Analysis

  • max time kernel
    94s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09/10/2024, 09:08

General

  • Target

    2e734811b8fd40255183a8068c937011_JaffaCakes118.exe

  • Size

    348KB

  • MD5

    2e734811b8fd40255183a8068c937011

  • SHA1

    96701e3f2fa7712aead95d41251a0787116f2ea1

  • SHA256

    d4f2a917898747b2925721cacbdd09d4ea29dce9fd6380d8e2f8c1904197080a

  • SHA512

    0b3cbd4a8fd82bbfe9f8fb4ebdc3392772acbfc84f405ebd42d3275fb2e081aaacb42da0c117207a9143ebfef2f4023704061b19e3b17c3072235a6d3f03b3d2

  • SSDEEP

    3072:eeqSbnq+h4RQw9SJH/qxSXNXy0jJz3wvg4mnedvYCq8rPLIzJND+LF6M0jk43p:eeqSu+hcKqxSFUvgdedvdq+MzDAUY43

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Drops file in System32 directory 4 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2e734811b8fd40255183a8068c937011_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\2e734811b8fd40255183a8068c937011_JaffaCakes118.exe"
    1⤵
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1820
    • C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s C:\Windows\System32\htvqa.dll
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      PID:232
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32 htvq4.dll , InstallMyDll
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Writes to the Master Boot Record (MBR)
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2804
    • C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s C:\Windows\System32\ggsss7.dll
      2⤵
      • Loads dropped DLL
      • Installs/modifies Browser Helper Object
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      PID:2556
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c 375O540.bat
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4584

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\375O540.bat

    Filesize

    2KB

    MD5

    b918cbefcb81cba5bed5d95a678e20de

    SHA1

    50d86a21a48f634358560cf0c377b830b638c314

    SHA256

    1d4407d8e6c736dca851c7380b67d119e8d0479f792d18a2afb0c1ef9d42c9a6

    SHA512

    098bccf4d52e8d5e986b7f46e882a39995bd730fc0d0d0a9ebcc7639ee0c2572a3afd2698770089f5441b0f07776bc1c6bca3906d0e829e12073c8da840903ff

  • C:\Windows\SysWOW64\ggsss7.dll

    Filesize

    44KB

    MD5

    8905be9225b99b77466e077aecada2b0

    SHA1

    f3ca04bd03bb6d256da05d7b2aea462a180712e6

    SHA256

    e3db304da80ee588abfcf68886fdc7d3471f44b74d68b8bb0dac900972b369df

    SHA512

    6d15734a5a8f31e5219f9645d5b5806302c0f3f3e5705e64fd2bf1e885a5016aa4371a215845b508840442563b323018796bca85dd6ec2291dc416d98b07b367

  • C:\Windows\SysWOW64\htvq4.dll

    Filesize

    116KB

    MD5

    4b671fa7fad4bff457497d83ee5e1b03

    SHA1

    961388419b33fdefe34705eb841f16d4da304c6a

    SHA256

    09564b7c5d410f0d2c8ebbf016489e11591b0a3914d8fe3072cf78fc6d31b9c3

    SHA512

    65185d3d0a14446bb905f054a95d6a4c172e829652ae60709484835becca49dc7fc4f93b2dff56214bbcb8b7fc38d2afa19c85608aa2fc239fb3d71461a8c4ec

  • C:\Windows\SysWOW64\htvqa.dll

    Filesize

    40KB

    MD5

    1aed9bb654aeb1c97011e961f91d231f

    SHA1

    e83d0c8cb058708a41ed176448d61df9f13b213f

    SHA256

    7f905aa8222008c0052786ec54361ec04fbf79bbc2dfe8e18b615c3541b6cd65

    SHA512

    6191f3e8ba95b5ae6dc653562fb6c340e350956ba22f806fc0c6729482b4b17da6fdb46fcbe66bff31fa39c2628daf8b9760121c2455e017af616ca2e9474078

  • memory/1820-0-0x0000000000400000-0x0000000000459000-memory.dmp

    Filesize

    356KB

  • memory/1820-7-0x0000000000400000-0x0000000000459000-memory.dmp

    Filesize

    356KB

  • memory/1820-13-0x0000000000400000-0x0000000000459000-memory.dmp

    Filesize

    356KB