Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    141s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    19/04/2024, 18:21

General

  • Target

    fae5bc119748afb806e0434ee5383ced_JaffaCakes118.exe

  • Size

    419KB

  • MD5

    fae5bc119748afb806e0434ee5383ced

  • SHA1

    20ccab4e26073dd84499aa4d5fda3956bb89aeea

  • SHA256

    2254eef7ac6a99a1fb5427c1f6b822968f9be32cb585812d757e0ae8c7c0ed15

  • SHA512

    2439e096ffa898a52cbb7b6f8240ddc7c453324ed66d001dd6298d845047ca378ea67ccb07a2cf42b1c9df81055f2e54763dfbe38f424c8f391b003d7699584c

  • SSDEEP

    6144:8/QiQP0jOQcZN2Wo0V4g060xXyVlcG40eAw38o85XOC8T/FUyKGpM9CITU/o:UQiG0jOl2WT4glcGpX98iR4o

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Checks for any installed AV software in registry 1 TTPs 2 IoCs
  • Script User-Agent 3 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fae5bc119748afb806e0434ee5383ced_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\fae5bc119748afb806e0434ee5383ced_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2008
    • C:\Users\Admin\AppData\Local\Temp\is-JFRV0.tmp\fae5bc119748afb806e0434ee5383ced_JaffaCakes118.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-JFRV0.tmp\fae5bc119748afb806e0434ee5383ced_JaffaCakes118.tmp" /SL5="$70120,139431,56832,C:\Users\Admin\AppData\Local\Temp\fae5bc119748afb806e0434ee5383ced_JaffaCakes118.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks for any installed AV software in registry
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of WriteProcessMemory
      PID:2216
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-OQVGD.tmp\ex.bat""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2820
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe -inputformat none -NoProfile -NoLogo -Command "& {$avlist = @(); $os = Get-WmiObject Win32_OperatingSystem; if ($os.ProductType -eq 3) {Write-Host \"ServerOS|0\";} elseif ($os.Version -like \"5.*\") {Get-WmiObject -Namespace root\SecurityCenter -Class AntiVirusProduct | ForEach-Object {Write-Host \"$($_.displayName)|$(if ($_.onAccessScanningEnabled) {\"4096\"} else {\"0\"})\"};} else {Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct | ForEach-Object {$avlist += \"$($_.displayName)|$($_.productState)\"};Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiSpywareProduct | ForEach-Object {$avlist += \"$($_.displayName)|$($_.productState)\"};} Write-Host ($avlist -join \"*\")}"
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2892

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\is-OQVGD.tmp\av.txt

    Filesize

    24B

    MD5

    f8f8258012893e0a2c957d226bdd7587

    SHA1

    ed482b5f912ef2d31e2b231df6b6e3b64967390c

    SHA256

    c341965a331692b4f79eed856a7da98c550d74fdef27d1241893284f1b51c3d2

    SHA512

    6e563814e4347ffa1da1d4d26ab45430987d5224c22278e1ee41b207700eb263aaab1e69088a5eeb267fdd385f36a61c0c66415f5df0887162eefbcbec9d19d1

  • C:\Users\Admin\AppData\Local\Temp\is-OQVGD.tmp\ex.bat

    Filesize

    786B

    MD5

    7e453c870461413e456bd0fa99ceab39

    SHA1

    a6c8801e329203faf1ee15254959013caa1615d9

    SHA256

    44609a6d658ae60ed93016e64fe794f6ae6b0e3eabb1135f145453d5c92a5f06

    SHA512

    ba0654c68b91a1d44165dd68498244f36051dc659627e12b79eadb6ded16e3c41458eb4b8eb9c1d898878eccac3e2fd33763d48e63287374179e8b590b4ac2e8

  • \Users\Admin\AppData\Local\Temp\is-JFRV0.tmp\fae5bc119748afb806e0434ee5383ced_JaffaCakes118.tmp

    Filesize

    694KB

    MD5

    86462bc76b244bac73ee6ffe47354be2

    SHA1

    c66462dc233887f86f9e05ee36086de4edfd99b6

    SHA256

    e3da91f01ffb504352b5e8237a5465d0f492a750a7c9a6cef22b3a5d08230fc9

    SHA512

    c0cbe3a39c2fd18e257500faacafd9fc8913221278e492b355acf64e6d97ff622a46a325a5c18cee5843a1660fda64dbc3172fac642de77ed12321085d67cb65

  • \Users\Admin\AppData\Local\Temp\is-OQVGD.tmp\_isetup\_shfoldr.dll

    Filesize

    22KB

    MD5

    92dc6ef532fbb4a5c3201469a5b5eb63

    SHA1

    3e89ff837147c16b4e41c30d6c796374e0b8e62c

    SHA256

    9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

    SHA512

    9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

  • \Users\Admin\AppData\Local\Temp\is-OQVGD.tmp\itdownload.dll

    Filesize

    202KB

    MD5

    d54c47b27c5a0f5f395f074af17b8a64

    SHA1

    3c37efec1578cbb864b43f416f71d06ec20daca1

    SHA256

    42223ecdb9e7ec04c97564f4c7e48041188ded79d6f9dfe87910483babcf58f1

    SHA512

    53e23fe72f7ebf79da84c32e514e20ee730481c6d79eb5432630321505673c8bc26c7040dfe6eb209ded1422efe89731b3a84c2ca610e801964aaa222539b697

  • memory/2008-1-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

  • memory/2008-31-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

  • memory/2216-8-0x0000000000240000-0x0000000000241000-memory.dmp

    Filesize

    4KB

  • memory/2216-17-0x00000000005C0000-0x00000000005FC000-memory.dmp

    Filesize

    240KB

  • memory/2216-34-0x0000000000240000-0x0000000000241000-memory.dmp

    Filesize

    4KB

  • memory/2216-33-0x00000000005C0000-0x00000000005FC000-memory.dmp

    Filesize

    240KB

  • memory/2216-32-0x0000000000400000-0x00000000004BD000-memory.dmp

    Filesize

    756KB

  • memory/2892-24-0x0000000073B60000-0x000000007410B000-memory.dmp

    Filesize

    5.7MB

  • memory/2892-28-0x0000000073B60000-0x000000007410B000-memory.dmp

    Filesize

    5.7MB

  • memory/2892-27-0x00000000021E0000-0x0000000002220000-memory.dmp

    Filesize

    256KB

  • memory/2892-25-0x00000000021E0000-0x0000000002220000-memory.dmp

    Filesize

    256KB

  • memory/2892-26-0x00000000021E0000-0x0000000002220000-memory.dmp

    Filesize

    256KB

  • memory/2892-23-0x0000000073B60000-0x000000007410B000-memory.dmp

    Filesize

    5.7MB