Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    93s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29/09/2024, 07:34

General

  • Target

    fe0fc4697ba657b752715617a0a0927a_JaffaCakes118.exe

  • Size

    784KB

  • MD5

    fe0fc4697ba657b752715617a0a0927a

  • SHA1

    c245c4420da5e0f9d4b3d826546bc1af2ad5129d

  • SHA256

    9173e6228b5fc87965595c14258746ab987ba27a2275941a656b4acd33574012

  • SHA512

    59454db295faf1c8548c913ae3a75aab9c092a1d2ac82f5d7c274a7b233f06790eb027f074dd8de2ea3287d6915501e9dd8f0365c1d88c9843bbd7ef3d7d35d1

  • SSDEEP

    12288:fh24r4ddezt3ow+kpv0qT+yBTQqatfb5hQKGQSgWoBFQpOwjabdelqYy:fh24ztYfuBEx36gW42ubde4

Malware Config

Signatures

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • XMRig Miner payload 7 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fe0fc4697ba657b752715617a0a0927a_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\fe0fc4697ba657b752715617a0a0927a_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: RenamesItself
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:216
    • C:\Users\Admin\AppData\Local\Temp\fe0fc4697ba657b752715617a0a0927a_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\fe0fc4697ba657b752715617a0a0927a_JaffaCakes118.exe
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of UnmapMainImage
      PID:3856

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\fe0fc4697ba657b752715617a0a0927a_JaffaCakes118.exe

    Filesize

    784KB

    MD5

    f3b75ba5591498b703551af1a9122453

    SHA1

    d14f43d0bb20471bf1aa1bfe08b1554ce864800b

    SHA256

    713431ffe00a79e67035904ab52db069a653b8e71b136bedec949f0b4606b036

    SHA512

    9c9181f4add0c2d2e35a7f1bbc22ba7f263a6b192e37b4d463c3b6867b9e0502ab226e8c9ee02a740f8e97bb0ad72b235f2489c6c593357d42a639ec04fbadc4

  • memory/216-0-0x0000000000400000-0x0000000000712000-memory.dmp

    Filesize

    3.1MB

  • memory/216-1-0x00000000017F0000-0x00000000018B4000-memory.dmp

    Filesize

    784KB

  • memory/216-2-0x0000000000400000-0x0000000000593000-memory.dmp

    Filesize

    1.6MB

  • memory/216-13-0x0000000000400000-0x0000000000593000-memory.dmp

    Filesize

    1.6MB

  • memory/3856-12-0x0000000000400000-0x0000000000712000-memory.dmp

    Filesize

    3.1MB

  • memory/3856-19-0x0000000001AA0000-0x0000000001B64000-memory.dmp

    Filesize

    784KB

  • memory/3856-14-0x0000000000400000-0x0000000000593000-memory.dmp

    Filesize

    1.6MB

  • memory/3856-27-0x0000000005310000-0x00000000054A3000-memory.dmp

    Filesize

    1.6MB

  • memory/3856-20-0x0000000000400000-0x0000000000587000-memory.dmp

    Filesize

    1.5MB

  • memory/3856-30-0x00000000005A0000-0x000000000071F000-memory.dmp

    Filesize

    1.5MB

  • memory/3856-31-0x0000000000400000-0x0000000000587000-memory.dmp

    Filesize

    1.5MB