Analysis

  • max time kernel
    133s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19/08/2024, 15:15

General

  • Target

    ab83de45d1c16a443b1ec4baa184a233_JaffaCakes118.exe

  • Size

    208KB

  • MD5

    ab83de45d1c16a443b1ec4baa184a233

  • SHA1

    78d05f2d0a3543491217be713abb945f694c4cbe

  • SHA256

    0cbab79640d1995356806068a77d58d4980ba18e21d22a775246807cf811330d

  • SHA512

    c93c338029e7ef8cb272a1891630ac238d4a4e52939420d94c2960198756d121c0048930d936926e32cfc4d9314c4d8ac498224ca339f99d6b239f16908d111f

  • SSDEEP

    3072:tChJgYMm4xf9cU9KQ2BxA59SPMpOoin2t:JYMm4xiWKQ2BiCM7

Score
10/10

Malware Config

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    ftp.tripod.com
  • Port:
    21
  • Username:
    onthelinux
  • Password:
    741852abc

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ab83de45d1c16a443b1ec4baa184a233_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\ab83de45d1c16a443b1ec4baa184a233_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3732
    • C:\Program Files (x86)\7f9d4ab9\jusched.exe
      "C:\Program Files (x86)\7f9d4ab9\jusched.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:4276

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Program Files (x86)\7f9d4ab9\7f9d4ab9

    Filesize

    17B

    MD5

    89931a70501a3362b6823b53523f5a77

    SHA1

    88c7e199c462ed8cc3af0ba453512b5b1fdcfdb5

    SHA256

    d30d9a0e64bc9f4a306617f087f30de6d57a5413793ab7bde13a299777a1b254

    SHA512

    8fa7ab4824ae86f3f47b3718c11f79ef275dd0639396572eaeb1262ad9153ccf43c633a7b292e30c97370436a09f22fbcf817a802015650ffb1f84d2b83483bd

  • C:\Program Files (x86)\7f9d4ab9\jusched.exe

    Filesize

    208KB

    MD5

    b02c89d5a9780664b4fcc0a165b8df6f

    SHA1

    e04f9ba15449910005c4ce820ec49b8288231492

    SHA256

    97ad87acc62a46fed6d58c82f22cb848baefe2f9313456b677a9c4c1839654a4

    SHA512

    5683e7f50e5b8ea7303ea20c7f9430adaf26905f63f01022b453c5c64729637c04c7611d6c888e50323b755ef1519742fddd0371426bfce43c8c78dfc6345ca6