Analysis

  • max time kernel
    144s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21/08/2024, 20:53

General

  • Target

    b501aba04c3b15988a4b6c7402b005bb_JaffaCakes118.exe

  • Size

    22KB

  • MD5

    b501aba04c3b15988a4b6c7402b005bb

  • SHA1

    37c735bb479a37db922ee73306ec4d6bbb802c37

  • SHA256

    72c787288d5592cc86f7a6556042a2da1059925682c7c10dd7c05000da453e39

  • SHA512

    4621311fa46dffd24793b568476a5a3041b1e1bc89f3a5e5f8fc8dcd3cf825331b58424d44780c54367b5beb746f87e0e9577125acc97fcb34978f7f27e1ef9b

  • SSDEEP

    384:IDD2TOgvcVuoA19Ai0eVwkxiz7eqoeNM6KMaHVya4eYnq+GpzHtpPKF3:MXuoAzrDqoB4fIpzNpPK

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer start page 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b501aba04c3b15988a4b6c7402b005bb_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\b501aba04c3b15988a4b6c7402b005bb_JaffaCakes118.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious use of SetThreadContext
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:5464
    • C:\Windows\Fonts\system
      C:\Windows\Fonts\system
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer start page
      • Suspicious behavior: EnumeratesProcesses
      PID:5424
    • C:\Windows\Fonts\alg.exe
      C:\Windows\Fonts\alg.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2356
    • C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:5236
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c c:\DEL.bat
      2⤵
      • System Location Discovery: System Language Discovery
      PID:6084

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\Fonts\alg.exe

    Filesize

    5KB

    MD5

    05c250f63cb268896a4dd1f9386ca6cd

    SHA1

    49562782fa486ba07e8e713c6c3ad8eac0a9417a

    SHA256

    f9f250b8a95fe2ad6831a4fc27a10fddca15b6cedcfb3a1c48823f88fdfbf526

    SHA512

    49e41ab0dd01f096b07b1fe95664f3403b429cad14a70befd219e9641b16c2095120347225844e303490ad12b757140a48c1a1d3d7282742ebcde438d5d047be

  • C:\Windows\Fonts\system

    Filesize

    1KB

    MD5

    93e9952ae2d7a02605cb27775c6714c1

    SHA1

    9d994b2f93feebeb2002d726255d3557188a66f4

    SHA256

    e4eb382194c025a1ba434bece51041457bd3f9980a817f7540982cde8c93e751

    SHA512

    41bedcf547f134719676327cfeff324e48a7830df97811a0b9ca332ce04f233e0e50fb53387d340386aa4441eff65a1e6d20d46762bef3c6ecb28cd47ffd16a4

  • C:\Windows\SysWOW64\fuzdsp.dll

    Filesize

    19KB

    MD5

    66f43d666183c55b44fdfe41ce1783e2

    SHA1

    a8b1df0a70ff55fd5463eed24da1c27a58f48e11

    SHA256

    ad3c0db189642952cf4c940a2cc2cacde2025b33f9ad9a10075fd14e255a304c

    SHA512

    5a57f8125b910e79693fde08c3383fb790f0c3cb3a4fa65236fd7e75ae632a881127c010489592343d4d02ae6b6827cc02cee6eea55cccc55a6044b2d7370b2c

  • \??\c:\DEL.bat

    Filesize

    210B

    MD5

    5cca959dd0ede7d95eaf90989090d441

    SHA1

    8bfb333bbbda4b8a1de03edf441c48fcfa65b906

    SHA256

    a4d3dab539b9e0aad2a76de04637fc4cf68fac6a57414f5ecbc197aa1c6bd6df

    SHA512

    db02faad4b95f1ae517220330ec2a14c746ba38a87a1700ce92dac04b03bca6f89e21735b3395a1e3c3ce6834fc3b97e371e0fa254bf71495773258e1f996b09

  • memory/5236-21-0x0000000000590000-0x000000000059A000-memory.dmp

    Filesize

    40KB

  • memory/5236-18-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

  • memory/5236-20-0x0000000000590000-0x000000000059A000-memory.dmp

    Filesize

    40KB

  • memory/5236-23-0x0000000000590000-0x000000000059A000-memory.dmp

    Filesize

    40KB

  • memory/5236-25-0x0000000000590000-0x000000000059A000-memory.dmp

    Filesize

    40KB

  • memory/5236-27-0x0000000000590000-0x000000000059A000-memory.dmp

    Filesize

    40KB

  • memory/5464-17-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

  • memory/5464-6-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

  • memory/5464-0-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB