Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    144s
  • max time network
    131s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    07/04/2024, 23:21

General

  • Target

    e6195002fecd1cd970e80ab5b2318974_JaffaCakes118.exe

  • Size

    23KB

  • MD5

    e6195002fecd1cd970e80ab5b2318974

  • SHA1

    c40a15e0f8b2e521f0ae481b3339d2893970a178

  • SHA256

    bbe0a9199a171bdb993b8882ab6625a34304a2fa8889ff37b7e6b281d699cbe5

  • SHA512

    445ca53a48fb6b04ca9f333a9aa9cdd311ee3e6b82a7c60ba168bd2e7525a0066a0dc04462064ebd339b6ba2db3ac3f7fde26cafe6f4484c5d4abafa412d742d

  • SSDEEP

    384:TtkAsyopTxyeDSsKR8wFB0M0Ro551Fa+wmG9C41fKV5uakl5kNzIyeqgbueo:aAsJRDSsKRfB0M0Ro55fomGw6fKeaWk9

Score
8/10

Malware Config

Signatures

  • Disables Task Manager via registry modification
  • Modifies Windows Firewall 2 TTPs 2 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in System32 directory 6 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e6195002fecd1cd970e80ab5b2318974_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\e6195002fecd1cd970e80ab5b2318974_JaffaCakes118.exe"
    1⤵
    • Sets service image path in registry
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in System32 directory
    • Suspicious behavior: LoadsDriver
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3040
    • C:\Windows\SysWOW64\netsh.exe
      netsh firewall set allowedprogram 'C:\Users\Admin\AppData\Local\Temp\e6195002fecd1cd970e80ab5b2318974_JaffaCakes118.exe' enable
      2⤵
      • Modifies Windows Firewall
      PID:2044
    • C:\Windows\SysWOW64\kernelwind32.exe
      C:\Windows\system32\kernelwind32.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in System32 directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2360
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall set allowedprogram 'C:\Windows\SysWOW64\kernelwind32.exe' enable
        3⤵
        • Modifies Windows Firewall
        PID:2644

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\dllh8jkd1q8.exe

    Filesize

    362B

    MD5

    96dacbc0d6125a5baf02d286ea2d8277

    SHA1

    726416cce8f3b661070f9b3f30ea212e4621503e

    SHA256

    393921ae383f661a60cdb247d8600242daf919f0dfb4b1061f0ab5c7a922f443

    SHA512

    8cb5e28296ad8bcc47de26780b60fc51f81006dd04775aa0332ccecff64f7434b2ef33e17ad81ca96b16c44118bbfa19fb4325aca4eeeaa93f1d767050d2c4e3

  • \Windows\SysWOW64\kernelwind32.exe

    Filesize

    23KB

    MD5

    e6195002fecd1cd970e80ab5b2318974

    SHA1

    c40a15e0f8b2e521f0ae481b3339d2893970a178

    SHA256

    bbe0a9199a171bdb993b8882ab6625a34304a2fa8889ff37b7e6b281d699cbe5

    SHA512

    445ca53a48fb6b04ca9f333a9aa9cdd311ee3e6b82a7c60ba168bd2e7525a0066a0dc04462064ebd339b6ba2db3ac3f7fde26cafe6f4484c5d4abafa412d742d

  • memory/2360-12-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

  • memory/2360-24-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

  • memory/3040-1-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

  • memory/3040-10-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB