Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13/09/2024, 03:05

General

  • Target

    dd8b1b0b9002f34b6de1ce5795af7044_JaffaCakes118.exe

  • Size

    184KB

  • MD5

    dd8b1b0b9002f34b6de1ce5795af7044

  • SHA1

    21a258520bc8a5752bd301fdc30246e2d7b09cf1

  • SHA256

    49caadac601106fea44e5865d240e71989b737a27968cf07a585cb6aa7b506d5

  • SHA512

    291cdbd385222f9c5569b00446f2288db97a069c56de0f90bbc6e045d8630132a246dc1ce283350ee101a1e9b01a8e6edf4356b637768a0735d433d3b8bf4d28

  • SSDEEP

    3072:6Xj0wZchwJVqMuS4OX0ggDDIotbJKbkrQa:azZ4wzZuS4OXRmDnbJka

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: RenamesItself 2 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dd8b1b0b9002f34b6de1ce5795af7044_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\dd8b1b0b9002f34b6de1ce5795af7044_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2000
    • C:\Users\Admin\AppData\Local\Temp\dd8b1b0b9002f34b6de1ce5795af7044_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\dd8b1b0b9002f34b6de1ce5795af7044_JaffaCakes118.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:1328
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c run.bat
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2276
        • C:\Users\Admin\AppData\Local\Temp\svchost.exe
          svchost.exe
          4⤵
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2040
          • C:\Users\Admin\AppData\Local\Temp\svchost.exe
            "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
            5⤵
            • Checks computer location settings
            • System Location Discovery: System Language Discovery
            • Modifies registry class
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:3124
            • C:\Windows\SysWOW64\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\reg.vbs"
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1088

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\reg.vbs

    Filesize

    292B

    MD5

    344f0e480669a6cfd147877470601f46

    SHA1

    64a32bcf575b29267f4d2f1f834ce9cb12640dec

    SHA256

    258def3e3c6d2f23d29a96209218ba58f40dbe644938452dcfc48fd113a7bea6

    SHA512

    cd06b8630ac28b936a041566a85dde8f1c799f3dae952540f8bd07845d81ec3dae2f58b12866c9e5c6fdc5357d2cf181e87e61da641f6b2bea46f6ffaa7ef700

  • C:\Users\Admin\AppData\Local\Temp\run.bat

    Filesize

    11B

    MD5

    d1c56374fff0243832b8696d133b7861

    SHA1

    f4d236fdec2fd03914189c3b26e5cb0dfea9d761

    SHA256

    8e8eab0b4bfdc35c5f238935b81298e43970ee6818e9629d725297ebf03838a6

    SHA512

    e74cbfc425b9779b79dfb6b53dbf3d1451f9f35a766cc5167932b95c9bdb5288b65f9886fbdf3c3b180bf3a8360bfa1ef577b63e3443cae04b49e7ece433c452

  • memory/1328-2-0x0000000000400000-0x0000000000406000-memory.dmp

    Filesize

    24KB

  • memory/1328-4-0x0000000000400000-0x0000000000406000-memory.dmp

    Filesize

    24KB

  • memory/1328-5-0x0000000000400000-0x0000000000406000-memory.dmp

    Filesize

    24KB

  • memory/1328-9-0x0000000000400000-0x0000000000406000-memory.dmp

    Filesize

    24KB

  • memory/3124-16-0x0000000000400000-0x0000000000406000-memory.dmp

    Filesize

    24KB

  • memory/3124-17-0x0000000000400000-0x0000000000406000-memory.dmp

    Filesize

    24KB

  • memory/3124-15-0x0000000000400000-0x0000000000406000-memory.dmp

    Filesize

    24KB

  • memory/3124-22-0x0000000000400000-0x0000000000406000-memory.dmp

    Filesize

    24KB