Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/09/2024, 21:51

General

  • Target

    db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe

  • Size

    7.6MB

  • MD5

    db4783d98a68a9798aa3c953999e98e4

  • SHA1

    d8c76af371431c7211aff2758e2a2067168e5027

  • SHA256

    7c5050753cbab1d4f72a0ef6ea8c06a68d6ea831ea84c9a8ff70614d3b656e91

  • SHA512

    68fe18c9bb7b04e3cecb6e17f265c6919b740e935a53f8c10740b71c9b096367a335cbb74f312b8a8088d209fd08c49bfa353b0f7b46f13cff397bcfcfce0986

  • SSDEEP

    196608:Ta9+6Y7SOEibgR7ZOfeWKCBoDmpZPzmGP8cGBfWJGBfWzb:TFgR7ZOfeWKCBoC2GuWeW

Malware Config

Signatures

  • Blackmoon, KrBanker

    Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.

  • Detect Blackmoon payload 4 IoCs
  • UAC bypass 3 TTPs 1 IoCs
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • XMRig Miner payload 19 IoCs
  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 12 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs
  • System policy modification 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe"
    1⤵
    • UAC bypass
    • Event Triggered Execution: Image File Execution Options Injection
    • Checks computer location settings
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1896
    • C:\Windows\svchost.exe
      "C:\Windows\svchost.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:3100

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\7-Zip\Uninstall.exe

    Filesize

    7.7MB

    MD5

    c844322b526396c4a584b559f6fd23bc

    SHA1

    7884f3094971b03701ae3e3285fb0442a1c3e3d7

    SHA256

    26112dc8864b6cd83ea7e46226470a9f8dc7a4fde45e89a6a50b999fa5bcf455

    SHA512

    e757941b9720c33a95fe312f6c04842e804e591125d1d00bee3aee0ddf23a44c1de3cc0928ded36700deb8b192e7af95eae33520ab1192a03dee62197ba513af

  • C:\Windows\config.json

    Filesize

    1KB

    MD5

    88c5c5706d2e237422eda18490dc6a59

    SHA1

    bb8d12375f6b995301e756de2ef4fa3a3f6efd39

    SHA256

    4756a234ed3d61fe187d9b6140792e54e7b757545edff82df594a507e528ed8e

    SHA512

    a417270a0d46de5bb06a621c0383c893042a506524713f89ba55567df6e5c3ac8b198bce5a0300ec6e716897bb53fd3e8289a51240157dc743004517673d4ab7

  • C:\Windows\svchost.exe

    Filesize

    833KB

    MD5

    4a87a4d6677558706db4afaeeeb58d20

    SHA1

    7738dc6a459f8415f0265d36c626b48202cd6764

    SHA256

    08b55f9b7dafc53dfc43f7f70cdd7048d231767745b76dc4474370fb323d7ae7

    SHA512

    bedd8ed4975df3fcd4a0f575d6f38e3841e7a4b771baac4f72033102a070818b8539eb101c50563d89d4f3454899a1cedb33047b02e421256dedf9aaf258b594

  • C:\vcredist2010_x86.log.html

    Filesize

    81KB

    MD5

    3ffa93ae5a1cbf76fb9723ed4753344a

    SHA1

    889180d1b48a14882b757684966152fc06bbe332

    SHA256

    c39dffdc4cbf556cba6128827ccde739a6cc53a84c677f37ff2a984f1e226c4c

    SHA512

    305806f724f5caff01f4803a288094ba16c17519724afd98426320c4d6ea1e8962f50c7c81f1dd5bd1fdc816a3d86234c6b1a3b6a9af8f9386687e0d2ab892e7

  • memory/1896-0-0x0000000000400000-0x0000000000619000-memory.dmp

    Filesize

    2.1MB

  • memory/1896-363-0x0000000000400000-0x0000000000619000-memory.dmp

    Filesize

    2.1MB

  • memory/1896-525-0x0000000000400000-0x0000000000619000-memory.dmp

    Filesize

    2.1MB

  • memory/3100-424-0x0000000000400000-0x00000000004DA000-memory.dmp

    Filesize

    872KB

  • memory/3100-389-0x0000000000400000-0x00000000004DA000-memory.dmp

    Filesize

    872KB

  • memory/3100-414-0x0000000000400000-0x00000000004DA000-memory.dmp

    Filesize

    872KB

  • memory/3100-394-0x0000000000400000-0x00000000004DA000-memory.dmp

    Filesize

    872KB

  • memory/3100-425-0x0000000000400000-0x00000000004DA000-memory.dmp

    Filesize

    872KB

  • memory/3100-392-0x0000000000400000-0x00000000004DA000-memory.dmp

    Filesize

    872KB

  • memory/3100-524-0x0000000000400000-0x00000000004DA000-memory.dmp

    Filesize

    872KB

  • memory/3100-413-0x0000000000400000-0x00000000004DA000-memory.dmp

    Filesize

    872KB

  • memory/3100-526-0x0000000000400000-0x00000000004DA000-memory.dmp

    Filesize

    872KB

  • memory/3100-527-0x0000000000400000-0x00000000004DA000-memory.dmp

    Filesize

    872KB

  • memory/3100-528-0x0000000000400000-0x00000000004DA000-memory.dmp

    Filesize

    872KB

  • memory/3100-529-0x0000000000400000-0x00000000004DA000-memory.dmp

    Filesize

    872KB

  • memory/3100-530-0x0000000000400000-0x00000000004DA000-memory.dmp

    Filesize

    872KB

  • memory/3100-531-0x0000000000400000-0x00000000004DA000-memory.dmp

    Filesize

    872KB