Analysis

  • max time kernel
    95s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13/09/2024, 18:27

General

  • Target
    dea8f56582d91ae4605f7162a006aeae_JaffaCakes118.exe
  • Size
    144KB
  • MD5
    dea8f56582d91ae4605f7162a006aeae
  • SHA1
    96a38ffacfb0ac8a369ce03cffb6c1f2b4893fa6
  • SHA256
    5f60950528295a7885e1241258ea283d44ea9f3960e8b62300e2231f340afd04
  • SHA512
    2ba4e9e84e75828cfa5bbc5d1c0d16b2f308fb5ff4557dc8cee5550701a3f77be6ff6580249872205374c7d8156cb37fba8b7b4df892992508666009bf603b6a
  • SSDEEP
    1536:/fQDBTn64E8RtIacmqWQuGMZ0jkLcDBTn64E8RtIacGDBTn64E8RtIacRjDKyEXd:3QDQ/0cd2jLwrecqOMpV+WR36rHuG

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Drops file in Drivers directory 3 IoCs
  • Executes dropped EXE 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Kills process with taskkill 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dea8f56582d91ae4605f7162a006aeae_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\dea8f56582d91ae4605f7162a006aeae_JaffaCakes118.exe"
    1⤵
    • Drops file in Drivers directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4416
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /im teatimer.exe /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:3488
    • C:\Windows\SysWOW64\drivers\svchost.exe
      C:\Windows\system32\drivers\svchost.exe
      2⤵
      • Modifies WinLogon for persistence
      • Drops file in Drivers directory
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1868
    • C:\Windows\SysWOW64\drivers\Setup.exe
      C:\Windows\system32\drivers\Setup.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1908
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /im teatimer.exe /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1744

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\SysWOW64\drivers\Setup.exe
    Filesize
    48KB
    MD5
    54370209b8485a8652aa0d28f98ebd30
    SHA1
    6c03a3003869bb062e55a428001cb36769869cc0
    SHA256
    4a6f321d2f5ba8803eda2f12d7abf99681d023fe1c4e5677f425136836327526
    SHA512
    085048823e7e250e284b1b9758bbc50d1762c9e33be89501845e48d6c322f63644f4b89ba91fdff85144556af002aee4729eea4ed41cb57461bf449bea151813
  • C:\Windows\SysWOW64\drivers\svchost.exe
    Filesize
    56KB
    MD5
    5c749b6329c23b51ec2010d4769f124e
    SHA1
    63c4b66297efc2807bdb5d37131a552455f0c90a
    SHA256
    cacc67a8acd397c9135876fef7d773ab4c465aa1dee07068eb20ceec358e7e96
    SHA512
    abf0d7a64153f5c3e436524c8196229d074832de76862509d023d7bf2faa84a5b9fa6b2ef7f75d1fdddf4dd0260135730cd3c32dfce200edfd47cffc7a135e1a