Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19/09/2024, 05:46

General

  • Target

    eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe

  • Size

    192KB

  • MD5

    eab2950521e2e17f90c87bcb847cd3bd

  • SHA1

    a2568f39a3c05d4f720ac39cc71dd4cffec13f34

  • SHA256

    7e502264237f15a7caf41517a953083b8394e7c1550d64af01a94bae5d25117a

  • SHA512

    94d704cf15e080f7c8851ee2a7dc6d114af67bdd15556333e71b838bf2b34ebabd3138f4855450cceae2a72b6bdd7e9216628011d63c1497a8d2cf8352117028

  • SSDEEP

    6144:LnXWx4wSizY9r4BlDqFVhbdfq351C2lF/cQ:LnXWKwSCkcBlOF3b1t2L

Malware Config

Signatures

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 27 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe"
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    PID:3168

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

    Filesize

    567KB

    MD5

    9bb6c5c8dc427b491a9de968f5c2a851

    SHA1

    a41b0aca56dff8c9a5c65d1746e88167ebfec11b

    SHA256

    1943257d484e69b65e789b65409436add7a4a68ccb098a50eef25c9104d9ccae

    SHA512

    bde893fc48cb815f7868c61ac153516c9fb6dddb5f7dc8570af7081bbcabd382f46e982cc3e92b1649a21f3e2ffe38ce2c5cb31837e384825eb8e49f586f197f

  • C:\Windows\SysWOW64\msiexec.vir

    Filesize

    202KB

    MD5

    fd4ef7edc197284fdcca0d3e804e2420

    SHA1

    7045b79048e46ceb414f6079cd4c0f114c213170

    SHA256

    6b6d1126f8a8eb45b6820410cdc8102d8917139fa98a8ec5b96ba7967e591541

    SHA512

    554b51c0006957075efcad20c6798551d277bb45b04d0f36f346e4d26f57cc9f16369e1a28ae9c91e12bbca0041776e3a373cecb39b11b2c67bb8c781c591864

  • memory/3168-0-0x0000000000400000-0x000000000046F000-memory.dmp

    Filesize

    444KB

  • memory/3168-1-0x0000000000401000-0x0000000000402000-memory.dmp

    Filesize

    4KB

  • memory/3168-2-0x0000000000400000-0x000000000046F000-memory.dmp

    Filesize

    444KB