Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    17/01/2025, 12:55

General

  • Target
    JaffaCakes118_8c450ef4b459456b4b037dbb321619a5.exe
  • Size
    1.9MB
  • MD5
    8c450ef4b459456b4b037dbb321619a5
  • SHA1
    3a84b8c946a16accb03cb173c87ab465fbbd1194
  • SHA256
    4e398a335174371bee9882621b81bef435d9b8c013bd934b9f2f956703b8c7be
  • SHA512
    8a11f93a2bf39272c7e768ff636a36a4faa2d424aad6588b59d188355e23627a2107fb58f77f5520caeed48138b0683d6397951426c6e0aaedcae42c6986558e
  • SSDEEP
    49152:ydOjNXMu8VaWg/IbwsYRxUGXET3pbjX6JyytOdsi3:IOjtMaWZUxUfT35X06si

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8c450ef4b459456b4b037dbb321619a5.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8c450ef4b459456b4b037dbb321619a5.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4356
    • C:\Windows\SysWOW64\Cloud AV 2012v121.exe
      C:\Windows\system32\Cloud AV 2012v121.exe 5985C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8c450ef4b459456b4b037dbb321619a5.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3028
      • C:\Users\Admin\AppData\Roaming\eBrzPNycAuDoFpH\Cloud AV 2012v121.exe
        C:\Users\Admin\AppData\Roaming\eBrzPNycAuDoFpH\Cloud AV 2012v121.exe 5985C:\Windows\SysWOW64\Cloud AV 2012v121.exe
        3⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        PID:1424
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1044

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\ahst.lni
    Filesize: 908B
    MD5: 4eeed78419fb6410bd42cbf7d8ea247a
    SHA1: c9a618a5da5c022dd3a76417f94ed5f6bd737aba
    SHA256: ac8fc99207f1ea3a1408fcdc2d16b4cead6729f9ac7f30218fd1b5af20a753a8
    SHA512: d7ced5f25cba770a0fb5db7913d158d2af2609d9498136aaa68cce7f41c635bd1b7101eafc98e668026e31261d4381d601a91bcdb00b37cfe696fe46d69113ed

  • C:\Users\Admin\AppData\Roaming\ahst.lni
    Filesize: 1KB
    MD5: d714fe807a8f786bf8f56406bdd6ee85
    SHA1: 292e4a3a333c0680d2e91d3bcefd39235060af68
    SHA256: 79cc0cc5dc6b9ff05862b40c1aa7b952df37ae92fee2262afd834f901c740c1b
    SHA512: 835fc07d5888c71b25b3492aa23d4464cb3bdc8df5f517c5470d52c6d0671fcd69af682179d02886170acba000480150bde9fd956c9dd80c1a765ada555e9d49

  • C:\Windows\SysWOW64\Cloud AV 2012v121.exe
    Filesize: 1.9MB
    MD5: 8c450ef4b459456b4b037dbb321619a5
    SHA1: 3a84b8c946a16accb03cb173c87ab465fbbd1194
    SHA256: 4e398a335174371bee9882621b81bef435d9b8c013bd934b9f2f956703b8c7be
    SHA512: 8a11f93a2bf39272c7e768ff636a36a4faa2d424aad6588b59d188355e23627a2107fb58f77f5520caeed48138b0683d6397951426c6e0aaedcae42c6986558e

  • C:\Windows\System32\drivers\etc\hosts
    Filesize: 1KB
    MD5: 50ab0dd716dd66ad0c3eb5fb63f2f118
    SHA1: bd9641078264b2135d3b3b0007c98f977d057960
    SHA256: 1f9037b078250201c92f8e1ea1ad3023011039c76a5aa74d3710edc452fc6517
    SHA512: 24c0b8ca8650fb50f81b9a89bbb7e8e5492b303b065fbf846c55aeb76c9fc41ebb5b9c6163d168a1362941720473486fdf2596dab4764176ebb348ad264b61d6

  • memory/1424-131-0x0000000000400000-0x0000000000917000-memory.dmp
    Filesize: 5.1MB

  • memory/1424-88-0x0000000000400000-0x0000000000917000-memory.dmp
    Filesize: 5.1MB

  • memory/3028-12-0x0000000000400000-0x0000000000917000-memory.dmp
    Filesize: 5.1MB

  • memory/3028-18-0x0000000000400000-0x0000000000917000-memory.dmp
    Filesize: 5.1MB

  • memory/3028-11-0x0000000000400000-0x0000000000917000-memory.dmp
    Filesize: 5.1MB

  • memory/4356-1-0x0000000000400000-0x0000000000914000-memory.dmp
    Filesize: 5.1MB

  • memory/4356-9-0x0000000000400000-0x0000000000914000-memory.dmp
    Filesize: 5.1MB

  • memory/4356-8-0x0000000000400000-0x0000000000917000-memory.dmp
    Filesize: 5.1MB

  • memory/4356-2-0x0000000000400000-0x0000000000917000-memory.dmp
    Filesize: 5.1MB