Analysis

  • max time kernel
    94s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29/09/2024, 14:19

General

  • Target

    feb4a1e95f3ac74c6e7a3b85a7a11834_JaffaCakes118.exe

  • Size

    2.1MB

  • MD5

    feb4a1e95f3ac74c6e7a3b85a7a11834

  • SHA1

    fca4199e3320a006453d16bb8ac105354d6581ff

  • SHA256

    4192d1084d9dd28e293bdce815592fa71c8722d9c91083b8c8c9b8cfec061d49

  • SHA512

    854fd8be770ec36243f7349cc1210364a3d7d941e23cdaa4316808bdc965bddcc000f6f7971e8fc116fd54b6912f62ea5b220f717e1b1dd28f0db2bd9290eb35

  • SSDEEP

    49152:D2q3civpMQ9OFnvQNNSNuknmQo6O1g5XcvCt6CfKppWOM:DrciveQ9OFnv+4N1A6O16rcvpxM

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\feb4a1e95f3ac74c6e7a3b85a7a11834_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\feb4a1e95f3ac74c6e7a3b85a7a11834_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2452
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\m41l78u9uprxqjv.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\m41l78u9uprxqjv.exe" -e -p2pn8xu698ah0qb9
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4396
      • C:\Users\Admin\AppData\Local\Temp\RarSFX1\b6thynos8b04n66.exe
        "C:\Users\Admin\AppData\Local\Temp\RarSFX1\b6thynos8b04n66.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4004
        • C:\Users\Admin\AppData\Roaming\Protector-alrd.exe
          C:\Users\Admin\AppData\Roaming\Protector-alrd.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:4748
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\RarSFX1\B6THYN~1.EXE" >> NUL
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2304

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\m41l78u9uprxqjv.exe

    Filesize

    2.0MB

    MD5

    c5198aad190a58d59fa4cf9d548bc536

    SHA1

    bed2e67fc1ca223daad46f6ca4089cf1d5e33b08

    SHA256

    5f6f239087a40ff9025beffeecb6ecf0eb4c8f588ff0015b3ee9423f7ff5d804

    SHA512

    fc6a7593130cfa516866a5bd9b6bcc70ec853da5eda3256db6dc09cb8451aac74fbd1964a7a75eb967adf319f8c325b6cac5d9791d5bc24a7edcbc211791b1fc

  • C:\Users\Admin\AppData\Local\Temp\RarSFX1\b6thynos8b04n66.exe

    Filesize

    2.0MB

    MD5

    d747f50d679159a5c8f70af8c6f1229a

    SHA1

    728b2cdbe38671c3f558dc4be90fd006339159df

    SHA256

    56c7e379cdc925ed01ce7e48d19c608c69bc565e6ec7d3d9670099d1dd5ea62b

    SHA512

    937f56d6bb1cad56e4fb916f46d5cdd02f5336f4511a28c1459095cf124ce61254efa518a0d0cd69102a44cc5255347d55f18100853dd0feaff96d775b453c68

  • memory/4004-21-0x0000000000400000-0x0000000000831000-memory.dmp

    Filesize

    4.2MB

  • memory/4004-27-0x0000000000400000-0x0000000000831000-memory.dmp

    Filesize

    4.2MB

  • memory/4748-29-0x0000000000400000-0x0000000000831000-memory.dmp

    Filesize

    4.2MB