Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    141s
  • max time network
    137s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07/09/2024, 01:27

General

  • Target

    d0cbd3cc267eeef814bb93f713d7d5da_JaffaCakes118.exe

  • Size

    201KB

  • MD5

    d0cbd3cc267eeef814bb93f713d7d5da

  • SHA1

    67ac446219b20ac3e6fd24e4acdb2f33e8aa2097

  • SHA256

    dfeed846f1550a7966c8ea06079fd6ab99e094eaed5d3b83ffff097d2d4021b6

  • SHA512

    65588742eebc73ac8ef6ccd6526017fbe524c6a27c641457c64a1755d1ae2ae0798193de7ad151d187f82efd0dc6a82da42903a60660d387aa602f1c4422e47a

  • SSDEEP

    3072:kIatQqMlm/aMawNOud4W+DM8VC9vY7tSx2CYXNouBQkchxyUjoY:OtXMluZiqD9vYpSwCKodhkUjL

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Network Service Discovery 1 TTPs 9 IoCs

    Attempt to gather information on host's network.

  • Drops file in System32 directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d0cbd3cc267eeef814bb93f713d7d5da_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\d0cbd3cc267eeef814bb93f713d7d5da_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1624
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1624 -s 284
      2⤵
      • Program crash
      PID:1188
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c arp -a >%windir%\system32\temp1.txt
      2⤵
      • Network Service Discovery
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:5004
      • C:\Windows\SysWOW64\ARP.EXE
        arp -a
        3⤵
        • Network Service Discovery
        • System Location Discovery: System Language Discovery
        PID:3980
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c arp -a >%windir%\system32\temp2.txt
      2⤵
      • Network Service Discovery
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4512
      • C:\Windows\SysWOW64\ARP.EXE
        arp -a
        3⤵
        • Network Service Discovery
        • System Location Discovery: System Language Discovery
        PID:2144
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c arp -a >%windir%\system32\temp2.txt
      2⤵
      • Network Service Discovery
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4060
      • C:\Windows\SysWOW64\ARP.EXE
        arp -a
        3⤵
        • Network Service Discovery
        • System Location Discovery: System Language Discovery
        PID:844
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c arp -a >%windir%\system32\temp1.txt
      2⤵
      • Network Service Discovery
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      PID:3432
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c arp -a >%windir%\system32\temp2.txt
      2⤵
      • Network Service Discovery
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      PID:1192
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c arp -a >%windir%\system32\temp1.txt
      2⤵
      • Network Service Discovery
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      PID:2508
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1624 -ip 1624
    1⤵
      PID:60

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\SysWOW64\temp1.txt

      Filesize

      551B

      MD5

      703ae12ae7a6e024e9e9ced651889d7d

      SHA1

      eddb3a63ec8100ccde65d0217923da1cd9396c55

      SHA256

      281d10434f1c2d6e47bd1e157146b894f057f8205213667251077930ec45981f

      SHA512

      a7c6ee9fee76ac4522f11261c33f9050d8f6bedd0f4f4510d3d18717d8e354b099c913e6e4d05f3868b9999056fe93c8aa83f66cfea7bc78edbde45cd5746b09

    • memory/1624-0-0x0000000000400000-0x0000000000401000-memory.dmp

      Filesize

      4KB

    • memory/1624-1-0x0000000000400000-0x000000000046DEBA-memory.dmp

      Filesize

      439KB

    • memory/1624-2-0x0000000000400000-0x000000000046DEBA-memory.dmp

      Filesize

      439KB

    • memory/1624-5-0x0000000000400000-0x000000000046DEBA-memory.dmp

      Filesize

      439KB

    • memory/1624-12-0x0000000000400000-0x000000000046DEBA-memory.dmp

      Filesize

      439KB

    • memory/1624-16-0x0000000000400000-0x000000000046DEBA-memory.dmp

      Filesize

      439KB

    • memory/1624-19-0x0000000000400000-0x000000000046DEBA-memory.dmp

      Filesize

      439KB

    • memory/1624-22-0x0000000000400000-0x000000000046DEBA-memory.dmp

      Filesize

      439KB