Analysis

  • max time kernel
    146s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    11/04/2024, 03:22

General

  • Target

    ec90ac0413219680a3053c8e2d5c7a88_JaffaCakes118.exe

  • Size

    958KB

  • MD5

    ec90ac0413219680a3053c8e2d5c7a88

  • SHA1

    96c6c6c5c41015729cf1a6494dc1d612d0428dd5

  • SHA256

    73c139f8dcd67af1ba85ed9a395c15c7508e1ed095e6c6e70f187cb32b2261d6

  • SHA512

    1e269826e38f61a9bfba0e94a3bf2bacb10bccb1ddfccf829f60da20b9ccb0025b949c70830412c3980a945b557f56ca49a181376258fb1595df54d0c22858e7

  • SSDEEP

    24576:Szm7SY2vSk4s0YvK9Cobdvlo8V22PKG7sD5ZvDI:4m7n2vSkbv9GNvUVXvDI

Score
7/10
upx

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies system certificate store 2 TTPs 4 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ec90ac0413219680a3053c8e2d5c7a88_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\ec90ac0413219680a3053c8e2d5c7a88_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: RenamesItself
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:2012
    • C:\Users\Admin\AppData\Local\Temp\ec90ac0413219680a3053c8e2d5c7a88_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\ec90ac0413219680a3053c8e2d5c7a88_JaffaCakes118.exe
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Modifies system certificate store
      • Suspicious use of UnmapMainImage
      • Suspicious use of WriteProcessMemory
      PID:2476
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\ec90ac0413219680a3053c8e2d5c7a88_JaffaCakes118.exe" /TN 5xzkGEJ1bdbc /F
        3⤵
        • Creates scheduled task(s)
        PID:2512
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c schtasks.exe /Query /XML /TN 5xzkGEJ1bdbc > C:\Users\Admin\AppData\Local\Temp\La5lvmS4.xml
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2544
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks.exe /Query /XML /TN 5xzkGEJ1bdbc
          4⤵
            PID:1604

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Users\Admin\AppData\Local\Temp\La5lvmS4.xml

      Filesize

      1KB

      MD5

      2465db4238c99153878292c7be781d26

      SHA1

      2cc3b0590259b9123d7eb28e69665d43b22127a6

      SHA256

      76acb745969bd74a46ce7eaea89afb0056f62a890140fa8df8a3a7a422012768

      SHA512

      0be13cf5ad127b6dbbaf91608929d195700ea69dfc7fd62f47a909b28751149d2f84408449aaae5c7649272e4a98b2f6807d4675db65212201d9083e2f91a5a7

    • \Users\Admin\AppData\Local\Temp\ec90ac0413219680a3053c8e2d5c7a88_JaffaCakes118.exe

      Filesize

      958KB

      MD5

      b84cd11566d914c3d91472765a4fde46

      SHA1

      f88bb440c0dfc399b69dfb55269f68142c0bda5d

      SHA256

      a7a94b520510e7adb74f1264fec574f9345a8af078b678d876e6bd59264d2d08

      SHA512

      0df8bb5958b4e1bed361cad2b89d4c0ba71a020ad947c9d555e0855b3c70fc8e950cda254f43369d5ef1de1946ac8be2b24c11c657b144d5f87999f7219ba9d4

    • memory/2012-0-0x0000000000400000-0x00000000005ED000-memory.dmp

      Filesize

      1.9MB

    • memory/2012-1-0x0000000000400000-0x0000000000469000-memory.dmp

      Filesize

      420KB

    • memory/2012-3-0x00000000015F0000-0x000000000166B000-memory.dmp

      Filesize

      492KB

    • memory/2012-16-0x0000000002EA0000-0x000000000308D000-memory.dmp

      Filesize

      1.9MB

    • memory/2012-20-0x0000000000400000-0x0000000000469000-memory.dmp

      Filesize

      420KB

    • memory/2476-22-0x0000000000400000-0x00000000005ED000-memory.dmp

      Filesize

      1.9MB

    • memory/2476-19-0x00000000015F0000-0x000000000166B000-memory.dmp

      Filesize

      492KB

    • memory/2476-27-0x0000000000400000-0x000000000045A000-memory.dmp

      Filesize

      360KB

    • memory/2476-32-0x0000000000470000-0x00000000004D9000-memory.dmp

      Filesize

      420KB

    • memory/2476-55-0x0000000000400000-0x00000000005ED000-memory.dmp

      Filesize

      1.9MB