Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12/09/2024, 23:17

General

  • Target

    dd38e7b9a3764fe564a710f05298646e_JaffaCakes118.exe

  • Size

    79KB

  • MD5

    dd38e7b9a3764fe564a710f05298646e

  • SHA1

    d063fd94c5baf1ebcf02a02979be3510d145c5f7

  • SHA256

    a87f3f428c1fa5d539aef5569a3ca1a29996ff1c27865e1ca44eabf87ff989c8

  • SHA512

    1404f7c30908c85db2c2fba932f8343dd0f7c16b3a73f458c00d82a73a0569bcc78f423372621f52f90685a7cd5d897c245022e63af16e3afe6b48be707a1dbf

  • SSDEEP

    1536:43Yb9AKP34HazThNuuGOtQaDCB29QkPz2TkqMvd6lM/ZL1lhENNTKtW4rG:iWtAHYhPkWR2bMVBZL/kNTSrG

Score
7/10

Malware Config

Signatures

  • Loads dropped DLL 1 IoCs
  • UPX packed file 1 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 1 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3468
      • C:\Users\Admin\AppData\Local\Temp\dd38e7b9a3764fe564a710f05298646e_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\dd38e7b9a3764fe564a710f05298646e_JaffaCakes118.exe"
        2⤵
        • Loads dropped DLL
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: RenamesItself
        • Suspicious use of WriteProcessMemory
        PID:840

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\IECheck.exe

      Filesize

      79KB

      MD5

      dd38e7b9a3764fe564a710f05298646e

      SHA1

      d063fd94c5baf1ebcf02a02979be3510d145c5f7

      SHA256

      a87f3f428c1fa5d539aef5569a3ca1a29996ff1c27865e1ca44eabf87ff989c8

      SHA512

      1404f7c30908c85db2c2fba932f8343dd0f7c16b3a73f458c00d82a73a0569bcc78f423372621f52f90685a7cd5d897c245022e63af16e3afe6b48be707a1dbf

    • C:\Users\Admin\AppData\Local\msvcr.dll

      Filesize

      113KB

      MD5

      f101416cbd273a25397351f39ed9c475

      SHA1

      c91b089729849947a321d9ab57cb11cbede5583f

      SHA256

      7957b723414195b733bf3de4e9b23b0e5935e3585c0dbf65270eb9a1faa623bc

      SHA512

      36ea3313c75fa290da05055cdcc42ffd03cd8a35470d41d4f7bf7521aec5e4e25c1d5a67ae138cb908c50001b3ef20e59287c204817c4cb9e3ab877333ac03d4

    • C:\Users\Admin\AppData\Local\ws2help.PNF

      Filesize

      79KB

      MD5

      60bf1ba61ae4cc6de846fac3f2a3884f

      SHA1

      24d191936b15b6fb107484e7f3a9a5f1d23f90a9

      SHA256

      8f6c9ab493849b1f991c67be8562ad3f7e3231d14bd63f58228664190577fb9f

      SHA512

      d14f0c3a46ed4ac6f909b699191283806190bd24db7142e14383dd6e3535be2e0eed8e2fbc8201c9904aff831e8bfdcbc6a4ad9fee2ce4441aa72e191ad53c45

    • C:\Windows\INF\1.txt

      Filesize

      48KB

      MD5

      98c499fccb739ab23b75c0d8b98e0481

      SHA1

      0ef5c464823550d5f53dd485e91dabc5d5a1ba0a

      SHA256

      d9d8ce1b86b3978889466ab1b9f46778942d276922bf7533327a493083913087

      SHA512

      9e64ac13e18ab0a518bb85b6612520645b5ab2c9a5359ced943813ba7344714999f25ba0e52240ad2d0c2fefc76552ff43173adc46334ff0b5dba171fb58e4e6

    • memory/840-0-0x0000000000400000-0x000000000042C000-memory.dmp

      Filesize

      176KB

    • memory/840-22-0x0000000000400000-0x000000000042C000-memory.dmp

      Filesize

      176KB