Analysis

  • max time kernel
    100s
  • max time network
    105s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    15/09/2024, 06:39

General

  • Target

    e1e8346ff1d31ae330cb44c91541cd5a_JaffaCakes118.exe

  • Size

    11.4MB

  • MD5

    e1e8346ff1d31ae330cb44c91541cd5a

  • SHA1

    6c798b54cc3d1291f0b8295e9283d4a0475876ad

  • SHA256

    0f11eb03b72c4111f98ddbde874a09707e663ed3b420b0faa23e66042f37fceb

  • SHA512

    ea915a3a2ae8bae8b306208dc26bd4fea480730b0f6070638f8457a6badb954192ea7ec7ed23c21d40359e423bdf3acc15c28dc531b62ca1ad5fc81ab705111f

  • SSDEEP

    196608:UTwx42RPPBdebEm1iWWHc1SUX6apg3ZhncrJPm59vzgO8L1vsqFRUo7t/IbsCTMs:UaRPiGWW8sUtu/Am5q91vsqFRn5AACTN

Malware Config

Signatures

  • Enumerates VirtualBox registry keys 2 TTPs 5 IoCs
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Checks system information in the registry 2 TTPs 1 IoCs

    System information is often read in order to detect sandboxing environments.

  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e1e8346ff1d31ae330cb44c91541cd5a_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\e1e8346ff1d31ae330cb44c91541cd5a_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1488
    • C:\Users\Admin\AppData\Local\Temp\92AB.tmp
      "C:\Users\Admin\AppData\Local\Temp\92AB.tmp"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1252
      • C:\Users\Admin\AppData\Local\Temp\93A5.tmp
        "C:\Users\Admin\AppData\Local\Temp\93A5.tmp"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Writes to the Master Boot Record (MBR)
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1172
        • C:\Users\Admin\AppData\Local\Temp\93A5.tmp
          "C:\Users\Admin\AppData\Local\Temp\93A5.tmp" /test
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:1828
        • C:\Users\Admin\AppData\Local\Temp\93A5.tmp
          "C:\Users\Admin\AppData\Local\Temp\93A5.tmp" /restart /util
          4⤵
          • Enumerates VirtualBox registry keys
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Looks for VirtualBox Guest Additions in registry
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Checks system information in the registry
          • Checks for VirtualBox DLLs, possible anti-VM trick
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4312
      • C:\Users\Admin\AppData\Local\Temp\93D5.tmp
        "C:\Users\Admin\AppData\Local\Temp\93D5.tmp" "install"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:1280
  • C:\Users\Admin\AppData\Local\Temp\93D5.tmp
    "C:\Users\Admin\AppData\Local\Temp\93D5.tmp" run
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    PID:4816

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\Чистилка\config.dat

    Filesize

    476KB

    MD5

    bb094f254599a26547a3484e35a29482

    SHA1

    8b618de226450871b02e7788a5673512157db5ce

    SHA256

    f845f1859bea42f1d9c6205344eb557296042296745cb8f7e0adbe9d652928f7

    SHA512

    4b1d9c01847293aa99d0fa585788efdd4fb053461a4ce8ea1a20ace661a9bccba6a2265eeb7f06cc552941a530981b883bb6079131c8787a7427fc966fec06e1

  • C:\ProgramData\Чистилка\settings.json

    Filesize

    445B

    MD5

    d5180d4557b08cd31ed9758722bea039

    SHA1

    8d699db057625d887fb465edaea8af08f9c62255

    SHA256

    a8a5db6a3b541cd704d8c4aceeeaa16b147d0cbcfd8c97e59d434d1c0522b1f7

    SHA512

    11439f5d492729d662576dfbfeaa7c7e5a7d796271442b31e928b27e305f81b761d0f1c0cb85bb2e0f91cb8dbce1456a687559584b5eb1db0403cb3382f02cef

  • C:\Users\Admin\AppData\Local\Temp\92AB.tmp

    Filesize

    11.0MB

    MD5

    60647b7c7b5645fd43bfaee784becd67

    SHA1

    efb89b51296c016fd482f20bfe68895644caab18

    SHA256

    45909a961618e850f0a737995c2d71760453abc9040e72965fe1816dc15cc390

    SHA512

    a384cf75dd29e7b2c89d00632447cd4726f875a6a8b91ee8bc31bbccb77bffed120fc96e4898491bacbb62f1141ab93c41d7fecfce3771c6a28d6ac3a43a03a1

