Analysis

  • max time kernel
    148s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04/10/2024, 09:59

General

  • Target

    12deba0b037118181b7c0f6277baaf67_JaffaCakes118.exe

  • Size

    45KB

  • MD5

    12deba0b037118181b7c0f6277baaf67

  • SHA1

    46fc4fb95d3a2720669ded9d0506506619c1118b

  • SHA256

    f5fc522ee7ea42699bee0f64510ecf5194f073a4029af9995a2f236a144a7b59

  • SHA512

    96487cdf72f76fd70a1034e86adb6ae8380807c19eb65a1b72d6d3370cdd3386b735751132123d75706e22ba067d8148ce340c25749b385b5ac07e705bf77bb7

  • SSDEEP

    768:Q6MDEOgk6guQrhO23k7/9sppE0iKFz89519yFSUKhJJ16c5Qbdk1Kj30ZRfJLJVS:gExDPQ9l3ky88x8vTJJ16mQbdUKLwRZe

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 39 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\12deba0b037118181b7c0f6277baaf67_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\12deba0b037118181b7c0f6277baaf67_JaffaCakes118.exe"
    1⤵
    • Modifies visibility of hidden/system files in Explorer
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1272
    • C:\Program Files (x86)\installer\svchost.exe
      "C:\Program Files (x86)\installer\svchost.exe" "C:\Program Files (x86)\tencent\StormLib.ncq"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1696
    • C:\Program Files (x86)\installer\svchost.exe
      "C:\Program Files (x86)\installer\svchost.exe" "C:\Windows\system32\pop1.vbs"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2824
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" http://www.95081.net/1.htm
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3104
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3104 CREDAT:17410 /prefetch:2
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1656

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\installer\svchost.exe

    Filesize

    144KB

    MD5

    ff00e0480075b095948000bdc66e81f0

    SHA1

    c2326cc50a739d3bc512bb65a24d42f1cde745c9

    SHA256

    8c767077bb410f95b1db237b31f4f6e1512c78c1f0120de3f215b501f6d1c7ea

    SHA512

    3a38e62dcb925411bc037335e46dfdd895c12a52ac43c47ef38db42d41d8358dfc2b1081a361367911d60ec5a3350ca734cf70ad57b21d39b23cfdec35b0aced

  • C:\Program Files (x86)\tencent\StormLib.ncq

    Filesize

    9KB

    MD5

    671584bd11cff35064c545a7d9599de7

    SHA1

    273a7ed0bdf66933f6f8c49ed8483d241d273472

    SHA256

    23f3698310efc119ef079650deec34abacf853eea78eabefd179836c430828b7

    SHA512

    f8b597fab65f7316768ce24e41f0218da116d2f42affd088ad59113a968900be70c72b07f4206374d1e1e6177406af747e06482c56e91443832fffb3fa216795

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

    Filesize

    471B

    MD5

    db7c83e09ebc4317f2bf2df7f66b8513

    SHA1

    29d58ef43f72ce7cf79ce6109d038a6c9b4873f0

    SHA256

    1ae4c8aa37bf433bc5b3b45e017c95bf843c7dbbe348c78c7ab6f3cad0fda4b8

    SHA512

    6eb46ae0c3e091ba13b1c0e3fb6de568882940df7968d0e1297568ea5356a4691f2a869c7c9ac9e9642bcc2e4e1388d00b15c663276143e8cb5015ab89c27867

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

    Filesize

    404B

    MD5

    1da86e32de6de9cfc6e32dc392250832

    SHA1

    f1f07281795bcc9488f5ce70cfd796e01bba5532

    SHA256

    317c55d246507268f7db9cfc0d785a3ba32701ff66880875b1f109a95a7711f3

    SHA512

    f3b64e12e9b3cb92368e8142744f76bdba33709b2a3466ed1ae8a14246c4371bd00cfd151e357d37d763022ea6e96359edfb252414d9e197d28d3be734436826

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verFF5F.tmp

    Filesize

    15KB

    MD5

    1a545d0052b581fbb2ab4c52133846bc

    SHA1

    62f3266a9b9925cd6d98658b92adec673cbe3dd3

    SHA256

    557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

    SHA512

    bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\KQ3665LB\suggestions[1].en-US

    Filesize

    17KB

    MD5

    5a34cb996293fde2cb7a4ac89587393a

    SHA1

    3c96c993500690d1a77873cd62bc639b3a10653f

    SHA256

    c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

    SHA512

    e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

  • C:\Windows\SysWOW64\pop1.vbs

    Filesize

    216B

    MD5

    1fe47a988c978d68e86019de56b29bda

    SHA1

    6904ea05d6d22e1d5fac34dd28d8455a37cd8820

    SHA256

    58ef16f24f50009390d92e9bd4172c02f3e4c213151bbef7033bad535ea41f43

    SHA512

    6f8a401d310243ed54b68c10c582808a5d3f5ea89746b5d9cc67df7d11bec6fd2467b726df9c0198f21b8c5afd1d2bbb75405c8693cd2b1451b179ee0fbc45c6