Analysis

  • max time kernel
    118s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    18/04/2024, 19:40

General

  • Target

    f8a154521bd546c4a2e9704f63def716_JaffaCakes118.exe

  • Size

    10KB

  • MD5

    f8a154521bd546c4a2e9704f63def716

  • SHA1

    89c24d1f3043b5891a494b0e8b3f422642b0ac7e

  • SHA256

    a423193c571a7726f20bcd42e9c9658cbaaf36237ecbfb8b70ca00f2aea4d65d

  • SHA512

    d308a0b06695a1f0c92c1424bd5fa83dac8b242d2a8feced95607301f8cd73d4f75c2828ee61b97f7327a76a116ddd65b7d112efe622425e8f7ae70eed8400a7

  • SSDEEP

    192:m8sc7GOuYqBAo+0Q2kn+AhoXUgzaUGJDqhEGk5NLpoBYswx58b0UHW:m8f7GOuZljkn+A+aJDWEGUpsM5JYW

Score
10/10

Malware Config

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Windows\Explorer.EXE (PID 1276, depth 1)
    Command line: C:\Windows\Explorer.EXE
    • C:\Users\Admin\AppData\Local\Temp\f8a154521bd546c4a2e9704f63def716_JaffaCakes118.exe (PID 2128, depth 2)
      Command line: "C:\Users\Admin\AppData\Local\Temp\f8a154521bd546c4a2e9704f63def716_JaffaCakes118.exe"
      Signatures triggered by this process:
      • Adds autorun key to be loaded by Explorer.exe on startup
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • C:\Windows\SysWOW64\cmd.exe (PID 3016, depth 3)
        Command line: "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\F8A154~1.EXE > nul

Network

MITRE ATT&CK Enterprise v15

Downloads

  • memory/1276-5-0x00000000029E0000-0x00000000029E1000-memory.dmp (Filesize: 4KB)
  • memory/2128-0-0x0000000000400000-0x0000000000417000-memory.dmp (Filesize: 92KB)
  • memory/2128-4-0x00000000001B0000-0x00000000001B1000-memory.dmp (Filesize: 4KB)
  • memory/2128-6-0x0000000000400000-0x0000000000417000-memory.dmp (Filesize: 92KB)