Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07/09/2024, 03:06

General

  • Target

    d0f2357e4fa18f649e3c5cbf2172e02f_JaffaCakes118.exe

  • Size

    52KB

  • MD5

    d0f2357e4fa18f649e3c5cbf2172e02f

  • SHA1

    8d4686b7ca35a4fb1f30a4afa76036481606e22c

  • SHA256

    d5f1e7b37d09e4b2e00bfb42eb15000455e8f9e2edcbe5bc37836e58613887a7

  • SHA512

    0bd627f26ea8a9f61a17cc759faa1d0f9dfcf678265aaaae30b641c284966d43269b65eb40c88502f81becd1c9d5eb7ffac7ea027b72a850456517bc6da8e428

  • SSDEEP

    768:Q6MDEOgk6guQrhO23k7/9sppE0iKFz89519yFSUKhJJ16c5QSkq6O1v8eYanFnF:gExDPQ9l3ky88x8vTJJ16mQ3Zq8FG1F

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 39 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d0f2357e4fa18f649e3c5cbf2172e02f_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\d0f2357e4fa18f649e3c5cbf2172e02f_JaffaCakes118.exe"
    1⤵
    • Modifies visibility of hidden/system files in Explorer
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4668
    • C:\Windows\SysWOW64\wscript.exe
      "C:\Windows\system32\wscript.exe" "C:\Program Files (x86)\Messenger\messenger.kvh"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1752
    • C:\Windows\SysWOW64\wscript.exe
      "C:\Windows\system32\wscript.exe" "C:\Windows\system32\popwen.vbs"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1492
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" http://www.95081.net/tan.htm
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3032
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3032 CREDAT:17410 /prefetch:2
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2220

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\Messenger\messenger.kvh

    Filesize

    9KB

    MD5

    f6f0362d52bdd28f4facceb819c09f84

    SHA1

    c99ad0e83984d2d2343f55a064dfd82b166b0ce1

    SHA256

    831f7023f584b2f4325e2a42c141197bf343babb6612758ebe8b846d8eb589d4

    SHA512

    f418b1978707b0268d0496359c60c0c884ba75a200fa9ed57745cfea966d37146e791827657c3baf9d8c7a8098a98ae207e9679593113b2dedeb3ad66ffeb1f9

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver4BE9.tmp

    Filesize

    15KB

    MD5

    1a545d0052b581fbb2ab4c52133846bc

    SHA1

    62f3266a9b9925cd6d98658b92adec673cbe3dd3

    SHA256

    557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

    SHA512

    bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\KQ3665LB\suggestions[1].en-US

    Filesize

    17KB

    MD5

    5a34cb996293fde2cb7a4ac89587393a

    SHA1

    3c96c993500690d1a77873cd62bc639b3a10653f

    SHA256

    c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

    SHA512

    e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

  • C:\Windows\SysWOW64\popwen.vbs

    Filesize

    218B

    MD5

    6938ddef8c3a70aa95a1f01c69f45ba4

    SHA1

    36cb5f5bea112e983587d0ddf5f7aaf3be3b4f4c

    SHA256

    bc677ccea9a040710ed88ed3fcefadd73a931ec6750d7366a330329f95f95c46

    SHA512

    0cac9e72295d2a23965f9c18b5ddd948df205e7babd704c77ce3b60bef6cecee5c1e3d5f76de00abc9ca029e58a493421c3e31f18f8d71d59c770e3e90c0b725