Analysis

  • max time kernel
    149s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    18/10/2024, 04:42

General

  • Target

    55890b1d134154075271bd0b860cd2d8_JaffaCakes118.exe

  • Size

    42KB

  • MD5

    55890b1d134154075271bd0b860cd2d8

  • SHA1

    f50629248347c42c43dab378cc9963950da140d0

  • SHA256

    02e235ccc12f14cfbffbe3abd8c79b2f53634cd6ebc39dda4c39e9b9b28bf604

  • SHA512

    46a78634272127b9a8556fb6eb584141ab56b65ffd486d4566a6ac5eae84d77eaea77ab480c125d2a7c48a7d1006894c95f978e96dfecf649c996ce40e510fba

  • SSDEEP

    768:MUBkQmoq5/DkgLTGLqWJ1W/SYEoTjerNDp4rZOawQfRZw7nwWXtRn:FGNQgLyw/SxoOZtIAabZAwW9Rn

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 28 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\55890b1d134154075271bd0b860cd2d8_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\55890b1d134154075271bd0b860cd2d8_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:892
    • C:\Windows\winlogon.exe
      "C:\Windows\winlogon.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:3704
  • C:\Program Files (x86)\Internet Explorer\ielowutil.exe
    "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
    1⤵
    • System Location Discovery: System Language Discovery
    PID:2696
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4528
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4528 CREDAT:17410 /prefetch:2
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:4816

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\ie-zook.dll

    Filesize

    90KB

    MD5

    bace891b441c0da1e64a012d7d475cd5

    SHA1

    80d93cf047c6503856d213e04d4812bcabdafded

    SHA256

    3b028d13a43b5c87efa4c2d192a1d17e0ea61b79256383a5202134eaae8d96eb

    SHA512

    54d2e4a7b8e4df6a3fbb5481966c198a924d6cdb79da41bc2f1748c91c32828e7e6a22b458d507eade3168e838ca7776ba3eba042ab300713511ab73d8747bc9

  • C:\Windows\winlogon.exe

    Filesize

    42KB

    MD5

    55890b1d134154075271bd0b860cd2d8

    SHA1

    f50629248347c42c43dab378cc9963950da140d0

    SHA256

    02e235ccc12f14cfbffbe3abd8c79b2f53634cd6ebc39dda4c39e9b9b28bf604

    SHA512

    46a78634272127b9a8556fb6eb584141ab56b65ffd486d4566a6ac5eae84d77eaea77ab480c125d2a7c48a7d1006894c95f978e96dfecf649c996ce40e510fba