0308c40781c11f43_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\a9db6c03c9ddf1ca0308c40781c11f43_JaffaCakes118.exe"
    1⤵
    • Event Triggered Execution: Image File Execution Options Injection
    • Checks computer location settings
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies Internet Explorer settings
    • Suspicious use of WriteProcessMemory
    PID:4616
    • C:\Windows\LSFPRN.EXE
      "C:\Windows\LSFPRN.EXE"
      2⤵
      • Event Triggered Execution: Image File Execution Options Injection
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of WriteProcessMemory
      PID:2936
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        "C:\Program Files (x86)\Internet Explorer\iexplore.exe" C:\Windows\iexplore.htm
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:116
        • C:\Program Files\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files\Internet Explorer\IEXPLORE.EXE" C:\Windows\iexplore.htm
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2340
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2340 CREDAT:17410 /prefetch:2
            5⤵
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:916

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\LSFPRN.EXE

    Filesize

    24KB

    MD5

    a9db6c03c9ddf1ca0308c40781c11f43

    SHA1

    68cf505a3e033a3b863fe52b16fea2cf6347aa16

    SHA256

    bf0b459c3c9d8a26636157fb8b9c693df0b75f7ded288ebafe8d6374853176fa

    SHA512

    86562dd907d42da3c422ab7230f298bab68fe35669e828782b97e66a2d23a07fc41906fdf4d780443c5f5803067f6dae4a21ed6081cb67234b022e47dcabb2bd

  • C:\Windows\SysWOW64\44upd.dll

    Filesize

    256B

    MD5

    7fc27f0eb3c1ab6ef579f4ef0ac12774

    SHA1

    d04c43eb42a01467e1bb8996de0160e959d50079

    SHA256

    a0aca3e8c478cbe4fd866047007bab97099b03512841c67fd139df62e47d6f02

    SHA512

    c7706b6ea625da5aa968f4be791127e1faea3a00f458052210158d685666241bc15175b55d14f569493026e7cdb8c36d0892e284e426125e45c9b77abed89379

  • C:\Windows\iexplore.htm

    Filesize

    1KB

    MD5

    1d47e608ba041a2325a1eab479180bf4

    SHA1

    7316d2d1a0fc1ccd6d1d4530db63ca55167c16c0

    SHA256

    843ad1039e884b2dc398b7db77ea920e7853b8490bf2960dbf14882729435899

    SHA512

    3fae7d2409d8a2cad5f0370ac93a373d874d5a83d9692fb10012e4d587f9e77c1c25cfc55a2b18d39308ca734b385abe48f28411aa197126b8ed4b6264b35e15