Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13/09/2024, 21:48

General

  • Target

    def612ad0554006378f185d3b56efb57_JaffaCakes118.exe

  • Size

    148KB

  • MD5

    def612ad0554006378f185d3b56efb57

  • SHA1

    b27ea28e772fbc6b7f80b75b2ba6d32b39d6f256

  • SHA256

    219423a32336987838bea44a471fe02700e2e74ba4c98ebb41512b7bc15e0c32

  • SHA512

    5ebc664726aad811d6f91de8c7d355b312799e39e69af5218de0eda7d6696c5f1c025737c87c7bda0b22883425fd808770592c9bd7a3f39e759c5dbc46f14f9e

  • SSDEEP

    1536:OjLzLxke+a6vLZqyMe6Gfo84U0taH3DfBTF7kK3RmkdumKlT4j0wEwVAcEDKgf:oxka6gGfoucaH3VBmkduXl8+wVAcw/

Score
7/10

Malware Config

Signatures

  • Drops startup file (4 IoCs)
  • Executes dropped EXE (1 IoC)
  • Loads dropped DLL (1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTP, 10 IoCs)

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings (1 TTP, 64 IoCs)
  • Suspicious behavior: EnumeratesProcesses (6 IoCs)
  • Suspicious use of FindShellTrayWindow (7 IoCs)
  • Suspicious use of SendNotifyMessage (3 IoCs)
  • Suspicious use of SetWindowsHookEx (20 IoCs)
  • Suspicious use of WriteProcessMemory (35 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\def612ad0554006378f185d3b56efb57_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\def612ad0554006378f185d3b56efb57_JaffaCakes118.exe"
    1⤵
    • Drops startup file
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3880
    • C:\Users\Admin\AppData\Local\Temp\netmgr.exe
      "C:\Users\Admin\AppData\Local\Temp\netmgr.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:4756
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        -nohome
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3692
        • C:\Program Files\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4748
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4748 CREDAT:17410 /prefetch:2
            5⤵
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:5084
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        -nohome
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2344
        • C:\Program Files\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:220
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:220 CREDAT:17410 /prefetch:2
            5⤵
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:1812
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        -nohome
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4548
        • C:\Program Files\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4704
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4704 CREDAT:17410 /prefetch:2
            5⤵
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:2832
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        -nohome
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3024
        • C:\Program Files\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4852
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4852 CREDAT:17410 /prefetch:2
            5⤵
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:1576
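
The process tree above is the most useful part of this report for a responder: the submitted sample drops and runs netmgr.exe from the user's Temp directory, and netmgr.exe then starts iexplore.exe with -nohome four times, each launch producing the usual IE frame process and a tab process whose SCODEF:<pid> argument names the frame process that owns it. The Python below is an added example, not part of the Triage report and not the sample's code. It rebuilds that tree from a constructed event list (PIDs, images and command lines taken from the report; the root's parent PID is not in the report and is set to 0) and applies three checks a practitioner would run over real process-creation telemetry: a Temp executable started by another Temp executable (the "Executes dropped EXE" pattern), a browser started directly by a Temp executable, and a consistency check that each SCODEF value matches the recorded parent PID. The rule names, the choice of Temp as the drop directory and the benign control events are this example's own assumptions.

```python
"""Rebuild a sandbox process tree and flag the dropper -> dropped EXE -> browser chain.

Added example, not part of the Triage report.  EVENTS is constructed from the
PIDs and command lines in the report's process tree; BENIGN is a constructed
control case.  Rule names and the Temp drop directory are assumptions.
"""
import re

TEMP_DIR = r"c:\users\admin\appdata\local\temp"   # user-writable drop directory (assumption)
BROWSER_NAMES = {"iexplore.exe"}                   # extend for other browsers as needed

DROPPER = r"C:\Users\Admin\AppData\Local\Temp\def612ad0554006378f185d3b56efb57_JaffaCakes118.exe"
NETMGR = r"C:\Users\Admin\AppData\Local\Temp\netmgr.exe"
IE32 = r"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
IE32_TAB = r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"
IE64 = r"C:\Program Files\Internet Explorer\IEXPLORE.EXE"


def ie_chain(top_pid, frame_pid, tab_pid, parent):
    """One 'iexplore.exe -nohome' launch plus its frame and tab children, as in the report."""
    return [
        (top_pid, parent, IE32, "-nohome"),
        (frame_pid, top_pid, IE64, f'"{IE64}" -nohome'),
        (tab_pid, frame_pid, IE32_TAB, f'"{IE32_TAB}" SCODEF:{frame_pid} CREDAT:17410 /prefetch:2'),
    ]


# (pid, ppid, image, command line) - constructed from the report's process tree
EVENTS = [
    (3880, 0, DROPPER, f'"{DROPPER}"'),
    (4756, 3880, NETMGR, f'"{NETMGR}"'),
    *ie_chain(3692, 4748, 5084, parent=4756),
    *ie_chain(2344, 220, 1812, parent=4756),
    *ie_chain(4548, 4704, 2832, parent=4756),
    *ie_chain(3024, 4852, 1576, parent=4756),
]

# Constructed control case: the shell starting the browser normally should not fire.
BENIGN = [
    (1000, 0, r"C:\Windows\explorer.exe", "explorer.exe"),
    (1001, 1000, IE32, f'"{IE32}"'),
]


def build_tree(events):
    """Index events by pid and attach child lists; a parent absent from the feed is tolerated."""
    tree = {pid: {"pid": pid, "ppid": ppid, "image": image, "cmdline": cmdline, "children": []}
            for pid, ppid, image, cmdline in events}
    for node in tree.values():
        parent = tree.get(node["ppid"])
        if parent:
            parent["children"].append(node["pid"])
    return tree


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def in_temp(path):
    return path.lower().startswith(TEMP_DIR + "\\")


def find_dropped_executions(tree):
    """Temp executable started by another Temp executable: the dropper -> dropped EXE pattern."""
    hits = []
    for node in tree.values():
        parent = tree.get(node["ppid"])
        if parent and in_temp(node["image"]) and in_temp(parent["image"]):
            hits.append((parent["pid"], node["pid"]))
    return sorted(hits)


def find_browser_launches(tree):
    """Browser started directly by a Temp executable. Returns {pid: launched with -nohome}."""
    hits = {}
    for node in tree.values():
        parent = tree.get(node["ppid"])
        if parent and basename(node["image"]) in BROWSER_NAMES and in_temp(parent["image"]):
            hits[node["pid"]] = "-nohome" in node["cmdline"].lower()
    return hits


SCODEF_RE = re.compile(r"\bSCODEF:(\d+)")


def check_scodef(tree):
    """IE tab processes carry SCODEF:<frame pid>; a value that does not match the recorded
    parent PID points at a spoofed parent or broken telemetry. Returns (pid, claimed, ppid, ok)."""
    out = []
    for node in tree.values():
        m = SCODEF_RE.search(node["cmdline"])
        if m:
            claimed = int(m.group(1))
            out.append((node["pid"], claimed, node["ppid"], claimed == node["ppid"]))
    return sorted(out)


def analyze(events):
    tree = build_tree(events)
    return {
        "dropped_exec": find_dropped_executions(tree),
        "browser_launches": find_browser_launches(tree),
        "scodef": check_scodef(tree),
    }


if __name__ == "__main__":
    for name, finding in analyze(EVENTS).items():
        print(name, finding)
```

On the report's data this yields one dropped-EXE execution (3880 -> 4756), four browser launches from netmgr.exe (PIDs 3692, 2344, 4548, 3024, all with -nohome) and four SCODEF values that agree with their parents; the control case yields nothing. The browser rule deliberately keys on the direct parent rather than any Temp ancestor, so the frame and tab children are attributed to the launch that created them instead of being counted as twelve separate alerts.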

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

    Filesize

    471B

    MD5

    84231e6b703a4b64fa601076af9e016a

    SHA1

    210e330be937e617085d28bf356c990a49dce0a5

    SHA256

    e10b7b5f4f3291d340cebafd2d87bbec8689ffb1750a813a2887b6cd31ce61b3

    SHA512

    e13fcb1e344dbd4cd9429faa51f61615ce602908e3eabb7ae9190e745f38747b62b563ca9c0c71abecff1fc398afd2652d32ec37511061d2dff2356aaad0b8d4

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

    Filesize

    404B

    MD5

    08fa9edcfc0d02fd7897650346fab066

    SHA1

    4ab043de647b92bdfdd862f3e313d5af83bd74ca

    SHA256

    56048545e1ac16480492ebe593762864579aba3482af998d0c8a324e190f54ad

    SHA512

    da912b03636cdd7d530a43ece67c12086698f0bbe0bc6c8f429c88d566e8297645fe4bd07707e7450b805369a08609927e2f0765eb6c450060cc70fbfefcef4e

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{F0A37D4A-7219-11EF-BFD9-6ADB259EA846}.dat

    Filesize

    5KB

    MD5

    9bbf6398eca4267c18a364a4194c3232

    SHA1

    d8ab28ac036a3f5b17ec3d79d092b7b01e49a3a4

    SHA256

    c4a4d18f3918b5ff11ac2ae9a5483a0f9dde77e59dc553f8a92208074e85e505

    SHA512

    9aab43fabeb31e24f9542e53b2fe19c9d17c6139cb984e04adab85dccc3c2c3fda632a22e8942aa5ec019c51957d3490e6778164e2e63fefb7cfd15e867124b5

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{F4776410-7219-11EF-BFD9-6ADB259EA846}.dat

    Filesize

    5KB

    MD5

    4e5d5dae379a097ef82ede202a8dadc9

    SHA1

    65f2b9269db937f8f76fe3a228c75bb4b83ac86d

    SHA256

    c844ce46bfa61c6dea7dfbdad602a687c1693dffe2691bbd7dedb8b6118f00ae

    SHA512

    e24a01d401f084d5389f59693c06ef2e5a6f98711d17375003f8de9bc5adcc939854786211bd4eb76872ffc3e6137a6971716b301a62ea5f0c74164c0bdaca66

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{F4776410-7219-11EF-BFD9-6ADB259EA846}.dat

    Filesize

    4KB

    MD5

    c09fa684accf27ff7d9e359838b03cd2

    SHA1

    7e9fa32a00fde26fca34c99efff3c40f9d46f9d5

    SHA256

    0f2fbab8113fc1820f3c93201274f642cede29e6b23eccc5ec8b23b1122d73d9

    SHA512

    1c9c48a185975fede96c78b5219fc610710c489dabb6c464ab607e4c90b316ab80ca40123d89e297b49d0035f920e7909381c3052320cae822a90e46ff5eda5b

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver3EBA.tmp

    Filesize

    15KB

    MD5

    1a545d0052b581fbb2ab4c52133846bc

    SHA1

    62f3266a9b9925cd6d98658b92adec673cbe3dd3

    SHA256

    557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

    SHA512

    bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\WLXU5DI6\suggestions[1].en-US

    Filesize

    17KB

    MD5

    5a34cb996293fde2cb7a4ac89587393a

    SHA1

    3c96c993500690d1a77873cd62bc639b3a10653f

    SHA256

    c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

    SHA512

    e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

  • C:\Users\Admin\AppData\Local\Temp\netmgr.dll

    Filesize

    96KB

    MD5

    c0c093987a55fe9ac61e6e2b5a362d51

    SHA1

    52126b81560e3319518c50058c86a8c5fce0d3d1

    SHA256

    5c7d07858c7d01156a7f624d86b16e948a4630a2388d0c3cc1be86bd95f4858e

    SHA512

    716e9dc694a1544be5730cc8b82a4a73d4f8763408c80fe38a61d66cc201d9cc440510b036dfb49d2b1353b827a7628c389e833678860e358c72951deea1c7ec

  • C:\Users\Admin\AppData\Local\Temp\netmgr.exe

    Filesize

    20KB

    MD5

    4968882f189236952fd38a11586b395a

    SHA1

    1e9838e98b25619d9680854a6bd2418e044e52e5

    SHA256

    e917d277ce6d27e9740fede690f7bd810e99c0757ae4226cb30f8227c6b30b43

    SHA512

    3164a7d5fdbf3abc67caa56f974ad74d87059620d42ce6a656ede0480cf5a8d2fb87dd2fd3ba247409376437267af8b6388a78f3fbd67b42517ac0f2b4d13ef6

  • C:\Users\Admin\AppData\Local\Temp\perf2012.ini

    Filesize

    138B

    MD5

    1b084b39bb267c7265f99bbf76c58b9d

    SHA1

    85abcded0afb763acaa24801236fa58bc2a2b740

    SHA256

    ceb3ff7139c7ab61399b932bb6a98746f367b6ae1304062cf8fa61dc66a1909e

    SHA512

    b986a1800fab0f9091ff174c318284097639bee155576976114820cdd7f8543dc0a3c3990be22f38d8d571d11adf6f8a0248e142b205bb5ac7077e481fc39406