Analysis

  • max time kernel
    95s
  • max time network
    99s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09/10/2024, 05:33

General

  • Target

    2bc387a8d3c6574db3a74fd0e757545b_JaffaCakes118.exe

  • Size

    42KB

  • MD5

    2bc387a8d3c6574db3a74fd0e757545b

  • SHA1

    deb8991b8ff5e2ae5daffa2d97525affcbc006f9

  • SHA256

    e4bfa4b1227e615c8869d781fe0d663d173c797bb91e5804fc06b38485cf3839

  • SHA512

    c91be20c0197ed7807a3cc6db019d23bd6122e36ce9175626438d9596d2f476ff11b6007d49e7cc558d8abd5eb0aa4f9c9582190ab318bb3b54f8b564dc6c74a

  • SSDEEP

    768:HBCmFxJuAhfNUK0cLlF+jqPLkqZWaKZ9e7z913lqYrZUC9N660oi:hL5f30aF++LZWa0Uz73UsUm0

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Loads dropped DLL 2 IoCs
  • VMProtect packed file 1 IoCs

    Detects executables packed with VMProtect commercial packer.

  • Modifies WinLogon 2 TTPs 1 IoCs
  • Drops file in System32 directory 3 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2bc387a8d3c6574db3a74fd0e757545b_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\2bc387a8d3c6574db3a74fd0e757545b_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3168
    • C:\Windows\SysWOW64\sfc.exe
      "C:\Windows\system32\sfc.exe" /REVERT
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4416
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c c:\del.bat
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3300
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32.exe "C:\Program Files\Monday.ime",Runed
        3⤵
        • Loads dropped DLL
        • Modifies WinLogon
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:112
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 112 -s 688
          4⤵
          • Program crash
          PID:212
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 112 -ip 112
    1⤵
      PID:2908
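The process tree and dropped-file list above, turned into detection rules over constructed Sysmon-style events (process create and file create). This is an added example and is not part of the tria.ge report. The events are hand-built from the Processes and Downloads sections: parent PIDs follow the tree, the sample's own parent is set to 0 because the report shows none, and every dropped file is attributed to PID 3168 because that is the process carrying the "Drops file in System32 directory" and "Drops file in Program Files directory" signatures, which is an assumption about which process wrote each file. The rule names and the directory lists are mine.

```python
"""Detection rules modelled on the report's process tree and dropped files.

Added example; not part of the tria.ge report. Events are constructed by hand
from the Processes and Downloads sections and shaped like Sysmon fields
(event 1 process create, event 11 file create). Nothing here reads a real log.
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
PROTECTED_DIRS = SYSTEM_DIRS + ("c:\\program files\\",)
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\users\\public\\")


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass
class FileEvent:
    pid: int      # writing process
    target: str   # path as the sensor reports it (may carry an NT \??\ prefix)


def norm(path: str) -> str:
    """Lower-case and drop the NT object-manager prefix (the report lists \\??\\c:\\del.bat)."""
    if path.startswith("\\??\\"):
        path = path[4:]
    return path.lower()


def under(path: str, prefixes) -> bool:
    return norm(path).startswith(prefixes)


def from_user_writable(path: str) -> bool:
    p = norm(path)
    return any(marker in p for marker in USER_WRITABLE)


def rundll32_module(cmdline: str):
    """Return (module, export) from a rundll32 command line, or None."""
    m = re.search(r'rundll32(?:\.exe)?\s+"?([^",]+)"?\s*,\s*(\S+)', cmdline, re.I)
    return (m.group(1), m.group(2)) if m else None


def detect(procs, files):
    """Apply four rules; each finding is (rule, pid, detail)."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        parent = by_pid.get(p.ppid)
        exe = PureWindowsPath(norm(p.image)).name
        if exe == "rundll32.exe":
            mod = rundll32_module(p.cmdline)
            # A bare name (shell32.dll) resolves via the search path; only judge full paths.
            if mod and "\\" in mod[0] and not under(mod[0], SYSTEM_DIRS):
                findings.append(("rundll32_nonsystem_module", p.pid, f"{mod[0]} export {mod[1]}"))
        if (exe == "sfc.exe" and "/revert" in p.cmdline.lower()
                and parent and from_user_writable(parent.image)):
            findings.append(("sfc_revert_from_user_writable_parent", p.pid, parent.image))
        if exe == "cmd.exe":
            m = re.search(r"/c\s+(\S+\.bat)\b", p.cmdline, re.I)
            # A batch file sitting directly in the drive root is a classic self-delete helper.
            if m and re.fullmatch(r"[a-z]:\\[^\\]+", norm(m.group(1))):
                findings.append(("batch_in_drive_root", p.pid, m.group(1)))
    for f in files:
        writer = by_pid.get(f.pid)
        if writer and from_user_writable(writer.image) and under(f.target, PROTECTED_DIRS):
            findings.append(("user_writable_process_writes_protected_dir", f.pid, f.target))
    return findings


# Constructed from the report's Processes tree (root parent set to 0) and its Downloads
# list. Attributing every drop to PID 3168 is an assumption based on that process
# carrying the System32 and Program Files drop signatures.
PROCS = [
    ProcEvent(3168, 0, r"C:\Users\Admin\AppData\Local\Temp\2bc387a8d3c6574db3a74fd0e757545b_JaffaCakes118.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\2bc387a8d3c6574db3a74fd0e757545b_JaffaCakes118.exe"'),
    ProcEvent(4416, 3168, r"C:\Windows\SysWOW64\sfc.exe", r'"C:\Windows\system32\sfc.exe" /REVERT'),
    ProcEvent(3300, 3168, r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\system32\cmd.exe /c c:\del.bat"),
    ProcEvent(112, 3300, r"C:\Windows\SysWOW64\rundll32.exe", r'rundll32.exe "C:\Program Files\Monday.ime",Runed'),
    ProcEvent(212, 112, r"C:\Windows\SysWOW64\WerFault.exe", r"C:\Windows\SysWOW64\WerFault.exe -u -p 112 -s 688"),
]
FILES = [
    FileEvent(3168, r"C:\Program Files\Monday.ime"),
    FileEvent(3168, r"C:\Program Files\Saturday"),
    FileEvent(3168, r"C:\Windows\SysWOW64\sfcos.dll"),
    FileEvent(3168, r"C:\Windows\SysWOW64\systemp"),
    FileEvent(3168, r"\??\c:\del.bat"),
]

if __name__ == "__main__":
    for rule, pid, detail in detect(PROCS, FILES):
        print(f"{rule:45} pid={pid} {detail}")
```

Run against the constructed events, the rules fire once each for the rundll32 load of `C:\Program Files\Monday.ime`, the `sfc.exe /REVERT` child of the Temp-resident sample and the `c:\del.bat` batch, and four times for the writes into SysWOW64 and Program Files; `del.bat` in the drive root is caught by the cmd.exe rule rather than the protected-directory rule. The rundll32 rule deliberately ignores bare module names so that ordinary `rundll32 shell32.dll,Control_RunDLL` invocations do not alert.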

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Program Files\Monday.ime

      Filesize

      23KB

      MD5

      8399229905d63bdc185adbc1a88c9616

      SHA1

      d0b4af3cc18c3c6895794710a40f5a77086e8924

      SHA256

      2f34e5a074ec267e8522c1d5ae8fd5cb805218bbce4e2b8fd697eb51e4636865

      SHA512

      2b072f3695527e7c5cc8d7a1d85286cfb77d686526daca47e710114f1645c15bd2e6e140c3744278e5a92d6678627ccfddbcce48b1ab3b010cb97b66abf04a02

    • C:\Program Files\Saturday

      Filesize

      70B

      MD5

      a023df8e6eabe866ca96b1888fab3d2e

      SHA1

      265945fd9d470e45c8f012db551461a2a426b587

      SHA256

      f5cf220a6c9234b1fd5f76c966a4c2e049bf66e4b0bca1c8cced1ef01650e51f

      SHA512

      af7355442291f0fec1ad26e64c901da5f22fd1bd705db4d614d90dc3c9a501585fc5e671947629c5020acbc6568448855e1b09f9f2f2cd6dc673d4a12757b1ad

    • C:\Windows\SysWOW64\sfcos.dll

      Filesize

      48KB

      MD5

      98c499fccb739ab23b75c0d8b98e0481

      SHA1

      0ef5c464823550d5f53dd485e91dabc5d5a1ba0a

      SHA256

      d9d8ce1b86b3978889466ab1b9f46778942d276922bf7533327a493083913087

      SHA512

      9e64ac13e18ab0a518bb85b6612520645b5ab2c9a5359ced943813ba7344714999f25ba0e52240ad2d0c2fefc76552ff43173adc46334ff0b5dba171fb58e4e6

    • C:\Windows\SysWOW64\systemp

      Filesize

      4KB

      MD5

      1bc38d164c166eda1e6095a07ad25c1e

      SHA1

      e638bf29cd0579e6a7170eb18194879b01a21086

      SHA256

      cf449c0f6af9dcf832804aa2a66f12531ecfbaf89f5789ce0bdcb946aafd06d5

      SHA512

      1b6ac09e42ad1922d589ca1b4cf6bfca5652e8bab9f381ef982ee30e7e9192d426446f1538380dd152ba9ecb9a1b2e5d74e0082ad943dfcf662eb5a4744c9752

    • \??\c:\del.bat

      Filesize

      270B

      MD5

      b7d6eb4a179396310db90c402a577fd5

      SHA1

      c1236c9ed58afef128e0163b7a8153a4bcfd09d0

      SHA256

      66ddf91b5503f0c9063d51a3499cfee1964e2dc4540941c6948c23da9e8bb22c

      SHA512

      7a4e7d44b27494fc647da0abb0d8d8f6a374b72862572a93b2e07235fed003af4597dcc566ac58d6785ca606a3c4a99c215a3c4f00399b20d3dbba2bb6a6ddcf

    • memory/3168-0-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

    • memory/3168-16-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB