Analysis
- max time kernel: 95s
- max time network: 103s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09/09/2024, 01:11
Static task: static1
Behavioral task: behavioral1
- Sample: d56c09920c412be82326510102b13831_JaffaCakes118.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: d56c09920c412be82326510102b13831_JaffaCakes118.exe
- Resource: win10v2004-20240802-en
General
- Target: d56c09920c412be82326510102b13831_JaffaCakes118.exe
- Size: 62KB
- MD5: d56c09920c412be82326510102b13831
- SHA1: 0accf58a9853c76ebae10e6062c76de82c6c14fd
- SHA256: da8f1e3620bfbfa400f621b29dfbcbbdcd1aec1241c77a812a8b81a233decbff
- SHA512: 73c70a6bf2498f22732969d1c6236617c41272c4020f98a9b659790310ab8acbb8f897b8e74ff86e49457180cf2acac71dd4f5b835a1e371489b0ab863b7e797
- SSDEEP: 768:PM+xFHEzbSrqS+ekwmhmMCvg5soK37VFIETDn4tXU:PXxFMGgw+AoOoKLVN4
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid 1596 | process msdtc.exe
- Loads dropped DLL (2 IoCs)
  pid 1468 | process iexplore.exe
  pid 1468 | process iexplore.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str) | ioc: \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\start = "C:\\Users\\Admin\\AppData\\Local\\msdtc.exe -installkys" | process: msdtc.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened | ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | process: d56c09920c412be82326510102b13831_JaffaCakes118.exe
  description: Key opened | ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | process: msdtc.exe
  description: Key opened | ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | process: iexplore.exe
  description: Key opened | ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | process: cmd.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: SeIncBasePriorityPrivilege | pid 1856 | process d56c09920c412be82326510102b13831_JaffaCakes118.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid 1856 | process d56c09920c412be82326510102b13831_JaffaCakes118.exe
  pid 1856 | process d56c09920c412be82326510102b13831_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
  description | pid | process | procid_target
  PID 1856 wrote to memory of 1596 | 1856 | d56c09920c412be82326510102b13831_JaffaCakes118.exe | 83
  PID 1856 wrote to memory of 1596 | 1856 | d56c09920c412be82326510102b13831_JaffaCakes118.exe | 83
  PID 1856 wrote to memory of 1596 | 1856 | d56c09920c412be82326510102b13831_JaffaCakes118.exe | 83
  PID 1596 wrote to memory of 1468 | 1596 | msdtc.exe | 84
  PID 1596 wrote to memory of 1468 | 1596 | msdtc.exe | 84
  PID 1596 wrote to memory of 1468 | 1596 | msdtc.exe | 84
  PID 1596 wrote to memory of 1468 | 1596 | msdtc.exe | 84
  PID 1856 wrote to memory of 3436 | 1856 | d56c09920c412be82326510102b13831_JaffaCakes118.exe | 92
  PID 1856 wrote to memory of 3436 | 1856 | d56c09920c412be82326510102b13831_JaffaCakes118.exe | 92
  PID 1856 wrote to memory of 3436 | 1856 | d56c09920c412be82326510102b13831_JaffaCakes118.exe | 92
Processes
1. C:\Users\Admin\AppData\Local\Temp\d56c09920c412be82326510102b13831_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\d56c09920c412be82326510102b13831_JaffaCakes118.exe"
   - System Location Discovery: System Language Discovery
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   PID: 1856
   2. C:\Users\Admin\AppData\Local\msdtc.exe
      Command line: C:\Users\Admin\AppData\Local\msdtc.exe -installkys
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 1596
      3. C:\Program Files (x86)\Internet Explorer\iexplore.exe
         Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
         - Loads dropped DLL
         - System Location Discovery: System Language Discovery
         PID: 1468
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\D56C09~1.EXE > nul
      - System Location Discovery: System Language Discovery
      PID: 3436
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 30KB
  MD5: e5ef91088796762966e19b641dd9f21d
  SHA1: 8cb62e75e1fa48d235ae21fd2df9c7b22420b449
  SHA256: 1c06f8e4b61a3ee47a081136bae05410ce5166abc2d5afcd419739c85b689a6b
  SHA512: 9ada1790d6adfc906af798027984d986f6ce4d497748f743d421b8074319ea485b810a52aa1837d76aff98386b0b6147be33a2770ce5f275025e76eba7c205f7
- Filesize: 4KB
  MD5: ffcba8c18e163d70479c454c89fb0a00
  SHA1: 86a787f30f020bc1ef28c536e4117e8637dc9fec
  SHA256: 08311599844aa14b0fef841e1ec507623a9726bcf08de43beab0ded4c16f8f30
  SHA512: 8ff1bb102e723eee0cc11d589c23e4d6fa0972d8c0231951813e1413c24ee65929c904bce2dbd722cd3bfb3e587b57fc48b1e07df3cf744101f41c0ec11fe040