Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    141s
  • max time network
    129s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25/08/2024, 18:24

General

  • Target

    c14f5b189d2cada501dbba93c2953f48_JaffaCakes118.exe

  • Size

    230KB

  • MD5

    c14f5b189d2cada501dbba93c2953f48

  • SHA1

    d9f5f353e4dc2edee709654fba417f07c520e883

  • SHA256

    a6a49ca55953f5563187b739b9700374742c2e7abeeb3d3340327f3dfaec5ed9

  • SHA512

    bdb771eed27daa2691e16af631237a3db93027679969dcb3e158e705ab7d0ee074e462854dbdd21960780445e424a581d052420622b166c535426a7231910972

  • SSDEEP

    6144:i8e87uZW93Xa5AjW84WRbU2gia/7mW2K1KRD2GWys6v:/e87uoKM4W3gNCWxgRD0ynv

Score
3/10

Malware Config

Signatures

  • System Location Discovery: System Language Discovery 1 TTPs 31 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c14f5b189d2cada501dbba93c2953f48_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\c14f5b189d2cada501dbba93c2953f48_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4320
    • C:\Windows\SysWOW64\cmd.exe
      cmd /k cacls "C:\Arquivos de programas\Alwil Software" /E /T /R Usuários
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4212
      • C:\Windows\SysWOW64\cacls.exe
        cacls "C:\Arquivos de programas\Alwil Software" /E /T /R Usuários
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4028
    • C:\Windows\SysWOW64\cmd.exe
      cmd /k cacls "C:\Arquivos de programas\Alwil Software" /E /T /R Administradores
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2328
      • C:\Windows\SysWOW64\cacls.exe
        cacls "C:\Arquivos de programas\Alwil Software" /E /T /R Administradores
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2196
    • C:\Windows\SysWOW64\cmd.exe
      cmd /k cacls "C:\Arquivos de programas\Alwil Software" /E /T /R SYSTEM
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4844
      • C:\Windows\SysWOW64\cacls.exe
        cacls "C:\Arquivos de programas\Alwil Software" /E /T /R SYSTEM
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4648
    • C:\Windows\SysWOW64\cmd.exe
      cmd /k cacls "C:\Arquivos de programas\AVAST Software" /E /T /R Usuários
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1944
      • C:\Windows\SysWOW64\cacls.exe
        cacls "C:\Arquivos de programas\AVAST Software" /E /T /R Usuários
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1648
    • C:\Windows\SysWOW64\cmd.exe
      cmd /k cacls "C:\Arquivos de programas\AVAST Software" /E /T /R Administradores
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1980
      • C:\Windows\SysWOW64\cacls.exe
        cacls "C:\Arquivos de programas\AVAST Software" /E /T /R Administradores
        3⤵
        • System Location Discovery: System Language Discovery
        PID:860
    • C:\Windows\SysWOW64\cmd.exe
      cmd /k cacls "C:\Arquivos de programas\AVAST Software" /E /T /R SYSTEM
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1168
      • C:\Windows\SysWOW64\cacls.exe
        cacls "C:\Arquivos de programas\AVAST Software" /E /T /R SYSTEM
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2800
    • C:\Windows\SysWOW64\cmd.exe
      cmd /k cacls "C:\Program Files\Alwil Software" /E /R SISTEMA
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3872
      • C:\Windows\SysWOW64\cacls.exe
        cacls "C:\Program Files\Alwil Software" /E /R SISTEMA
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4168
    • C:\Windows\SysWOW64\cmd.exe
      cmd /k cacls "C:\Program Files\Alwil Software" /E /R Usuários
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2084
      • C:\Windows\SysWOW64\cacls.exe
        cacls "C:\Program Files\Alwil Software" /E /R Usuários
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3228
    • C:\Windows\SysWOW64\cmd.exe
      cmd /k cacls "C:\Program Files\Alwil Software" /E /R Administradores
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1000
      • C:\Windows\SysWOW64\cacls.exe
        cacls "C:\Program Files\Alwil Software" /E /R Administradores
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4676
    • C:\Windows\SysWOW64\cmd.exe
      cmd /k cacls "C:\Program Files (x86)\Alwil Software" /E /R SISTEMA
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2872
      • C:\Windows\SysWOW64\cacls.exe
        cacls "C:\Program Files (x86)\Alwil Software" /E /R SISTEMA
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4716
    • C:\Windows\SysWOW64\cmd.exe
      cmd /k cacls "C:\Program Files (x86)\Alwil Software" /E /R Usuários
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1104
      • C:\Windows\SysWOW64\cacls.exe
        cacls "C:\Program Files (x86)\Alwil Software" /E /R Usuários
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1640
    • C:\Windows\SysWOW64\cmd.exe
      cmd /k cacls "C:\Program Files (x86)\Alwil Software" /E /R Administradores
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3772
      • C:\Windows\SysWOW64\cacls.exe
        cacls "C:\Program Files (x86)\Alwil Software" /E /R Administradores
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2420
    • C:\Windows\SysWOW64\cmd.exe
      cmd /k cacls "C:\Program Files\AVAST Software" /E /R SISTEMA
      2⤵
      • System Location Discovery: System Language Discovery
      PID:548
      • C:\Windows\SysWOW64\cacls.exe
        cacls "C:\Program Files\AVAST Software" /E /R SISTEMA
        3⤵
        • System Location Discovery: System Language Discovery
        PID:428
    • C:\Windows\SysWOW64\cmd.exe
      cmd /k cacls "C:\Program Files\AVAST Software" /E /R Usuários
      2⤵
      • System Location Discovery: System Language Discovery
      PID:408
      • C:\Windows\SysWOW64\cacls.exe
        cacls "C:\Program Files\AVAST Software" /E /R Usuários
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4732
    • C:\Windows\SysWOW64\cmd.exe
      cmd /k cacls "C:\Program Files\AVAST Software" /E /R Administradores
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2532
      • C:\Windows\SysWOW64\cacls.exe
        cacls "C:\Program Files\AVAST Software" /E /R Administradores
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4124

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/4320-0-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

  • memory/4320-1-0x00000000001E0000-0x00000000001E8000-memory.dmp

    Filesize

    32KB

  • memory/4320-2-0x00000000022F0000-0x00000000022F1000-memory.dmp

    Filesize

    4KB

  • memory/4320-3-0x00000000001E0000-0x00000000001E8000-memory.dmp

    Filesize

    32KB

  • memory/4320-5-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB