Analysis

  • max time kernel
    147s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
  • submitted
    12/09/2024, 06:44

General

  • Target

    dc01df3c40cb4fb0bef448693475ea1b_JaffaCakes118.exe

  • Size

    80KB

  • MD5

    dc01df3c40cb4fb0bef448693475ea1b

  • SHA1

    a81ba37cce6201f5ad4d256c1eac55976cbdb5ac

  • SHA256

    422ba6dae6752430a2e52e1efb327f277e912ce551f9f1408ee6ab13ebf3717a

  • SHA512

    9160928492dd4ec28bb00fd00657cd05d104f4e4938dbf25f2acc65a5a0b0280a67a503e58713191a8b95709bdd2fd47439f61529733c7242792c59141359e29

  • SSDEEP

    768:DAbj35jVq5PIZtsUD0oc75LXf+Dmu0+zaEMv38S/A6yM+tX/1M5F0knS3qXxDTgP:Eju5gQqhYf8m2aImH1m0uAB24CjFlKE

Malware Config

Signatures

  • Drops startup file 4 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of FindShellTrayWindow 8 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of SetWindowsHookEx 20 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dc01df3c40cb4fb0bef448693475ea1b_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\dc01df3c40cb4fb0bef448693475ea1b_JaffaCakes118.exe"
    1⤵
    • Drops startup file
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1064
    • C:\Users\Admin\AppData\Local\Temp\netmgr.exe
      "C:\Users\Admin\AppData\Local\Temp\netmgr.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:4372
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        -nohome
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4460
        • C:\Program Files\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:5048
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5048 CREDAT:17410 /prefetch:2
            5⤵
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:2936
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        -nohome
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1528
        • C:\Program Files\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2272
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2272 CREDAT:17410 /prefetch:2
            5⤵
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:4396
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        -nohome
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4876
        • C:\Program Files\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2000
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2000 CREDAT:17410 /prefetch:2
            5⤵
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:2184
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        -nohome
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1152
        • C:\Program Files\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3944
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3944 CREDAT:17410 /prefetch:2
            5⤵
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:1900
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\dc01df3c40cb4fb0bef448693475ea1b_JaffaCakes118.exe
      2⤵
      • System Location Discovery: System Language Discovery
      PID:956

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

    Filesize

    471B

    MD5

    5f81c2f0e32c339ad20a7b38cb5b684b

    SHA1

    4196d08225494b3da7819301cac57f3618ef8aa7

    SHA256

    f1465c392ed09e095c9ed94934a546cd13bcf3c2f5fcd669bb58fb1475fc3b39

    SHA512

    fff25d77166243ec1c5e029ca5c51b605228e6faebbc08834c3bc9c1042f14596c062e9ab9f9cc6567f5ba3bb0679a4fc833704fbef0c91a1461bc005d4bf19b

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

    Filesize

    404B

    MD5

    e8356122a72dbbbf2d2837f2ac068b49

    SHA1

    02e7829fef15e387c3c352494d2e326d6c12c2dd

    SHA256

    a81b7834e05496ced29b2d2f2848241c2445db502f393250d2d4b8444cd68a72

    SHA512

    d5ba35e45a94e0a91eddb299aba6cd0ac42a54a922162de5c66f4c57c5055f6b6383b2f9bd1da11c41da0fb9dace5718b81ea000c855326e3f235a7b3c329e10

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{8CF2FF97-70D2-11EF-9912-EEE1DD5A0987}.dat

    Filesize

    5KB

    MD5

    52438b446e55238e2ed47f47491ea839

    SHA1

    6c1bb7163fa73107c7056dc044177338e8edd228

    SHA256

    b18bed856aea88d08a0ad9d6a807c0ba65e4ed03e787bc5e9305abe3015fabeb

    SHA512

    7847688cd4cbcd03762c8eb4fa9b400a65c8ab95585a3ea453fe853f6b7786bd9b39cdecd86a1b2d4ca06a88d95b3ef32420a7759345b4fc5e71b327667ed589

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{8FE92B6E-70D2-11EF-9912-EEE1DD5A0987}.dat

    Filesize

    5KB

    MD5

    f6e7b0681c1e9d371f32a2dabd87935c

    SHA1

    411b72a52dee442949d826e0323f7037575eaa60

    SHA256

    a1943e92242cd503c765bc1fb5054dad80d1b15aee812a3c9f3b630b4cbd8e6d

    SHA512

    b03fcd7e68f683c75681e2a7b47d921193e4dc20a646249f378ef273fa5820492fc265540ba93f3693ebc07e150bc3fcded2b1ee8e81c376b0db3bcd8e2038ef

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{8FE92B6E-70D2-11EF-9912-EEE1DD5A0987}.dat

    Filesize

    4KB

    MD5

    cd831bec1404de9cfd8dc07ce2c2a00d

    SHA1

    1df2f3c35b2631377eeedc170024fdfbbf2329b5

    SHA256

    5f660923929bf8fe7cc5aaf943ed50c7b889354aba88b4d3c1f1eb88893546be

    SHA512

    f6af4558c6ab2a0b98f7e38da4e3166de19accedfece4afa8c5a664dc2f2c3d8da15464492bce83b88b281235684a061d645e56e17d0e79e06a83265629d6dcb

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\4329235D\suggestions[1].en-US

    Filesize

    17KB

    MD5

    5a34cb996293fde2cb7a4ac89587393a

    SHA1

    3c96c993500690d1a77873cd62bc639b3a10653f

    SHA256

    c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

    SHA512

    e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

  • C:\Users\Admin\AppData\Local\Temp\netmgr.dll

    Filesize

    49KB

    MD5

    d24fa8bc709ada9af8d4d755c132290f

    SHA1

    6dbe09062fd25a7c05002bf72ca86da35777b47d

    SHA256

    9a62e435a04486c6acafd602f782cf1ed0ac65a0159c6c47ed4fad996c1799ff

    SHA512

    6386ee31f577ccedc3fc50a6224f07c10fd0a019eac8c8de940c46a7ca56386527678ddfe080f59cf33ce44974273f8e93e1f65a680af1ed55a56f3c4cb26ee2

  • C:\Users\Admin\AppData\Local\Temp\netmgr.exe

    Filesize

    16KB

    MD5

    ff04126a5d61a10c81bfd0a6d0a643d0

    SHA1

    ffab0d227b67c60de19af0f3b3b05c7e6fa7eedc

    SHA256

    5a9d84792a06b3d2037f567e0f57781722a950d485854cf5e4042cbdd51d82af

    SHA512

    d22771de0ca11e2efcdcbebae6de8fbc4865a45a3e3aff8eafab8da2fc75dab8a1256ae62ed7463d039c4fe045d4f9d6e161b5fc225583334750f9613199cd56

  • C:\Users\Admin\AppData\Local\Temp\perf2012.ini

    Filesize

    145B

    MD5

    3404edfd6310bca1c2e0b3d49281b267

    SHA1

    e845182b7ef9d7dda499ce5806401b8e063ed7fc

    SHA256

    8330f32dff8de2a6d6bd38a3b4081ab7bc8aea3595b2ee6382c93c93ea571c60

    SHA512

    89c8af65e3d6b1a4932ab77c851489e4a39109c559caac92506dd84b78a354d101e32fe16e8828ed22260a90b3b3df613cff0c20cc51e10205dfb1e9b3ee870f