Analysis

  • max time kernel
    96s
  • max time network
    97s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01/10/2024, 00:42

General

  • Target

    03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe

  • Size

    298KB

  • MD5

    03ca8f4558571b27bef876d0005663bd

  • SHA1

    08e6dbadc0e38517565127514f66a6d5794bb88d

  • SHA256

    3716b919a585fa4902c432b81235b850d36d2d07079498b958927804ff947c22

  • SHA512

    4391181cc2ca0acf4c94d076d614f1c2a770706c710ede7e355bcdd7e07bfc41ad8ae47eb909a2d5ce21bb3698f4bc728413eb3650f79abee7bb25fae4c29716

  • SSDEEP

    6144:CzSY0RcrnbIFMzEOjh64JDZs6z7/WKtuujadWphpVsznR1bYhmbM:uKcrnbIA7dTYKsujaqpkRChmbM

Score
7/10

Malware Config

Signatures

  • ASPack v2.12-2.42 1 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Drops file in System32 directory 3 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Modifies Internet Explorer start page 1 TTPs 1 IoCs
  • Modifies registry class 24 IoCs
  • Suspicious use of WriteProcessMemory 45 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Modifies Internet Explorer settings
    • Modifies Internet Explorer start page
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:220
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\srun12.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2664
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3232
      • C:\Windows\SysWOW64\cacls.exe
        cacls "C:\Users\Admin\Desktop\Internet Explorer.lnk" /G Everyone:R /C
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4468
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\srun61.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:700
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:908
      • C:\Windows\SysWOW64\cacls.exe
        cacls "C:\Program Files (x86)\Internet Explorer\ie\iexplore.exe" /G Everyone:R /C
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2564
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\srun73.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4028
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2288
      • C:\Windows\SysWOW64\cacls.exe
        cacls "C:\Users\Admin\Desktop\Internet Explorer.lnk" /G Everyone:R /C
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2920
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\srun43.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2424
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4776
      • C:\Windows\SysWOW64\cacls.exe
        cacls "C:\Users\Admin\Desktop\Internet Explorer.lnk" /G Everyone:R /C
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4016
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\srun19.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2580
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2252
      • C:\Windows\SysWOW64\cacls.exe
        cacls "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\╞⌠╢» Internet Explorer Σ»└└╞≈.lnk" /G Everyone:R /C
        3⤵
        • System Location Discovery: System Language Discovery
        PID:8
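The process tree above is worth two checks that the signature list does not spell out. First, every cacls.exe call uses /G without /E: cacls only edits an existing ACL when /E is given, so these calls replace the ACL outright and leave the dropped iexplore.exe and the Internet Explorer shortcuts readable-only for Everyone, administrators included, which is a cheap tamper-protection trick. Second, the last cacls target is mojibake: the sandbox runs with locale en-us, cmd.exe reads srun19.bat under OEM code page 437, and the box-drawing glyphs are what GBK bytes look like through that code page. Re-encoding the glyphs as cp437 and decoding them as GBK gives "启动 Internet Explorer 浏览器.lnk" (literally "Launch Internet Explorer Browser", consistent with the Chinese-language Windows name of that Quick Launch shortcut and with the geofence and language checks). The script below is an added example, not Triage's code and not taken from the sample; its events are constructed from the PIDs and command lines in the tree, plus one constructed benign cacls /E line as a control, and the names ProcEvent, Finding, triage, lineage and recover_gbk_path are this example's own.

```python
"""Triage of the process tree above (added example; not Triage's code or the sample's).

It flags two behaviours the tree shows and recovers the mojibake target:
  * cmd.exe launching a .bat dropped in %TEMP%;
  * cacls.exe with /G (or /P) and no /E: without /E cacls REPLACES the ACL, so
    "Everyone:R" leaves the file read-only for everyone, admins included;
  * a cacls target whose glyphs are GBK bytes displayed through OEM code page 437.
Events are constructed from the report's PIDs and command lines; the /E line is a
constructed benign control.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    cmdline: str


@dataclass
class Finding:
    pid: int
    rule: str
    target: str
    lineage: list[str] = field(default_factory=list)
    recovered_target: str | None = None


ROOT = r"C:\Users\Admin\AppData\Local\Temp\03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe"
EVENTS = [  # constructed from the process tree in the report
    ProcEvent(220, 0, f'"{ROOT}"'),
    ProcEvent(2664, 220, r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\srun12.bat" "'),
    ProcEvent(4468, 2664, r'cacls "C:\Users\Admin\Desktop\Internet Explorer.lnk" /G Everyone:R /C'),
    ProcEvent(700, 220, r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\srun61.bat" "'),
    ProcEvent(2564, 700, r'cacls "C:\Program Files (x86)\Internet Explorer\ie\iexplore.exe" /G Everyone:R /C'),
    ProcEvent(2580, 220, r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\srun19.bat" "'),
    ProcEvent(8, 2580, r'cacls "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\╞⌠╢» Internet Explorer Σ»└└╞≈.lnk" /G Everyone:R /C'),
    ProcEvent(9999, 4, r'cacls "C:\Tools\notes.txt" /E /G Everyone:R'),  # constructed benign control: /E edits, does not replace
]

_TOKEN = re.compile(r'"([^"]*)"|([^\s"]+)')
_TEMP_BAT = re.compile(r'\\AppData\\Local\\Temp\\[^\\"]+\.(?:bat|cmd)$', re.I)


def split_cmdline(cmdline: str) -> list[str]:
    """Windows-style split: a quoted run is one token (quotes stripped); empty tokens dropped."""
    return [q or bare for q, bare in _TOKEN.findall(cmdline) if (q or bare).strip()]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def lineage(pid: int, by_pid: dict[int, ProcEvent]) -> list[str]:
    """Image names as written in each command line, from the tree root down to `pid`."""
    chain = []
    while pid in by_pid:
        ev = by_pid[pid]
        chain.append(basename(split_cmdline(ev.cmdline)[0]))
        pid = ev.ppid
    return chain[::-1]


def recover_gbk_path(path: str) -> str | None:
    """Undo GBK-bytes-shown-as-cp437 mojibake. Returns None for plain ASCII, for text that
    is not cp437-representable, or when the round trip yields no CJK character."""
    if path.isascii():
        return None
    try:
        fixed = path.encode("cp437").decode("gbk")
    except UnicodeError:
        return None
    return fixed if any("\u4e00" <= ch <= "\u9fff" for ch in fixed) else None


def triage(events: list[ProcEvent]) -> list[Finding]:
    by_pid = {e.pid: e for e in events}
    findings: list[Finding] = []
    for e in events:
        tokens = split_cmdline(e.cmdline)
        if not tokens:
            continue
        name, args = basename(tokens[0]).lower(), tokens[1:]
        if name == "cmd.exe":
            for t in args:
                if _TEMP_BAT.search(t):
                    findings.append(Finding(e.pid, "cmd runs batch file from %TEMP%", t, lineage(e.pid, by_pid)))
        elif name in ("cacls", "cacls.exe") and args:
            flags = {a.upper() for a in args if a.startswith("/")}
            if flags & {"/G", "/P"} and "/E" not in flags:  # /G or /P without /E replaces the whole ACL
                findings.append(Finding(e.pid, "cacls replaces ACL (no /E)", args[0],
                                        lineage(e.pid, by_pid), recover_gbk_path(args[0])))
    return findings


if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f"pid {f.pid:>5}  {f.rule:<34} {' > '.join(f.lineage)}")
        print(f"           target: {f.target}")
        if f.recovered_target:
            print(f"           intended target (cp437 -> gbk): {f.recovered_target}")
```

Running it lists three batch launches from %TEMP% and three ACL replacements, each with its lineage back to the submitted sample, and prints the recovered Chinese path for PID 8; the constructed /E control produces no finding. Note that the mojibake path is also what the sandbox actually tried to modify, so that cacls call succeeded only on a matching GBK-named shortcut, i.e. on a Chinese-locale host; on the en-us sandbox it targeted a file that does not exist.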

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\Internet Explorer\ie\iexplore.exe

    Filesize

    814KB

    MD5

    5e5f63cd0ca3ee94c61a2db20ce33fc9

    SHA1

    c90ea9645c7cc1ad7553675a7ecdf880b1fb4621

    SHA256

    219280ffebd3d771102fc3a7f26529e5e9161366e3a5de2f8943d81dda7756bf

    SHA512

    b36df698f1cbe52df754db9fcfba7e6811b6fc74f44a89378ce29356630f66a10d526402e9d133f8ab608bb614e2214945c0b732b4db3d0cad3d3665e062edcb

  • C:\Users\Admin\AppData\Local\Temp\srun12.bat

    Filesize

    130B

    MD5

    af197ab4ce4325a4d9404424e380d026

    SHA1

    a2d56574a4bc489be1bf25e5030e0a817ffdd2cf

    SHA256

    553c843afa7141da9096178c0b75805e6677d58a08833449fe24f2b7b9b61950

    SHA512

    5547fad3d2866429345e90aa634c5a5fe341b6af24c3e9e76dc42b4fdfee489357708ad9154851ae9e687c9ee08bfcd546d7ae9c60f8403548fec81a150722ba

  • C:\Users\Admin\AppData\Local\Temp\srun19.bat

    Filesize

    191B

    MD5

    83a6d9f519941c0c7150da1d3b06f077

    SHA1

    b26fdddaa23010f07853dcc269bc4327160fcf47

    SHA256

    92015fe71ca302fa0a74d7d56b1f84409e2a6a25ac2e40ac6b85309a9be4008e

    SHA512

    b41fa1c48525cf130344dad5137f4f847e52834700c191b10e4f0d738a43fa8d6398cd8c803ee6fad1be2947ae2b48a47bf985b828ba946df98f83bfaed9b019

  • C:\Users\Admin\AppData\Local\Temp\srun43.bat

    Filesize

    130B

    MD5

    cd56ccdaf1d7638c0af8c306696faa2d

    SHA1

    0247a2ec40277a4971c3299054467fb51113c8cd

    SHA256

    bc251a0ddd4dfb39f72e1613936530bc06a9466dc451b785e90905ca7d2a20f5

    SHA512

    7b0db034a3ce38d8d780dff9aac1ba40d75d417841851bda1e96acef98f5096d0478ae351a69995839eaa37458dadcd7d13a7bfc9383c10d5a9fe271e004d51b

  • C:\Users\Admin\AppData\Local\Temp\srun61.bat

    Filesize

    142B

    MD5

    e86a459370957b4f3539a3e123e7b3db

    SHA1

    ffc678861a18ff07ca4a7e6470011a51b58e2759

    SHA256

    e955f4eb7a7978d0f4d6cbe29db39503164ca3eac4fa89677311e4e951393747

    SHA512

    d28b933df8723a61663bd4a18d9ef1c3b4fef1502263587a410496f29266762591d06c9846b346849b64bb381062aa3be3950221275361e4fe6d672090eb7bc7

  • C:\Users\Admin\AppData\Local\Temp\srun73.bat

    Filesize

    130B

    MD5

    a64dba561aef05132368b946ef75d1b8

    SHA1

    fc27ba6252030af9547514a92e58a0ea9ebe99d1

    SHA256

    47f97774c7bf781bac836e19deba3f62c83c5b7fa8fc884431730c4a81639e64

    SHA512

    b1da1c7cd754f3f3d2d471f80f76797dec5652e693de8f00a66170cbe7c8c111dca459dea114211afdff807756473fb27562b7fa77e0f83819e4e0a44b7c6023

  • C:\Users\Admin\Desktop\Internet Explorer.lnk

    Filesize

    1KB

    MD5

    c84397c8fefe5d9b4a480d520b8c75e8

    SHA1

    6dd0dc4250400a69d57e543ed4a147c70ac1e7ae

    SHA256

    91e4547b6ca3a6664cf75fb03aea845470f4b00b4863be53d931caaba3cea781

    SHA512

    eb8a2815d8bff51af280c6f23beaa676fdbc0c7707eda90b2e3a66204e1bbe6833348485fc03dbe45863c3d40af6862eb7e7303478eefe7fcf0af2e69372b7f6

  • C:\Windows\SysWOW64\Pnkx.exe

    Filesize

    298KB

    MD5

    4d7caeaf82ebca37a54a7f9cda40562e

    SHA1

    ab24ef2a3938be8080b57004ac3275299102b5fe

    SHA256

    3783131beaa732f5645933d36c4f47993ced754041bffb40c1c47ae957033eff

    SHA512

    6fe36aef486a5b96cf01ddcc353f6f0f80630bed0959cadb96e992f6b2dd88c9c0f2f2ed9924d826867fa228617cb582d2285abb3364343530a4707d2071d3e0

  • memory/220-0-0x0000000002480000-0x0000000002481000-memory.dmp

    Filesize

    4KB

  • memory/220-1-0x0000000000400000-0x00000000004CD000-memory.dmp

    Filesize

    820KB

  • memory/220-2-0x0000000002480000-0x0000000002481000-memory.dmp

    Filesize

    4KB

  • memory/220-38-0x0000000000400000-0x00000000004CD000-memory.dmp

    Filesize

    820KB