Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    15/04/2024, 16:49

General

  • Target

    f18634cacad918b0425c9a7dddf0d022_JaffaCakes118.exe

  • Size

    24KB

  • MD5

    f18634cacad918b0425c9a7dddf0d022

  • SHA1

    fb2c8d42bc519f7f430093811019afc0139d42c2

  • SHA256

    768f4f1f222a2a2f47799b0eb0874dca215d7b5918ee429c07d7d62a481b7e9d

  • SHA512

    0b7c51c26d1eaa61b829cb23a26d2029c98f1575d646a19ca99a092af75f46807af8a295e2a2574acd16925a4a4082a73341a1b821c835d57c0827c4bc4fe2b9

  • SSDEEP

    384:E3eVES+/xwGkRKJraRlM61qmTTMVF9/q5n0:bGS+ZfbJmO8qYoA0

Score
6/10

Malware Config

Signatures

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Gathers network information 2 TTPs 2 IoCs

    Uses commandline utility to view network configuration.

  • Runs net.exe
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f18634cacad918b0425c9a7dddf0d022_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\f18634cacad918b0425c9a7dddf0d022_JaffaCakes118.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1628
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ver >c:\windows\temp\flash.log & cmd /c set >>c:\windows\temp\flash.log & ipconfig /all >>c:\windows\temp\flash.log & tasklist >>c:\windows\temp\flash.log & net start>>c:\windows\temp\flash.log & netstat -an >>c:\windows\temp\flash.log
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2464
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c set
        3⤵
          PID:2952
        • C:\Windows\SysWOW64\ipconfig.exe
          ipconfig /all
          3⤵
          • Gathers network information
          PID:2476
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          3⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:2488
        • C:\Windows\SysWOW64\net.exe
          net start
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1224
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 start
            4⤵
              PID:2764
          • C:\Windows\SysWOW64\NETSTAT.EXE
            netstat -an
            3⤵
            • Gathers network information
            • Suspicious use of AdjustPrivilegeToken
            PID:2528

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • \??\c:\windows\temp\flash.log

        Filesize

        8KB

        MD5

        524361c3438360fa3470220f37014178

        SHA1

        ba25338b13edd67380e9837267ba5bfd8d87e1b7

        SHA256

        30347b219912e52fad5f624488d3bb7faae24747670c48a20093174506307384

        SHA512

        1e9f60c4c813194087baf5b1fe197e3f977092b76e98f93fd1d67ebc143538be65ff70bbe939c7a91db467ad65f13a70bad32301cbb6d2c59d77a4cb1b9e47ab