Analysis

  • max time kernel
    94s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09/10/2024, 07:23

General

  • Target

    2d26ff8c55b926673524852520e77a4e_JaffaCakes118.exe

  • Size

    227KB

  • MD5

    2d26ff8c55b926673524852520e77a4e

  • SHA1

    7baefc1d929ecef7a9063775be4576fcf4d9cdc0

  • SHA256

    3e2a192d497afd016d0ca3e7bbb6b319ae1a88be89f60a4f3411d6243ddceb36

  • SHA512

    5e6ee837ff1ea3290562c8673f45787f88bb813614c77dfe39929746a7a26ffabbdc0f2697ed65435cbc8ad19b4e89acb610a0e8eb036eb1d342272425e6e01f

  • SSDEEP

    6144:dfOpM5uMf/j/lSCq0wWCBY5y3aiAGWd573slDD0Ig:dmpM5t3nFCBY5dikLsVE

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2d26ff8c55b926673524852520e77a4e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\2d26ff8c55b926673524852520e77a4e_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1800
    • C:\Users\Admin\AppData\Local\Temp\ins4532\ins4532.exe
      "C:\Users\Admin\AppData\Local\Temp\ins4532\ins4532.exe" ins.exe /e5682653 /u5062d47f-b8cc-411a-9555-12ab5bc06f2f
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:4028
      • C:\Users\Admin\AppData\Local\Temp\ins4532\ins.exe
        "C:\Users\Admin\AppData\Local\Temp\ins4532\ins.exe" /e5682653 /u5062d47f-b8cc-411a-9555-12ab5bc06f2f
        3⤵
        • Executes dropped EXE
        • Drops desktop.ini file(s)
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:5064

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\ins4532\ins.exe

    Filesize

    254KB

    MD5

    473b7bc5d6fd58f3c86a29ff64035bad

    SHA1

    69a8bbb0ed0be2f66459030ccb77a6f8307d46f9

    SHA256

    107d940514fcd5cfe2e62d4e23357dd2eeef7543b082a4b959e11569aaf180b1

    SHA512

    2cb5c110c8e4aba59f3c6bed7b6dc4a4624538d906ad18be72e687f695ef825aad117457eab895c01295878dfe25e1b6b0ed25de29c6f1558e20ed6be3411d25

  • C:\Users\Admin\AppData\Local\Temp\ins4532\ins4532.exe

    Filesize

    138KB

    MD5

    9543c7e436381a7853e8182a35152e38

    SHA1

    3e828372157a880edde5e5621a7888900d686d76

    SHA256

    1628a5b49145659ebddd692829fd2c067569452f85769ef831376b8bb36c6c26

    SHA512

    cd82be11ffa1c17eb95a110741ba1199b38da11aaf13a40dd7c9de8ec4fa7a56a48e718cd1a30cd4fa47000a757e62c0fff4285c0b0af21460b3ea986b1951e4

  • memory/1800-38-0x0000000000230000-0x000000000028D000-memory.dmp

    Filesize

    372KB

  • memory/1800-0-0x0000000000230000-0x000000000028D000-memory.dmp

    Filesize

    372KB

  • memory/1800-31-0x0000000000230000-0x000000000028D000-memory.dmp

    Filesize

    372KB

  • memory/4028-13-0x00007FFC6E2A0000-0x00007FFC6EC41000-memory.dmp

    Filesize

    9.6MB

  • memory/4028-14-0x00007FFC6E2A0000-0x00007FFC6EC41000-memory.dmp

    Filesize

    9.6MB

  • memory/4028-32-0x00007FFC6E2A0000-0x00007FFC6EC41000-memory.dmp

    Filesize

    9.6MB

  • memory/4028-33-0x00007FFC6E555000-0x00007FFC6E556000-memory.dmp

    Filesize

    4KB

  • memory/4028-37-0x00007FFC6E2A0000-0x00007FFC6EC41000-memory.dmp

    Filesize

    9.6MB

  • memory/4028-12-0x00007FFC6E555000-0x00007FFC6E556000-memory.dmp

    Filesize

    4KB

  • memory/5064-26-0x0000000073DB2000-0x0000000073DB3000-memory.dmp

    Filesize

    4KB

  • memory/5064-27-0x0000000073DB0000-0x0000000074361000-memory.dmp

    Filesize

    5.7MB

  • memory/5064-28-0x0000000073DB0000-0x0000000074361000-memory.dmp

    Filesize

    5.7MB

  • memory/5064-35-0x0000000073DB0000-0x0000000074361000-memory.dmp

    Filesize

    5.7MB