Analysis

  • max time kernel
    95s
  • max time network
    103s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09/09/2024, 01:11

General

  • Target

    d56c09920c412be82326510102b13831_JaffaCakes118.exe

  • Size

    62KB

  • MD5

    d56c09920c412be82326510102b13831

  • SHA1

    0accf58a9853c76ebae10e6062c76de82c6c14fd

  • SHA256

    da8f1e3620bfbfa400f621b29dfbcbbdcd1aec1241c77a812a8b81a233decbff

  • SHA512

    73c70a6bf2498f22732969d1c6236617c41272c4020f98a9b659790310ab8acbb8f897b8e74ff86e49457180cf2acac71dd4f5b835a1e371489b0ab863b7e797

  • SSDEEP

    768:PM+xFHEzbSrqS+ekwmhmMCvg5soK37VFIETDn4tXU:PXxFMGgw+AoOoKLVN4

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d56c09920c412be82326510102b13831_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\d56c09920c412be82326510102b13831_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1856
    • C:\Users\Admin\AppData\Local\msdtc.exe
      C:\Users\Admin\AppData\Local\msdtc.exe -installkys
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1596
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:1468
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\D56C09~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3436

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\WSE4EF1.TMP

    Filesize

    30KB

    MD5

    e5ef91088796762966e19b641dd9f21d

    SHA1

    8cb62e75e1fa48d235ae21fd2df9c7b22420b449

    SHA256

    1c06f8e4b61a3ee47a081136bae05410ce5166abc2d5afcd419739c85b689a6b

    SHA512

    9ada1790d6adfc906af798027984d986f6ce4d497748f743d421b8074319ea485b810a52aa1837d76aff98386b0b6147be33a2770ce5f275025e76eba7c205f7

  • C:\Users\Admin\AppData\Local\msdtc.exe

    Filesize

    4KB

    MD5

    ffcba8c18e163d70479c454c89fb0a00

    SHA1

    86a787f30f020bc1ef28c536e4117e8637dc9fec

    SHA256

    08311599844aa14b0fef841e1ec507623a9726bcf08de43beab0ded4c16f8f30

    SHA512

    8ff1bb102e723eee0cc11d589c23e4d6fa0972d8c0231951813e1413c24ee65929c904bce2dbd722cd3bfb3e587b57fc48b1e07df3cf744101f41c0ec11fe040