Analysis

  • max time kernel
    150s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23/08/2024, 20:17

General

  • Target

    bd02dd4aeb54e99962d72649846388e7_JaffaCakes118.exe

  • Size

    20KB

  • MD5

    bd02dd4aeb54e99962d72649846388e7

  • SHA1

    45e4bee4b2dfddfab1f8de0b9cdc564617a1b561

  • SHA256

    0e36eb0d6f2b882a23358d5fdd98c812c8139d64bf26a4cee2a2d43b2a43d4f9

  • SHA512

    ff804b2c036b08191e5b157c34ddcb1a0aa57c354b82f7cf65e180f235b1037d03da99be7d5b842733445c6fc0e6f66cd618fd10fe07e26b04ceb92d68b56f1b

  • SSDEEP

    192:1l5E3krTuntKy0peHDfCpHfBv+I4QwXt9V+jqu0G5KDJBf:1M3PnQoHDCpHf4I4Qwdc0G5KDJZ

Score
8/10

Signatures

  • Drops file in Drivers directory 39 IoCs
  • Manipulates Digital Signatures 2 IoCs

    Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 3 IoCs
  • Drops desktop.ini file(s) 57 IoCs
  • Drops autorun.inf file 1 TTPs 28 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 41 IoCs
  • Modifies registry class 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 11 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bd02dd4aeb54e99962d72649846388e7_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\bd02dd4aeb54e99962d72649846388e7_JaffaCakes118.exe"
    1⤵
    • Drops file in Drivers directory
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4744
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" C:\Windows\AE 0124 BE.gif
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:228
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:228 CREDAT:17410 /prefetch:2
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:3492
    • C:\Windows\SysWOW64\drivers\winlogon.exe
      "C:\Windows\System32\drivers\winlogon.exe"
      2⤵
      • Drops file in Drivers directory
      • Checks computer location settings
      • Executes dropped EXE
      • Drops autorun.inf file
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4532
      • C:\Windows\AE 0124 BE.exe
        "C:\Windows\AE 0124 BE.exe"
        3⤵
        • Drops file in Drivers directory
        • Manipulates Digital Signatures
        • Checks computer location settings
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops desktop.ini file(s)
        • Drops autorun.inf file
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1872
        • C:\Windows\SysWOW64\drivers\winlogon.exe
          "C:\Windows\System32\drivers\winlogon.exe"
          4⤵
          • Drops file in Drivers directory
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:3376
      • C:\Windows\SysWOW64\drivers\winlogon.exe
        "C:\Windows\System32\drivers\winlogon.exe"
        3⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2232

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

    Filesize

    471B

    MD5

    c7e3b23826b88f278d1e288a4470605e

    SHA1

    57dfb4622f47d230bb3b7de93a1233fe63a371d0

    SHA256

    8a4a36c919799e5e243666866a97a65df2744184d27fb070858e7391b806ace9

    SHA512

    caec881ca9294c6d5d6f35dd502c615459bd86abfc91c6695cff34b17b637d210e7bb456f5311a78cf01d55a76a994c602205bf8d0b4c30302e4ba7bab31e447

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

    Filesize

    404B

    MD5

    0ecb2098875ab1db453d3c89dd5200f4

    SHA1

    281cd7558b977b03c5a7459e6ff7e4dda5d0f2a9

    SHA256

    43e378d27b09e8d6d85e92ab1cbf4de87898047be74fe36870e38aa4bd61a66f

    SHA512

    c6af70bddb8a53383725bb69f2916c0c6f6c4c0724f7e11713a9db5a0d5398dba07e86dbea9755cfa332b0add7704e51a6af891aade1e6184f44de08a4cff75b

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\O8WYVOD7\suggestions[1].en-US

    Filesize

    17KB

    MD5

    5a34cb996293fde2cb7a4ac89587393a

    SHA1

    3c96c993500690d1a77873cd62bc639b3a10653f

    SHA256

    c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

    SHA512

    e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

  • C:\Windows\AE 0124 BE.gif

    Filesize

    20KB

    MD5

    cb6939883139c3e42d3929c5ad9d2835

    SHA1

    837b47e4fb2965f496f615139bb0f977a76f8e72

    SHA256

    7a592adb0f88f8b0e2e02dc63c6d4a1515e2306418c71967284fd40c5b93d98f

    SHA512

    e739ac2a7d1bb3a9fe72fa3f25d56cf9f4e8fdc053a64761dd7cf882228652e74635e3e8a20fe792f6deb7b0c0030bb621ae0af43032c32aa0984ad76c697204

  • C:\Windows\AE 0124 BE.gif

    Filesize

    40KB

    MD5

    e8e58247e82ab01f6b632d8312ef1c98

    SHA1

    c5bc58b2572a0747b8320e094eb45f356619b54a

    SHA256

    1139c2f8ced9d3cc2bb625f50f6f16d2e89aef9680a229e3e2f6b7c680212503

    SHA512

    0dc880625ed703c2ba204b967b77260e45eaa33a44876ea0fdc91c8d72ef7ad66dab2f552ab392e889f1078406a96e236777537d45518f34b54e1eb7592d67d7

  • C:\Windows\Msvbvm60.dll

    Filesize

    1.4MB

    MD5

    25f62c02619174b35851b0e0455b3d94

    SHA1

    4e8ee85157f1769f6e3f61c0acbe59072209da71

    SHA256

    898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

    SHA512

    f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

  • C:\Windows\SysWOW64\drivers\winlogon.exe

    Filesize

    40KB

    MD5

    f825399e1fe984d85e4883b67fc01eee

    SHA1

    ac8e3d8e53482cdb0ed7fceeabb4a3bbc2d1f96f

    SHA256

    651ece11587162fbfbce9005128e320b3f6319310aedbb5721837e74225ed936

    SHA512

    c43ce49bb75a8dbb8397c71420a86b0d0ae05b991fc56a19f9b3139719cab1dd42d65d8a1ea8388d475c039ef847c7a5b85c98d4b6904f2f4278b2f64afa35bc

  • \??\c:\B1uv3nth3x1.diz

    Filesize

    25B

    MD5

    589b6886a49054d03b739309a1de9fcc

    SHA1

    0ec1dff7a03f13dea28eea5e754d5b0e5e1dc308

    SHA256

    564815feb9c5bdadb145cd0d16738c4e5fbc6a46cf65c62ac6a985c43d1939e8

    SHA512

    4b6f567398863aba39eec00e9f071364b79d5c29867b93fb968725e10e33a9bfff60f8ab6acceae44e715a35ec7139d12da06c33fa074b6be02ff5357c53c0eb