Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
141s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
19/04/2024, 10:30
General
-
Target
fa1af9f89f182ceaf85cdc39a9bb55b9_JaffaCakes118.exe
-
Size
2.1MB
-
MD5
fa1af9f89f182ceaf85cdc39a9bb55b9
-
SHA1
b66a479eaeaf45be1b5bb52968550724d0ef0934
-
SHA256
f58bb7ef51d62cbca14778caffadd854dad7a1a5682cc2016f775310b0464058
-
SHA512
7fbf3ea63ef918abce0806512872f8608e9771c5069eade5246623434ed1489f9ae3c1b6c7cf7bb8f5f75f8bb3c5600d5fb4a6d07c38806e6d6e114ecc8c0a7f
-
SSDEEP
49152:4WFVbrhPYRE7ri2iqfRIIJyiCpVPG/NBOf/WbsWa:xFVbryO7r/fRhIiQVw8/WbsWa
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
Looks for VMWare services registry key. 1 TTPs 1 IoCs
-
ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 2 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file 4 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
VMProtect packed file 4 IoCs
Detects executables packed with VMProtect commercial packer.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies Internet Explorer settings 1 TTPs 3 IoCs
-
Modifies registry class 4 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of FindShellTrayWindow 4 IoCs
-
Suspicious use of SendNotifyMessage 6 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\fa1af9f89f182ceaf85cdc39a9bb55b9_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\fa1af9f89f182ceaf85cdc39a9bb55b9_JaffaCakes118.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Looks for VMWare services registry key.
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Modify Registry
2Pre-OS Boot
1Bootkit
1Virtualization/Sandbox Evasion
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
86KB
MD5e3b51669c995d4f1a321ac84ed1064d0
SHA19f20bf6fa1f3124abb240e77bfbcea583d67c117
SHA256a55e21fe509b0db3d51c6f7faa73c1d06b7d60eaa696e12ef38d5b82c37fd60d
SHA5128eb05f3800e3da4d1f9e2b447f4e9e3210ef49fe25cf23b0b33371197459704f4bb6bd1fa0dae1e252eb05c363e85c49010f5ad03165a0aff9ce8fcada7335ec
-
Filesize
264KB
MD5b1ac011d37b343798899e3780d08ab49
SHA1d58b91d255d3b29e6ca016b59b7a6df38ff825cc
SHA256cc461087c558da2fae0895ad86e7ba46f0734af0cc42c38615f0e9e3fadb4b1b
SHA512ce0a0ab52b8735f2e40f1f8e4d5babaf624b9c0654885d485fc320228f25f30ce43cf779743bcae7536505feaa700b6e59254b09d15a0bb27267b33a0d35189a
-
Filesize
4.2MB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4.2MB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
232KB
-
Filesize
232KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
480KB
-
Filesize
480KB
-
Filesize
4.2MB
-
Filesize
4.2MB
-
Filesize
4.2MB
-
Filesize
232KB
-
Filesize
4.2MB
-
Filesize
480KB
-
Filesize
4.2MB
-
Filesize
4.2MB
-
Filesize
4.2MB
-
Filesize
4.2MB
-
Filesize
4.2MB
-
Filesize
4.2MB
-
Filesize
4.2MB
-
Filesize
4.2MB
-
Filesize
4.2MB
-
Filesize
4.2MB
-
Filesize
4.2MB
-
Filesize
4.2MB