Analysis

  • max time kernel
    145s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
  • submitted
    07/04/2024, 18:19

General

  • Target

    e58fe6d04e8d9fce1020f532d3f0bd49_JaffaCakes118.exe

  • Size

    237KB

  • MD5

    e58fe6d04e8d9fce1020f532d3f0bd49

  • SHA1

    504dfc0032b65aaf1cd3185da709ce8c9b0daa24

  • SHA256

    e60ee107dd301de376b081552a287deb122a6e3b504acb2d9bf925e4b1f2dcf7

  • SHA512

    d7665bf5c8843524b11f52f365576d8c55370a144805e6da6dbb17d1074d5d31b8544833509336f9ca07272622a61ce6205b4082a12fe387723c405d267df3cb

  • SSDEEP

    6144:F6cPpODxCdS7eOUQ41x2IZrEurubYTvCV+CmdP8nyMI:FVcCIIZIuBTvCVaus

Score
8/10

Malware Config

Signatures

  • Sets DLL path for service in the registry (2 TTPs, 1 IoCs)
  • Deletes itself (1 IoCs)
  • Loads dropped DLL (1 IoCs)
  • Drops file in System32 directory (3 IoCs)
  • Modifies data under HKEY_USERS (1 IoCs)
  • Suspicious use of WriteProcessMemory (4 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\e58fe6d04e8d9fce1020f532d3f0bd49_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\e58fe6d04e8d9fce1020f532d3f0bd49_JaffaCakes118.exe"
    1⤵
    • Sets DLL path for service in the registry
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:2836
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c DelMe.bat
      2⤵
      • Deletes itself
      PID:2680
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k krnlsrvc
    1⤵
    PID:2748
    • C:\Windows\SysWOW64\svchost.exe
      C:\Windows\SysWOW64\svchost.exe -k krnlsrvc
      1⤵
      • Loads dropped DLL
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      PID:2668

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\DelMe.bat
    Filesize
    212B
    MD5
    316eb5dd14b7214f9bfae9604d554ae8
    SHA1
    ae4bdaf209f7e4c4ff8204940803bebb0fb621ad
    SHA256
    2082536f6dbb095d76e39546d52d24ea0a4cd1eedec24c071fe537db793e9f80
    SHA512
    3ea38b9f9e803348c82c933e1a734f7e3bbb2ab132065032e86d5ce524d65b519642595b94567b7223cc87aa0547594bf1a28eade1e96e7887ec01c675c5c0d6

  • \??\c:\windows\SysWOW64\tccj.dll
    Filesize
    29KB
    MD5
    7aec29935cd17c94ddec5daf65850a4a
    SHA1
    199716bed3b3685eed134836364b143af53afe97
    SHA256
    ba8c0e103051dd5dfa6f7ff6fdfae80d28a390d8008c177fd96f5ad6d6a30843
    SHA512
    ad5f24bdd5f779a4a3aff9229509eb3f6f405e367d1e1d6012377dec2d2cfd1e279b38a8d39a3ff5d09b3898197eaf257bae5ae1647af7f3ffba3c6f0529c95b

  • memory/2668-19-0x0000000000020000-0x000000000002D000-memory.dmp
    Filesize
    52KB

  • memory/2668-23-0x0000000000020000-0x000000000002D000-memory.dmp
    Filesize
    52KB

  • memory/2836-0-0x0000000000400000-0x000000000045D000-memory.dmp
    Filesize
    372KB

  • memory/2836-2-0x0000000000400000-0x000000000045D000-memory.dmp
    Filesize
    372KB

  • memory/2836-1-0x0000000000220000-0x0000000000238000-memory.dmp
    Filesize
    96KB

  • memory/2836-3-0x0000000000400000-0x000000000045D000-memory.dmp
    Filesize
    372KB

  • memory/2836-6-0x0000000000400000-0x000000000045D000-memory.dmp
    Filesize
    372KB

  • memory/2836-4-0x0000000000240000-0x0000000000241000-memory.dmp
    Filesize
    4KB

  • memory/2836-9-0x0000000000400000-0x000000000045D000-memory.dmp
    Filesize
    372KB

  • memory/2836-20-0x0000000000220000-0x0000000000238000-memory.dmp
    Filesize
    96KB