Analysis

  • max time kernel
    94s
  • max time network
    122s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06/09/2024, 08:50

General

  • Target

    cf2698bbd827384c2d80ce7260730dfa_JaffaCakes118.exe

  • Size

    105KB

  • MD5

    cf2698bbd827384c2d80ce7260730dfa

  • SHA1

    b2dfbb6eb14761517c0376fea844e3e898b4fe05

  • SHA256

    6c74a34552008d0fad98199544cfe3463ae4b783969997206c9503d826006f37

  • SHA512

    4caec1ea40b13e412b74d9ac5f8147fc16b20eb554f457723fc97539b870cb38c750b2125bea19b238a07ab49a44b7394d4a5ad9a6f8d341162c6a4a61d7625a

  • SSDEEP

    3072:3ZlsN/vCtko2SYgnZoRHdrHx5GXBwLWNI3:JlsNJo2ShZoldrPGXB5I3

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cf2698bbd827384c2d80ce7260730dfa_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\cf2698bbd827384c2d80ce7260730dfa_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1408
    • C:\Users\Admin\AppData\Local\Temp\GB4BA-tmp.exe
      C:\Users\Admin\AppData\Local\Temp\GB4BA-tmp.exe http://creatonsoft.com/drv32.data "C:\Users\Admin\AppData\Local\Temp\GB4BB-tmp"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:4680
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\tmp.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4452

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\68XY2BI1\TZY6DJJ6.htm

    Filesize

    1.6MB

    MD5

    e8c0f02e2fe5af6159590d245178cb15

    SHA1

    f890f9721f87fc0e83eba14546fe0232b872dc4f

    SHA256

    393646c4038c1431b332041e68a94a1e085f249b6f0b856d7fbd163c09295e16

    SHA512

    352fc9cfb3aa2636391eb5ec5577ea5fafd3a37af20a781846fa7db5566196b3ad0e7fdd33ffab56949009f9f712d0e3377c47644e71f2186a28deb8cf077033

  • C:\Users\Admin\AppData\Local\Temp\GB4BA-tmp

    Filesize

    149KB

    MD5

    b433088a544ac4f2307108af859da646

    SHA1

    9ef08188ba1a20d2f0cb5a76435de75a11a57c14

    SHA256

    315ae503e54fc45b70f2c0c2567a9f40144f2ac0555f43be3e5106d2ca4da277

    SHA512

    db44bc16d5a97f9df662881070e32dcedf92d40658d42c6fd8b3efe26217100e4ca2b743c5243fd5ac81e98873cf7acad039d6b7de12ed9d13ee2df399166e3e

  • C:\tmp.bat

    Filesize

    50B

    MD5

    01419d91b0883bc354b89a3577c451a1

    SHA1

    7c3911d3d4e2a72610abf4470d39dddd7cb63805

    SHA256

    a54298c6c68619d9b60dea41534fdcc95cbdde5a6e9f8323658e594ee1330ca3

    SHA512

    7f08e25014b313d70c6b443e61f9e795fee3f35358c824a89ecd97809fa9e68fc300ea1607a2d37b0346a54ccaf5e135f7ef885ca15f36543fca747e7aedb700

  • memory/1408-0-0x0000000000400000-0x00000000004A1000-memory.dmp

    Filesize

    644KB

  • memory/1408-35-0x0000000000400000-0x00000000004A1000-memory.dmp

    Filesize

    644KB

  • memory/4680-29-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB