
Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23/10/2024, 14:28

General

  • Target

    6f64a36e04850929786e5c23375f4fb6_JaffaCakes118.exe

  • Size

    28KB

  • MD5

    6f64a36e04850929786e5c23375f4fb6

  • SHA1

    926e54269dc99d556ab9f5d6a383cea24fb91635

  • SHA256

    82c644e7daafe7b35055c37e7f0f14195866134c5942e8be89000de628cf475c

  • SHA512

    398f55e6af62063792731faaf4cb6acc06f19d8c558253507d548fddebf3198735fe09e9a7234b1d5843aaff09b7aa3e1d41ad0a7dfbdf9c319f89662dce3e1f

  • SSDEEP

    384:1vxBbK26lj5Id8SpHx9jLhsznnVxA1WmP5w7GGCJlqqwMyNiAshvG5s:Dv8IRRdsxq1DjJcqf05s

Malware Config

Signatures

  • Detects MyDoom family 8 IoCs
  • MyDoom

    MyDoom is a worm written in C++.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • UPX packed file 27 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 3 IoCs
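
The "UPX packed file" signature above fires on section-table traits, and the same check is easy to reproduce offline. The script below is an added example written for this page, not tria.ge's detection code: it walks the PE section headers with the standard library only and reports stock UPX section names as well as the packer's tell-tale layout that survives when the names are patched out (a section with zero raw size on disk but a large, RWX virtual region). The three PE images it contains are constructed in the script for demonstration; the RWX-buffer rule is a heuristic that other packers can also trip.

```python
"""Flag UPX-style packing by walking the PE section table.

Added example for the "UPX packed file" signature; this is not tria.ge's
detection code. Standard library only (no pefile). Two indicators:
  * section names UPX0/UPX1/UPX2, left behind by stock UPX, and
  * a section with zero raw size on disk but a large virtual size that is
    readable, writable and executable: the buffer the UPX stub unpacks into.
    This survives when the names are patched out ("modified UPX"), but it is
    a heuristic that other packers can also trip.
The PE images at the bottom are constructed here for demonstration.
"""
import struct

UPX_NAMES = {b"UPX0", b"UPX1", b"UPX2"}
IMAGE_SCN_MEM_RWX = 0xE0000000  # IMAGE_SCN_MEM_EXECUTE | READ | WRITE


def parse_sections(data):
    """Return [(name, virtual_size, raw_size, characteristics), ...]."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4                        # IMAGE_FILE_HEADER
    num_sections, = struct.unpack_from("<H", data, coff + 2)
    opt_size, = struct.unpack_from("<H", data, coff + 16)
    table = coff + 20 + opt_size               # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(num_sections):
        off = table + 40 * i
        name = data[off:off + 8].rstrip(b"\0")
        vsize, _vaddr, rsize = struct.unpack_from("<III", data, off + 8)
        chars, = struct.unpack_from("<I", data, off + 36)
        sections.append((name, vsize, rsize, chars))
    return sections


def upx_indicators(sections):
    """Return human-readable reasons the image looks UPX-packed (empty if none)."""
    reasons = []
    hits = sorted(n.decode() for n in {s[0] for s in sections} & UPX_NAMES)
    if hits:
        reasons.append("UPX section names: " + ", ".join(hits))
    for name, vsize, rsize, chars in sections:
        # Empty on disk, big in memory, RWX: the unpack buffer, whatever its name.
        if rsize == 0 and vsize >= 0x1000 and (chars & IMAGE_SCN_MEM_RWX) == IMAGE_SCN_MEM_RWX:
            label = name.decode(errors="replace") or "<unnamed>"
            reasons.append(f"{label}: zero raw size, 0x{vsize:x} bytes virtual, RWX")
    return reasons


def build_pe(section_specs):
    """Build a minimal PE32 image (constructed test input, not a real binary).

    Only the fields parse_sections() reads are meaningful; the optional
    header is a zero-filled placeholder of the standard PE32 size.
    """
    opt_size, e_lfanew = 224, 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_specs), 0, 0, 0, opt_size, 0x0102)
    table = b""
    for name, vsize, rsize, chars in section_specs:
        table += name.ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", vsize, 0x1000, rsize, 0x400, 0, 0, 0, 0, chars)
    return dos + b"PE\0\0" + coff + b"\0" * opt_size + table


# Constructed samples: stock UPX layout, the same layout with the names
# patched out, and an ordinary unpacked image.
STOCK_UPX = build_pe([(b"UPX0", 0x10000, 0, 0xE0000080),
                      (b"UPX1", 0x2000, 0x1E00, 0xE0000040),
                      (b".rsrc", 0x1000, 0x200, 0xC0000040)])
RENAMED_UPX = build_pe([(b".text", 0x10000, 0, 0xE0000080),
                        (b".data", 0x2000, 0x1E00, 0xE0000040)])
PLAIN = build_pe([(b".text", 0x2000, 0x2000, 0x60000020),
                  (b".data", 0x800, 0x400, 0xC0000040)])

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else STOCK_UPX
    print("\n".join(upx_indicators(parse_sections(data)) or ["no UPX indicators"]))
```

Run it with the sample path as the only argument to check a real file; with no argument it analyses the constructed stock-UPX image. A hit on the second rule alone is worth a second look rather than a verdict, since any packer that reserves an empty RWX region for its unpacked image produces the same layout.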

Processes

  • C:\Users\Admin\AppData\Local\Temp\6f64a36e04850929786e5c23375f4fb6_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\6f64a36e04850929786e5c23375f4fb6_JaffaCakes118.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1988
    • C:\Windows\services.exe
      "C:\Windows\services.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      PID:4464
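
The process tree above is the detection opportunity: the dropped binary is named services.exe but runs from C:\Windows, whereas the genuine Service Control Manager lives in C:\Windows\System32, and the parent also writes a Run key. The script below is an added example, not tria.ge's signature logic: it runs two simple rules (core-binary name in a non-canonical directory; Run/RunOnce value write) over endpoint events and joins them, so a persistence entry that launches a masquerading binary stands out from ordinary Run-key traffic. The event records are constructed here in a Sysmon-like shape (EventID 1 = process create, EventID 13 = registry value set); the field names, the allow-list of canonical directories and the Run value names are assumptions, not data from the report.

```python
"""Hunt for the process-tree behaviour in this report: a dropped binary that
borrows the name of a core Windows executable but runs from the wrong
directory (C:\\Windows\\services.exe rather than
C:\\Windows\\System32\\services.exe), plus a Run-key write for persistence.

Added example, not tria.ge's signature logic. The events are constructed
here in a Sysmon-like shape (EventID 1 = process create, EventID 13 =
registry value set); field names, the canonical-directory allow-list and
the Run value names are assumptions.
"""
from pathlib import PureWindowsPath

# Where each core binary legitimately lives (assumed, intentionally short).
CANONICAL_DIRS = {
    "services.exe": {r"c:\windows\system32"},
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "lsass.exe": {r"c:\windows\system32"},
    "winlogon.exe": {r"c:\windows\system32"},
}
RUN_KEYS = (
    r"\software\microsoft\windows\currentversion\run",
    r"\software\microsoft\windows\currentversion\runonce",
)

# Constructed events mirroring the report's tree (PIDs 1988 and 4464 are the
# report's; the value name "Services", PID 700 and the OneDrive entry are
# made up to give the rules benign traffic to ignore).
EVENTS = [
    {"EventID": 1, "ProcessId": 1988,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\6f64a36e04850929786e5c23375f4fb6_JaffaCakes118.exe"},
    {"EventID": 13, "ProcessId": 1988,
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Services",
     "Details": r"C:\Windows\services.exe"},
    {"EventID": 1, "ProcessId": 4464, "ParentProcessId": 1988,
     "Image": r"C:\Windows\services.exe"},
    {"EventID": 1, "ProcessId": 700,
     "Image": r"C:\Windows\System32\services.exe"},
    {"EventID": 13, "ProcessId": 3000,
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
]


def masquerade_findings(events):
    """(pid, image) for process creations whose file name belongs to a core
    Windows binary but whose directory is not one it legitimately runs from."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 1:
            continue
        p = PureWindowsPath(ev["Image"])
        allowed = CANONICAL_DIRS.get(p.name.lower())
        if allowed and str(p.parent).lower() not in allowed:
            findings.append((ev["ProcessId"], ev["Image"]))
    return findings


def run_key_persistence(events):
    """(pid, value_name, command) for every Run/RunOnce value write."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 13:
            continue
        target = ev["TargetObject"]
        if any(key + "\\" in target.lower() for key in RUN_KEYS):
            findings.append((ev["ProcessId"], target.rsplit("\\", 1)[1], ev["Details"]))
    return findings


def correlate(events):
    """Run-key entries whose command launches a binary flagged by the
    masquerade rule: the high-signal subset worth paging on."""
    suspicious = {img.lower() for _, img in masquerade_findings(events)}
    return [(pid, name, cmd) for pid, name, cmd in run_key_persistence(events)
            if cmd.strip('"').lower() in suspicious]


if __name__ == "__main__":
    for pid, name, cmd in correlate(EVENTS):
        print(f"pid {pid}: Run value {name!r} -> {cmd} (masquerading core binary)")
```

The join is what keeps this usable: Run-key writes alone are noisy on a workstation, and a path check alone fires once at execution and is gone, but a persistence entry pointing at a wrong-directory services.exe is specific enough to act on. Extending CANONICAL_DIRS from the real system is a one-off inventory job; the allow-list here is deliberately tiny.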

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\G94T3PNL\default[6].htm

    Filesize

    304B

    MD5

    68b8c190a6eab85ea8f4835df8de79c5

    SHA1

    43832bc2b2457c1431ecbb203f471a21c93ab69d

    SHA256

    834c833dc3ad979c81ed54b4655d98f59bc679682a6738a3490355ccec21f7e9

    SHA512

    98bf33e57e5b94a70843489837de4773ae6c709b1e6b77c27280af04c30c33918c7a513c05c17e60e868d13cf8394dc26ea04b000c812d9601edd990b7ea5cf5

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\G94T3PNL\search[1].htm

    Filesize

    25B

    MD5

    8ba61a16b71609a08bfa35bc213fce49

    SHA1

    8374dddcc6b2ede14b0ea00a5870a11b57ced33f

    SHA256

    6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

    SHA512

    5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\PTWQX4L2\default[1].htm

    Filesize

    312B

    MD5

    c15952329e9cd008b41f979b6c76b9a2

    SHA1

    53c58cc742b5a0273df8d01ba2779a979c1ff967

    SHA256

    5d065a88f9a1fb565c2d70e87148d469dd9dcbbefea4ccc8c181745eda748ab7

    SHA512

    6aecdd949abcd2cb54e2fe3e1171ee47c247aa3980a0847b9934f506ef9b2d3180831adf6554c68b0621f9f9f3cd88767ef9487bc6e51cecd6a8857099a7b296

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\PTWQX4L2\default[3].htm

    Filesize

    312B

    MD5

    e5c2364375c0a8a786a9508a840b6299

    SHA1

    bec1874db0d2348274b6656d1383e262f73e2bc6

    SHA256

    51b67ae1066eb179562cf80a8a156bbd4b139b83072f610bf62c0b6d58ed17f3

    SHA512

    ee19a8fa40bc7e991ac289eb30ceec8264d6071f124e99791022961c99f25b97def4f13fa96149eb52786d1104d85d20410e65a333304c0df6ba858472a557d3

  • C:\Users\Admin\AppData\Local\Temp\rxkn9ioex.log

    Filesize

    1KB

    MD5

    57bcef622ef5a8be127e13885f41ba19

    SHA1

    601af559bdef19199945f1fc0341d026e6bbacbf

    SHA256

    0c76312ec532015f856995c761244bc533253e9a47d1ef7cd37f083811f4a0a3

    SHA512

    628da061f24cc3bd71ce7d3197d775122695afde05193a6451b5662d19d95c7495326f668aca7c147e090c8f9e907104a4f8a1c789052a7c9cc1bfb617221798

  • C:\Users\Admin\AppData\Local\Temp\tmpF940.tmp

    Filesize

    28KB

    MD5

    320108bba39c07dd4b4f33a6dc287834

    SHA1

    c3ae36228e578ea9ea43aa470c7662a7373564dd

    SHA256

    6560dbd3a6058ccc4ee4b5baf727ae549417a68716d15ab03a36baf2b0a11149

    SHA512

    202b5bd512331e3b274aed180850a7720383252f4303e720c89537ebd6a3a1f1a247e24cfca5e451e6688159bc4b57bd6f6f3803af05a395b0a784f3f8eadbd5

  • C:\Users\Admin\AppData\Local\Temp\zincite.log

    Filesize

    1KB

    MD5

    d1d94e065980027eaf7372c4c9ed8b2d

    SHA1

    ed6c439e485f097c33430fba45a21a6b0ebc45d2

    SHA256

    702449634fafae673132c903728606a496bea6e0fd04ec765578beee3aa6a573

    SHA512

    8e0c25c59cab54fbd92de8cab7b27055c7a86a86cb78b6452bdaf4fbcb6b06a2d69ab96c68c85642e69bbc15dd02058dc0596f3917597d76fead9f29dbec694f

  • C:\Users\Admin\AppData\Local\Temp\zincite.log

    Filesize

    1KB

    MD5

    9b6dd21295e88e76611c5173bcbb8245

    SHA1

    167fd121ebe12d267d9c877486ae9c48d607c63c

    SHA256

    14f8d447dd7257e1b71204ad88447b1b8be080c053562d8bdbfd9480d23004ee

    SHA512

    f05b421f3b1116f2636d21ea62371556d2e47d389b006a51fd8118141d9e94d88a328047fe0b5c783eb0f8f233e181aded7eb90ee20f2d4a08a9746d2d06a11c

  • C:\Users\Admin\AppData\Local\Temp\zincite.log

    Filesize

    1KB

    MD5

    a8e7a81973b3a56d6ed1c0f5bae2ff3c

    SHA1

    9b16614634d8b6e30391944646bb30768fe8323c

    SHA256

    33d9c696cf310af20fc4d34a38ed576b88fa76b92d910d5102b68e57ba2f9032

    SHA512

    bbe5a2b5e9848b5c9e3ea9edf037547ce3f9d06074cdfd6bcfca169390533133b149445661c2f8874958856f37d522f4f4d2726659d64e3e932cc1ec2090d4e1

  • C:\Windows\services.exe

    Filesize

    8KB

    MD5

    b0fe74719b1b647e2056641931907f4a

    SHA1

    e858c206d2d1542a79936cb00d85da853bfc95e2

    SHA256

    bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

    SHA512

    9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

  • memory/1988-169-0x0000000000500000-0x0000000000510000-memory.dmp

    Filesize

    64KB

  • memory/1988-149-0x0000000000500000-0x0000000000510000-memory.dmp

    Filesize

    64KB

  • memory/1988-13-0x0000000000500000-0x0000000000510000-memory.dmp

    Filesize

    64KB

  • memory/1988-44-0x0000000000500000-0x0000000000510000-memory.dmp

    Filesize

    64KB

  • memory/1988-219-0x0000000000500000-0x0000000000510000-memory.dmp

    Filesize

    64KB

  • memory/1988-183-0x0000000000500000-0x0000000000510000-memory.dmp

    Filesize

    64KB

  • memory/1988-0-0x0000000000500000-0x0000000000510000-memory.dmp

    Filesize

    64KB

  • memory/1988-164-0x0000000000500000-0x0000000000510000-memory.dmp

    Filesize

    64KB

  • memory/1988-111-0x0000000000500000-0x0000000000510000-memory.dmp

    Filesize

    64KB

  • memory/4464-26-0x0000000000400000-0x0000000000408000-memory.dmp

    Filesize

    32KB

  • memory/4464-28-0x0000000000400000-0x0000000000408000-memory.dmp

    Filesize

    32KB

  • memory/4464-16-0x0000000000400000-0x0000000000408000-memory.dmp

    Filesize

    32KB

  • memory/4464-117-0x0000000000400000-0x0000000000408000-memory.dmp

    Filesize

    32KB

  • memory/4464-150-0x0000000000400000-0x0000000000408000-memory.dmp

    Filesize

    32KB

  • memory/4464-40-0x0000000000400000-0x0000000000408000-memory.dmp

    Filesize

    32KB

  • memory/4464-165-0x0000000000400000-0x0000000000408000-memory.dmp

    Filesize

    32KB

  • memory/4464-21-0x0000000000400000-0x0000000000408000-memory.dmp

    Filesize

    32KB

  • memory/4464-170-0x0000000000400000-0x0000000000408000-memory.dmp

    Filesize

    32KB

  • memory/4464-15-0x0000000000400000-0x0000000000408000-memory.dmp

    Filesize

    32KB

  • memory/4464-33-0x0000000000400000-0x0000000000408000-memory.dmp

    Filesize

    32KB

  • memory/4464-184-0x0000000000400000-0x0000000000408000-memory.dmp

    Filesize

    32KB

  • memory/4464-45-0x0000000000400000-0x0000000000408000-memory.dmp

    Filesize

    32KB

  • memory/4464-220-0x0000000000400000-0x0000000000408000-memory.dmp

    Filesize

    32KB

  • memory/4464-38-0x0000000000400000-0x0000000000408000-memory.dmp

    Filesize

    32KB

  • memory/4464-6-0x0000000000400000-0x0000000000408000-memory.dmp

    Filesize

    32KB