  • C:\Users\Admin\AppData\Local\Temp\93A5.tmp

    Filesize

    10.3MB

    MD5

    9cff02c5ee349922b08481ef0e786401

    SHA1

    a5c90378fe2581f8a69a7d6f11b8283d452562ab

    SHA256

    df8aa536fac28254bec6f2083337d0a0f1e10e132f35c119eedb925b02792474

    SHA512

    979484f010481d69cc8ad89ec183baeae4fa63414e0896a36c043ebad374780debcbe591b9342c764c089b400237d52a3d94658e6f72c9fee99476aee0daaf87

  • C:\Users\Admin\AppData\Local\Temp\93A5.tmp

    Filesize

    5.9MB

    MD5

    d7ebb78bf1f0e4a8278b2d63013b1134

    SHA1

    498b315dcba9bf4403d6748be61453d5d8991b61

    SHA256

    c5a685088c44b1fbd01f49587af753b6a0f8f793de8d3b3d7e170574fef27ba8

    SHA512

    ead20a19b5262ce34f13bae9c9d1082ce5bf740759ea82042d83600094e38de7aea87d7533fdd7660369ec5bb8549e107aff562fa477711515eb9c15c9c93312

  • C:\Users\Admin\AppData\Local\Temp\93D5.tmp

    Filesize

    324KB

    MD5

    bf9f6045d47dd87ae6d41fc7b5485506

    SHA1

    462184bdd3c143f70ff7e9553966cb3d63b7cd12

    SHA256

    f4cc03a26f2d13a41a86da8629b5d5c80a9ea586b6ba044e952b1972ab013440

    SHA512

    bce57892b7cc2f44dae9eed0113530775f64e16d2846e6f08b10d76b9829e0885a94d816bf84d20ee5751ae3d3c536b6a9e6a75b4f95197d6317b032a839b605

  • C:\Users\Admin\AppData\Local\Temp\cln979D.tmp

    Filesize

    49KB

    MD5

    abee4387ab69da821ed9397cc651597d

    SHA1

    5d14f4afdbe15448bf884b528ffffab874f920a7

    SHA256

    ac1dfd38d2fa61e28211e196cd3d754f6ccfb220e8c1beba52e54825cf615e22

    SHA512

    e014294cb60b66bd259f4a6ce262fc9eca30a30e7674dae178dbac6132ba464120e5d1076ee81c1210a2f42f819d94373733172cef9fda77c9effb4eed53a904

  • C:\Users\Admin\AppData\Local\Temp\sciter.dll

    Filesize

    5.0MB

    MD5

    9d23e2946b37a886dd9b5ce146cdd280

    SHA1

    ac82352e5ef3988dd53403a9552bf9c4bc5162d3

    SHA256

    9fabfffee8ef815f6e0f34c8909597ddf360ebff061151f18365202b774ceb20

    SHA512

    872951f7ed72422e05e5957ab7bd274fdae2fba465b3177bba4b0dd1f1c7b047d7684977f7ad51fa79dd98b30b30dc6e52eac424798c31ae0e0fe31961b682a5

  • C:\Users\Public\Desktop\Чистилка.lnk

    Filesize

    1KB

    MD5

    88d3df8977c38d2fd174fa741411fe08

    SHA1

    ec9f0337a24f7c9ef56771bad1ac5e08a2aa603d

    SHA256

    fcf3870d0953e38f9b369e68379110332626d64502c3e2241e60e77c2045f848

    SHA512

    3b965973149305f5a1e9f6f41d86adc93efdb6699ee048fa468b6ce766d58e2406c904d2b8d43a642aa4a344280cde29da9d3817c3cddb914c73505b8bd721bc

  • C:\WINDOWS\FONTS\PNS.TTF

    Filesize

    127KB

    MD5

    df8c626474a73ab7a8b511655597c7c4

    SHA1

    5de28f387ea88553d195d1978286d43c33231969

    SHA256

    723091ba5a1b8e65164075516d69c00c71225c6dde61ffc32dd4047803ab42b5

    SHA512

    c8f7d1577cb70610c40b96c835faca6b916c4924b5061351c8a67287567556b2014efb7c73cdcc4fb6533829541cd0264b8a9e428d3c572e29c06b0d96633d59

  • memory/1172-64-0x00000000003D0000-0x0000000000E1F000-memory.dmp

    Filesize

    10.3MB