Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    135s
  • max time network
    104s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20/08/2024, 17:42

General

  • Target

    b03323beac9d9f5e1bea9df445ec3aa7_JaffaCakes118.exe

  • Size

    15KB

  • MD5

    b03323beac9d9f5e1bea9df445ec3aa7

  • SHA1

    9cad6930b8d04a71255828fbf0223d20e6068fa2

  • SHA256

    f2c596b2327609ddf8faefcadfc5b5aba0968a648c1bbfb420344c5361d64f6b

  • SHA512

    bcd9fb55f6601dcf38017ffb9b40362071d47143989d7f63a65a4efc20f04a91be5dcdb5f9692a297d6ec3eaf050841a1d5964abfde95d4a6f72f56e33b42e3b

  • SSDEEP

    384:mTW/W75+GOuMmmV768YVkG+/+vJxmHd/RVdrP:xN0t9+/3RTD

Malware Config

Signatures

  • Sets service image path in registry 2 TTPs 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 5 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b03323beac9d9f5e1bea9df445ec3aa7_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\b03323beac9d9f5e1bea9df445ec3aa7_JaffaCakes118.exe"
    1⤵
    • Sets service image path in registry
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4280
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Windows\system32\delme.bat
      2⤵
      • System Location Discovery: System Language Discovery
      PID:516
  • C:\Windows\SysWOW64\45CFC2D2.EXE
    C:\Windows\SysWOW64\45CFC2D2.EXE -k
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    PID:1052

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\45CFC2D2.EXE

    Filesize

    15KB

    MD5

    b03323beac9d9f5e1bea9df445ec3aa7

    SHA1

    9cad6930b8d04a71255828fbf0223d20e6068fa2

    SHA256

    f2c596b2327609ddf8faefcadfc5b5aba0968a648c1bbfb420344c5361d64f6b

    SHA512

    bcd9fb55f6601dcf38017ffb9b40362071d47143989d7f63a65a4efc20f04a91be5dcdb5f9692a297d6ec3eaf050841a1d5964abfde95d4a6f72f56e33b42e3b

  • C:\Windows\SysWOW64\delme.bat

    Filesize

    239B

    MD5

    805f091908cbc6bf1cf47a059dca7bd8

    SHA1

    fbdf88ec4eb4b016f86f9804dc93e67d8b0cba86

    SHA256

    982abac4f20de3cd18fb68c6d194b0e68569cec1a0318ae6595c8532150bf7de

    SHA512

    8d0d7ca654c83933b06bdde9f7a54757b3b4a2992b4e2318981d1b9aa0b5ae8f3a010aabbe895290f6b350101151d85b98c2f6e6704c571400727741d95a39b7

  • memory/1052-5-0x0000000000570000-0x0000000000571000-memory.dmp

    Filesize

    4KB

  • memory/1052-11-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

  • memory/4280-0-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

  • memory/4280-1-0x00000000006B0000-0x00000000006B1000-memory.dmp

    Filesize

    4KB

  • memory/4280-9-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB