Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
100s -
max time network
105s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
15/09/2024, 06:39
General
-
Target
e1e8346ff1d31ae330cb44c91541cd5a_JaffaCakes118.exe
-
Size
11.4MB
-
MD5
e1e8346ff1d31ae330cb44c91541cd5a
-
SHA1
6c798b54cc3d1291f0b8295e9283d4a0475876ad
-
SHA256
0f11eb03b72c4111f98ddbde874a09707e663ed3b420b0faa23e66042f37fceb
-
SHA512
ea915a3a2ae8bae8b306208dc26bd4fea480730b0f6070638f8457a6badb954192ea7ec7ed23c21d40359e423bdf3acc15c28dc531b62ca1ad5fc81ab705111f
-
SSDEEP
196608:UTwx42RPPBdebEm1iWWHc1SUX6apg3ZhncrJPm59vzgO8L1vsqFRUo7t/IbsCTMs:UaRPiGWW8sUtu/Am5q91vsqFRn5AACTN
Malware Config
Signatures
-
Enumerates VirtualBox registry keys 2 TTPs 5 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 6 IoCs
-
Loads dropped DLL 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Checks system information in the registry 2 TTPs 1 IoCs
System information is often read in order to detect sandboxing environments.
-
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies data under HKEY_USERS 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of FindShellTrayWindow 3 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\e1e8346ff1d31ae330cb44c91541cd5a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e1e8346ff1d31ae330cb44c91541cd5a_JaffaCakes118.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\92AB.tmp"C:\Users\Admin\AppData\Local\Temp\92AB.tmp"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\93A5.tmp"C:\Users\Admin\AppData\Local\Temp\93A5.tmp"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\93A5.tmp"C:\Users\Admin\AppData\Local\Temp\93A5.tmp" /test4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\93A5.tmp"C:\Users\Admin\AppData\Local\Temp\93A5.tmp" /restart /util4⤵
- Enumerates VirtualBox registry keys
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Looks for VirtualBox Guest Additions in registry
- Checks BIOS information in registry
- Executes dropped EXE
- Checks system information in the registry
- Checks for VirtualBox DLLs, possible anti-VM trick
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\93D5.tmp"C:\Users\Admin\AppData\Local\Temp\93D5.tmp" "install"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Local\Temp\93D5.tmp"C:\Users\Admin\AppData\Local\Temp\93D5.tmp" run1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
476KB
MD5bb094f254599a26547a3484e35a29482
SHA18b618de226450871b02e7788a5673512157db5ce
SHA256f845f1859bea42f1d9c6205344eb557296042296745cb8f7e0adbe9d652928f7
SHA5124b1d9c01847293aa99d0fa585788efdd4fb053461a4ce8ea1a20ace661a9bccba6a2265eeb7f06cc552941a530981b883bb6079131c8787a7427fc966fec06e1
-
Filesize
445B
MD5d5180d4557b08cd31ed9758722bea039
SHA18d699db057625d887fb465edaea8af08f9c62255
SHA256a8a5db6a3b541cd704d8c4aceeeaa16b147d0cbcfd8c97e59d434d1c0522b1f7
SHA51211439f5d492729d662576dfbfeaa7c7e5a7d796271442b31e928b27e305f81b761d0f1c0cb85bb2e0f91cb8dbce1456a687559584b5eb1db0403cb3382f02cef
-
Filesize
11.0MB
MD560647b7c7b5645fd43bfaee784becd67
SHA1efb89b51296c016fd482f20bfe68895644caab18
SHA25645909a961618e850f0a737995c2d71760453abc9040e72965fe1816dc15cc390
SHA512a384cf75dd29e7b2c89d00632447cd4726f875a6a8b91ee8bc31bbccb77bffed120fc96e4898491bacbb62f1141ab93c41d7fecfce3771c6a28d6ac3a43a03a1
-
Filesize
10.3MB
MD59cff02c5ee349922b08481ef0e786401
SHA1a5c90378fe2581f8a69a7d6f11b8283d452562ab
SHA256df8aa536fac28254bec6f2083337d0a0f1e10e132f35c119eedb925b02792474
SHA512979484f010481d69cc8ad89ec183baeae4fa63414e0896a36c043ebad374780debcbe591b9342c764c089b400237d52a3d94658e6f72c9fee99476aee0daaf87
-
Filesize
5.9MB
MD5d7ebb78bf1f0e4a8278b2d63013b1134
SHA1498b315dcba9bf4403d6748be61453d5d8991b61
SHA256c5a685088c44b1fbd01f49587af753b6a0f8f793de8d3b3d7e170574fef27ba8
SHA512ead20a19b5262ce34f13bae9c9d1082ce5bf740759ea82042d83600094e38de7aea87d7533fdd7660369ec5bb8549e107aff562fa477711515eb9c15c9c93312
-
Filesize
324KB
MD5bf9f6045d47dd87ae6d41fc7b5485506
SHA1462184bdd3c143f70ff7e9553966cb3d63b7cd12
SHA256f4cc03a26f2d13a41a86da8629b5d5c80a9ea586b6ba044e952b1972ab013440
SHA512bce57892b7cc2f44dae9eed0113530775f64e16d2846e6f08b10d76b9829e0885a94d816bf84d20ee5751ae3d3c536b6a9e6a75b4f95197d6317b032a839b605
-
Filesize
49KB
MD5abee4387ab69da821ed9397cc651597d
SHA15d14f4afdbe15448bf884b528ffffab874f920a7
SHA256ac1dfd38d2fa61e28211e196cd3d754f6ccfb220e8c1beba52e54825cf615e22
SHA512e014294cb60b66bd259f4a6ce262fc9eca30a30e7674dae178dbac6132ba464120e5d1076ee81c1210a2f42f819d94373733172cef9fda77c9effb4eed53a904
-
Filesize
5.0MB
MD59d23e2946b37a886dd9b5ce146cdd280
SHA1ac82352e5ef3988dd53403a9552bf9c4bc5162d3
SHA2569fabfffee8ef815f6e0f34c8909597ddf360ebff061151f18365202b774ceb20
SHA512872951f7ed72422e05e5957ab7bd274fdae2fba465b3177bba4b0dd1f1c7b047d7684977f7ad51fa79dd98b30b30dc6e52eac424798c31ae0e0fe31961b682a5
-
Filesize
1KB
MD588d3df8977c38d2fd174fa741411fe08
SHA1ec9f0337a24f7c9ef56771bad1ac5e08a2aa603d
SHA256fcf3870d0953e38f9b369e68379110332626d64502c3e2241e60e77c2045f848
SHA5123b965973149305f5a1e9f6f41d86adc93efdb6699ee048fa468b6ce766d58e2406c904d2b8d43a642aa4a344280cde29da9d3817c3cddb914c73505b8bd721bc
-
Filesize
127KB
MD5df8c626474a73ab7a8b511655597c7c4
SHA15de28f387ea88553d195d1978286d43c33231969
SHA256723091ba5a1b8e65164075516d69c00c71225c6dde61ffc32dd4047803ab42b5
SHA512c8f7d1577cb70610c40b96c835faca6b916c4924b5061351c8a67287567556b2014efb7c73cdcc4fb6533829541cd0264b8a9e428d3c572e29c06b0d96633d59
-
Filesize
10.3MB