Analysis

  • max time kernel
    144s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    08/04/2024, 14:06

General

  • Target

    e7a1c76348e312d3283a9ffd8d4666f8_JaffaCakes118.exe

  • Size

    2.0MB

  • MD5

    e7a1c76348e312d3283a9ffd8d4666f8

  • SHA1

    0033583fab7f91bed1e98fa9f6fbca6194189861

  • SHA256

    42bade7a7d1828e0f9a35b471c9230439c518935ad6ca89ae6f9479966750f37

  • SHA512

    15ee4e43802280921ee053f634a0f6f5cb4bc4a4de547cd75557f90660dc82fb413103b7786d61635d8b933e9806d68752c897485da733d4087f5a3c2d8ea7c4

  • SSDEEP

    49152:OFUcx88PWPOpX0SFohtNjbTmWbGVdzIKJa4eR6OPgCj4kyGc:O+K88uPCHWWWbG/zF04eUOPgk4kyGc

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE (1 IoCs)
  • Loads dropped DLL (1 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings (1 TTPs, 9 IoCs)
  • Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  • Suspicious behavior: RenamesItself (1 IoCs)
  • Suspicious use of SetWindowsHookEx (6 IoCs)
  • Suspicious use of WriteProcessMemory (8 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\e7a1c76348e312d3283a9ffd8d4666f8_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\e7a1c76348e312d3283a9ffd8d4666f8_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1996
    • C:\Users\Admin\AppData\Local\Temp\2980.tmp
      "C:\Users\Admin\AppData\Local\Temp\2980.tmp" --splashC:\Users\Admin\AppData\Local\Temp\e7a1c76348e312d3283a9ffd8d4666f8_JaffaCakes118.exe CBD70694CC54B3D38E6C328DAEEDB19CC2011A4140A30AF5D5AA93CD3A5B8EDFF7E6B1E2E0AF6D693FE7931AD31F02607CA3E8FC1731FF764E37B65BF6166B85
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:1260
      • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
        "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\e7a1c76348e312d3283a9ffd8d4666f8_JaffaCakes118.docx"
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of SetWindowsHookEx
        PID:2084

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\e7a1c76348e312d3283a9ffd8d4666f8_JaffaCakes118.docx

    Filesize

    19KB

    MD5

    4046ff080673cffac6529512b8d3bdbb

    SHA1

    d3cbc39065b7a55e995fa25397da2140bdac80c1

    SHA256

    f0c1b360c0b24b5450a79138650e6ee254afae6ce8f6c68da7d1f32f91582680

    SHA512

    453f70730b7560e3d3e23ddfa0fe74e014753f8b34b45254c1c0cf5fec0546a2b8b109a4f9d096e91711b6d02cb383a7136c2cb7bd6600d0598acf7c90c25418

  • \Users\Admin\AppData\Local\Temp\2980.tmp

    Filesize

    2.0MB

    MD5

    e1f4ae4469a2bfd299261faa573a569e

    SHA1

    8ebc4c519d17318f710bf836ef0bedd4e40898c3

    SHA256

    dfe66441a9a3fa55e487fb52b9f8bcbf9b4e18e1e38b9beb1dbc8739426ce203

    SHA512

    956658256417eb8e0fd2344882ac6dd69eee1f850a963422b5857a049ae1466c664ef595c2cf0a40d12549484f21fcb3cbdd456ad4168dafce12130a41a2505b

  • memory/1260-6-0x0000000000400000-0x0000000000606000-memory.dmp

    Filesize

    2.0MB

  • memory/1996-0-0x0000000000400000-0x0000000000606000-memory.dmp

    Filesize

    2.0MB

  • memory/2084-9-0x000000002F101000-0x000000002F102000-memory.dmp

    Filesize

    4KB

  • memory/2084-10-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

  • memory/2084-11-0x000000007117D000-0x0000000071188000-memory.dmp

    Filesize

    44KB

  • memory/2084-15-0x000000007117D000-0x0000000071188000-memory.dmp

    Filesize

    44KB