Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    08/10/2024, 21:08

General

  • Target

    257995802e0d2f1fcbd5a8a77ea311b9_JaffaCakes118.exe

  • Size

    39KB

  • MD5

    257995802e0d2f1fcbd5a8a77ea311b9

  • SHA1

    708d5c994a35c3ddde259b5dd1877bc2f523fc57

  • SHA256

    e2cbace0530254fee67859fb6aeed49417fa880c596977c5e4c1df971e0c7796

  • SHA512

    ee6857ccdae47cdad90c9f0e8d09ade5c9dac4c4e0abb67d1004e29216d7733d0181659f3093f4c732eb50245eef06678e7aef44f5a0f9ac5e6533c8cd83a3d7

  • SSDEEP

    768:uZfV8HUb2igLxbseGCFIbw6Hrl4UnWmcY3jNFmrS7:SfV8HUaiU/GxbZWRmFjaq

Score
7/10

Malware Config

Signatures

  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    (level 1)
      PID:600
    • C:\Users\Admin\AppData\Local\Temp\257995802e0d2f1fcbd5a8a77ea311b9_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\257995802e0d2f1fcbd5a8a77ea311b9_JaffaCakes118.exe"
      (level 1)
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4044
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32.exe ,a
        (level 2)
        • System Location Discovery: System Language Discovery
        PID:3032
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\removalfile.bat "C:\Users\Admin\AppData\Local\Temp\257995802e0d2f1fcbd5a8a77ea311b9_JaffaCakes118.exe"
        (level 2)
        • System Location Discovery: System Language Discovery
        PID:740

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\removalfile.bat

      Filesize

      43B

      MD5

      9a7ef09167a6f4433681b94351509043

      SHA1

      259b1375ed8e84943ca1d42646bb416325c89e12

      SHA256

      d5739a0510d89da572eb0b0d394d4fb4dd361cd9ee0144b9b31c590df93c3be7

      SHA512

      96b84cd88a0e4b7c1122af3ed6ce5edf0a9a4e9bf79575eadfac16b2c46f1278d57755d29f21d7c6dcb4403be24b7ac7da4837c6cc9c602342a8f2b8e54883df

    • C:\Windows\SysWOW64\xxyvusRH.dll

      Filesize

      28KB

      MD5

      2bdd289b1a3f9315aa1059395642843f

      SHA1

      041e4e6df2307c8f7441421155907784b977e242

      SHA256

      2f4ef1e42f658d2237c6bdea6e9a1a5eca8845da73cf6175368f86836ef96040

      SHA512

      93e45e25e403d4f73bd0a1c8ba283766be0614276dffdfadfd7292a307ef15969ba675c1f7c4525fb2ca5713ce65329d003b2dee8eeec961b9fc63cceb1d49e4

    • memory/4044-0-0x0000000000400000-0x000000000040E000-memory.dmp

      Filesize

      56KB

    • memory/4044-1-0x0000000000400000-0x000000000040E000-memory.dmp

      Filesize

      56KB

    • memory/4044-8-0x0000000010000000-0x0000000010010000-memory.dmp

      Filesize

      64KB