Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
  • submitted
    17/04/2024, 03:48

General

  • Target

    f4f7e6f813317dfdb521e9a4c8701cb9_JaffaCakes118.exe

  • Size

    32KB

  • MD5

    f4f7e6f813317dfdb521e9a4c8701cb9

  • SHA1

    5e135676cf3dff7920469379682c8d99c317c0f0

  • SHA256

    a4470a3fc24703976217fd9aeb6758c8d09ead5ea8cdf114c287b559b63f0b7d

  • SHA512

    535e57f7eef29823e643bd93ea170ee1eb3572a1f521e6be76ee3bbef91de3a727e6c73909901f97dca9f038f76d9548626de1479d5ebff4b6de802987067e17

  • SSDEEP

    384:29oqDswpeD68I4c0hWQGyrEbwuA4d37SrFYg/9WLKSDZyn4f:2iaswMLI4cnLyrEbwuA4d37EYgsLvo4

Score
10/10

Malware Config

Signatures

  • Modifies security service 2 TTPs 2 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f4f7e6f813317dfdb521e9a4c8701cb9_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\f4f7e6f813317dfdb521e9a4c8701cb9_JaffaCakes118.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2820
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c net stop "Security Center"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2528
      • C:\Windows\SysWOW64\net.exe
        net stop "Security Center"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2444
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop "Security Center"
          4⤵
            PID:2180
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c net stop SharedAccess
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2988
        • C:\Windows\SysWOW64\net.exe
          net stop SharedAccess
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2928
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop SharedAccess
            4⤵
              PID:2708
        • C:\Windows\SysWOW64\reg.exe
          reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess" /v Start /t REG_DWORD /d 0x4 /f
          2⤵
            PID:1620
          • C:\Windows\SysWOW64\cmd.exe
            cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:2632
            • C:\Windows\SysWOW64\reg.exe
              reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
              3⤵
              • Modifies security service
              PID:2720
          • C:\Windows\SysWOW64\cmd.exe
            cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:2672
            • C:\Windows\SysWOW64\reg.exe
              reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
              3⤵
              • Modifies security service
              PID:2728
          • C:\Windows\SysWOW64\cmd.exe
            cmd.exe /C C:\0.
            2⤵
              PID:2440

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads