
Analysis

  • max time kernel
    141s
  • max time network
    127s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13/10/2024, 21:23

General

  • Target

    422511d31784711ac906260eb82466aa_JaffaCakes118.exe

  • Size

    330KB

  • MD5

    422511d31784711ac906260eb82466aa

  • SHA1

    7e532e67c04c5d1abd64f7d56a55c61e301dac55

  • SHA256

    0aaaacba440e3b7238cd8a6e139e77566e9f6c801291b7bfb92cd2aab87abbd8

  • SHA512

    01ab8120e539e9d01ea6c5acb63f1cdd849a9b086eae470f21e940923e3832b0bd60072b74e36211e182a0e2a887656cff01294cc449a525527bc375cbe3a51e

  • SSDEEP

    6144:VBEN8cPuxcV4xohBKas3Rb9ixTuQp4vmk/hXtvg+yi9FLQjb2Z:VBExPu642shbUxlp+jRtvWi9NmaZ

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Drops file in Windows directory 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\422511d31784711ac906260eb82466aa_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\422511d31784711ac906260eb82466aa_JaffaCakes118.exe"
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2272
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Windows\uninstal.bat
      • System Location Discovery: System Language Discovery
      PID:4296
  • C:\Windows\Hacker.com.cn.exe
    C:\Windows\Hacker.com.cn.exe
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:4252
    • C:\Program Files\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
      PID:3856

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\Hacker.com.cn.exe

    Filesize

    330KB

    MD5

    422511d31784711ac906260eb82466aa

    SHA1

    7e532e67c04c5d1abd64f7d56a55c61e301dac55

    SHA256

    0aaaacba440e3b7238cd8a6e139e77566e9f6c801291b7bfb92cd2aab87abbd8

    SHA512

    01ab8120e539e9d01ea6c5acb63f1cdd849a9b086eae470f21e940923e3832b0bd60072b74e36211e182a0e2a887656cff01294cc449a525527bc375cbe3a51e

  • C:\Windows\uninstal.bat

    Filesize

    218B

    MD5

    a3f4f78a20fd78f95fa16e29e3051a33

    SHA1

    0a88f61e47cb23569e757a6ea71c4a2b673a8a8b

    SHA256

    2a13dc6cc63d6fc4504f03689d80c765d69ef6fa64f6d4fea9946974729b10cc

    SHA512

    9a8e5a4c266c08c81e7e15afcfbf05e313a65528624630fe786c315dedf3906e2d9db616299fe706f3e0e3c6ac604d770caffa919169696138091aea8deb4989

  • memory/2272-0-0x00000000021F0000-0x00000000021F1000-memory.dmp

    Filesize

    4KB

  • memory/4252-5-0x0000000000E80000-0x0000000000E81000-memory.dmp

    Filesize

    4KB

  • memory/4252-10-0x0000000000E80000-0x0000000000E81000-memory.dmp

    Filesize

    4KB

  • memory/4252-9-0x0000000000400000-0x00000000004C6000-memory.dmp

    Filesize

    792KB