Analysis

  • max time kernel
    93s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250129-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20250129-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30/01/2025, 17:21

General

  • Target

    JaffaCakes118_64faf7f0def69d994bf0e5c5a0358d49.exe

  • Size

    1.5MB

  • MD5

    64faf7f0def69d994bf0e5c5a0358d49

  • SHA1

    e0c7a65dff26c70d02e5880c1b931fd5faf39f10

  • SHA256

    d71b135996dadb5f83321c26562bda351aae22c2425970747d3b5631e7cbb08c

  • SHA512

    c7494a3ce4164ed36e42a2301d5575d20fa42b99bd828648deaeaf0514681f98419c86570cada538f01280a5ae6b3c7a89677f39cb730b620acee606f523a7de

  • SSDEEP

    49152:VefQxfVKFD3sIIMy+qlhKRe0qnwwT/E+Yzyu:QIVEcUReoxTd

Malware Config

Signatures

  • Detected google phishing page 1 IoCs
  • Modifies firewall policy service 3 TTPs 10 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 16 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry key 1 TTPs 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64faf7f0def69d994bf0e5c5a0358d49.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64faf7f0def69d994bf0e5c5a0358d49.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2672
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UYKSUI~1.EXE
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UYKSUI~1.EXE
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:3440
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3440 -s 568
        3⤵
        • Program crash
        PID:1824
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Crack.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Crack.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1236
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\G-PROS~1.EXE
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\G-PROS~1.EXE
        3⤵
        • Detected google phishing page
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3176
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3956
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
            5⤵
            • Modifies firewall policy service
            • System Location Discovery: System Language Discovery
            • Modifies registry key
            PID:4340
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\G-PROS~1.EXE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\G-PROS~1.EXE:*:Enabled:MSWin64" /f
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2796
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\G-PROS~1.EXE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\G-PROS~1.EXE:*:Enabled:MSWin64" /f
            5⤵
            • Modifies firewall policy service
            • System Location Discovery: System Language Discovery
            • Modifies registry key
            PID:3664
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2784
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
            5⤵
            • Modifies firewall policy service
            • System Location Discovery: System Language Discovery
            • Modifies registry key
            PID:4964
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\G-PROS~1.EXE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\G-PROS~1.EXE:*:Enabled:MSWin64" /f
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1344
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\G-PROS~1.EXE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\G-PROS~1.EXE:*:Enabled:MSWin64" /f
            5⤵
            • Modifies firewall policy service
            • System Location Discovery: System Language Discovery
            • Modifies registry key
            PID:1564
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\melt1.bat
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4036
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Crack.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Crack.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        PID:4388
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3440 -ip 3440
    1⤵
    PID:1940

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Crack.exe

      Filesize

      1.5MB

      MD5

      119ac17a9ff4f3b1e1a7a310668b2902

      SHA1

      e35e52a52e7e437c812efc13abacd9ca50c504c9

      SHA256

      477fdae70db1b4fa00ebcc5351389303b6283325133b74f2c70a00067cb73d92

      SHA512

      52c703a8bba555754a7125370b0bb6c41a39e289672e2c48d9d589bd07143f70f3056cc04bb6dbf20c0bb667fb6105101ba136d56c3e6673cb5696b7df2240d1

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UYKSUI~1.EXE

      Filesize

      12KB

      MD5

      ef7b9a68ff6f39725d0fe5a393b8a5b5

      SHA1

      45b877c185587b23557869ec1bcce36548e95d08

      SHA256

      3627c93ae4b6ceaa11d14c850d7abf4f50f6ebe9c7fd3f3583876014ca141b60

      SHA512

      403d980a08dabff771eb95b0e38949cabd1b42fdad9c7983938523c93d2c4ccd2890de6eee0add5aef5d8c2750711c5968eb0c613f7f086bd651f2e70273f5bb

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Crack.exe

      Filesize

      1.4MB

      MD5

      2302eace8e12fa460b14c2e6764ac952

      SHA1

      e5caeb93f82243eec0d8f7fdb15efb3edc8c7386

      SHA256

      b19b5b4e514e71c32861a2c70d8c5f07a2c83af2f5c36e1b41e1a26c856c88da

      SHA512

      105676ae255d64101cb1aa7b2c6ceeb8301d5b12ae66d7542c99126c96b7606ae4a4af8ce9f07fb1ef746350f50e9b66d5d2eaa2c1cf946a2f3c3b713e8abf8c

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\G-PROS~1.EXE

      Filesize

      32KB

      MD5

      4f597e155aa341b31c256c70f67a097b

      SHA1

      c32cd541d971e6f823b085e0bea2579e5764a77f

      SHA256

      694ce71682d85d6c56c6ca20f9d9ff8e558166ec228602d2a6cd60ac197401e7

      SHA512

      6fc82a0959e42bf53d82491a565f8dbfa7a52f1e9b8bc98d5725d5fcc4dc2e377cf7a9adcb60d86fd3d816948bafc5439016f6728cd79d3426ee0586cd554af6

    • C:\Users\Admin\AppData\Local\Temp\Setup_ver1.1433.01.exe

      Filesize

      863KB

      MD5

      0c2450793d726f341f6870737a5d8437

      SHA1

      14106a326bf8b088c4b4c756dcb0adc6b2e2635c

      SHA256

      cd3fa12a3a450bffa8b8b1d3652073b2936960a6129df35c7ab37fabd7eae4f6

      SHA512

      ca634f978c982b7414c5925913bb0079f4d89e8783970b49cd2bd1f62ca9f6a44ce6d901bbfe5145c2e7d989d18b020d28723b069dc2a3a14656fd09a86a0412

    • C:\Users\Admin\AppData\Local\Temp\akkarik1.exe

      Filesize

      863KB

      MD5

      9f58363d60a4a95aa9aedbc524d315d0

      SHA1

      8ff2c023521babb322696e928d7d7edf093a3a20

      SHA256

      a61b0a185d31a6ec2eee965046780f9afb6a8d4c528d8f92ed7ddb51d31d5f90

      SHA512

      927961e06b0b12c3c3101b19b74e9b5430bff25bf096e37f83c8ba5646c6e90f6302822586605fa9173713f7a6275ee269dfe5ff11ec602666ac2e14e2f4239d

    • C:\melt1.bat

      Filesize

      203B

      MD5

      90245e810be808bf8c77944cecd52b2e

      SHA1

      a6e903e06279ef15250c9303f5620e4620b5b38a

      SHA256

      e003882084d68483bf76bdc4d21cd4f2e853aa9c000f165e16ebef3c60509f76

      SHA512

      c7c790293584ac991ccede4b60e669e5544815c1b1de469d70c1334aa565919d425c78217970d482b92c4325fb1c777860b132ec0453823f824dfc9641db6f32

    • memory/3440-8-0x0000000000400000-0x000000000090D000-memory.dmp

      Filesize

      5.1MB

    • memory/3440-7-0x0000000000400000-0x000000000090D000-memory.dmp

      Filesize

      5.1MB

    • memory/4388-63-0x0000000000400000-0x0000000000420000-memory.dmp

      Filesize

      128KB

    • memory/4388-64-0x0000000000400000-0x0000000000420000-memory.dmp

      Filesize

      128KB

    • memory/4388-79-0x0000000000400000-0x0000000000420000-memory.dmp

      Filesize

      128KB

    • memory/4388-80-0x0000000000400000-0x0000000000420000-memory.dmp

      Filesize

      128KB