Analysis

  • max time kernel: 118s
  • max time network: 121s
  • platform: windows7_x64
  • resource: win7-20240221-en
  • resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted: 20/04/2024, 17:07

General

  • Target: fd37932be7cadd7b8295e8540a543802_JaffaCakes118.exe
  • Size: 786KB
  • MD5: fd37932be7cadd7b8295e8540a543802
  • SHA1: 10962017f617ca840f96a386663d99b1e86d996f
  • SHA256: fd735f45bb33b4ff724a71528c1833ba3fbc1327081349db0e4a0378213073df
  • SHA512: c1634ae47dc8151ca5ba47f3075daadedc783ca358fadba9b02d9697f155734681a80b73aca871ff4455b48d8f6872431ced8bb56e67ff10b9ae6ea5df0efb3f
  • SSDEEP: 24576:u+YENwEP5EcmsU8PU6IqHHyMWVdV1FBXPKfa:vNwER08P3IISMW7DXPK

Score
8/10

Malware Config

Signatures

  • Looks for VMWare drivers on disk (2 TTPs, 1 IoC)
  • ACProtect 1.3x - 1.4x DLL software (1 IoC)

    Detects a file protected with ACProtect software.

  • Identifies Wine through registry keys (2 TTPs, 1 IoC)

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Loads dropped DLL (8 IoCs)
  • Themida packer (4 IoCs)

    Detects Themida, an advanced Windows software protection system.

  • UPX packed file (5 IoCs)

    Detects executables packed with the UPX open source packer or a modified UPX.

  • Maps connected drives based on registry (3 TTPs, 2 IoCs)

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  • Suspicious use of SetThreadContext (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (1 IoC)
  • Suspicious use of WriteProcessMemory (16 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\fd37932be7cadd7b8295e8540a543802_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\fd37932be7cadd7b8295e8540a543802_JaffaCakes118.exe"
    PID: 2904 (depth 1)
    • Looks for VMWare drivers on disk
    • Identifies Wine through registry keys
    • Loads dropped DLL
    • Maps connected drives based on registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Local\Temp\fd37932be7cadd7b8295e8540a543802_JaffaCakes118.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\fd37932be7cadd7b8295e8540a543802_JaffaCakes118.exe"
      PID: 2604 (depth 2, child of 2904)
    • C:\Users\Admin\AppData\Local\Temp\fd37932be7cadd7b8295e8540a543802_JaffaCakes118.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\fd37932be7cadd7b8295e8540a543802_JaffaCakes118.exe"
      PID: 2712 (depth 2, child of 2904)
    • C:\Users\Admin\AppData\Local\Temp\fd37932be7cadd7b8295e8540a543802_JaffaCakes118.exe
      Command line: ?
      PID: 2624 (depth 2, child of 2904)

Network

MITRE ATT&CK Enterprise v15

Downloads

  • \Users\Admin\AppData\Local\Temp\~DCTMP26641.tmp
    Filesize: 4KB
    MD5: d02bc5e49dcbdeb20edda49f984c4ece
    SHA1: 533469beb0c49e364e277a29eb80a8207ddd164c
    SHA256: 0daa40b9b6da489521e3d919e024984c826c4c49caf3a21cc77178651b0dfbf9
    SHA512: 55233a019c291bb991aaf7e90826518f8d60bc423d85b4f18bc4b7f583f8832e4c1a5a5530843532860a7c2cd7d96bfcf3091e126d0996ade35ab93c39d6125a
  • memory/2624-35-0x0000000000400000-0x0000000000450000-memory.dmp (Filesize: 320KB)
  • memory/2624-30-0x0000000000400000-0x0000000000450000-memory.dmp (Filesize: 320KB)
  • memory/2624-39-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp (Filesize: 4KB)
  • memory/2624-43-0x0000000000400000-0x0000000000450000-memory.dmp (Filesize: 320KB)
  • memory/2624-27-0x0000000000400000-0x0000000000450000-memory.dmp (Filesize: 320KB)
  • memory/2712-53-0x0000000000400000-0x0000000000592000-memory.dmp (Filesize: 1.6MB)
  • memory/2904-40-0x0000000004140000-0x0000000004141000-memory.dmp (Filesize: 4KB)
  • memory/2904-52-0x0000000004170000-0x0000000004302000-memory.dmp (Filesize: 1.6MB)
  • memory/2904-31-0x0000000004110000-0x0000000004111000-memory.dmp (Filesize: 4KB)
  • memory/2904-29-0x0000000001F60000-0x0000000001F61000-memory.dmp (Filesize: 4KB)
  • memory/2904-36-0x00000000040C0000-0x00000000040C1000-memory.dmp (Filesize: 4KB)
  • memory/2904-0-0x0000000000400000-0x0000000000592000-memory.dmp (Filesize: 1.6MB)
  • memory/2904-42-0x0000000004150000-0x0000000004151000-memory.dmp (Filesize: 4KB)
  • memory/2904-44-0x00000000040A0000-0x00000000040A1000-memory.dmp (Filesize: 4KB)
  • memory/2904-26-0x00000000040D0000-0x00000000040D1000-memory.dmp (Filesize: 4KB)
  • memory/2904-32-0x00000000040F0000-0x00000000040F1000-memory.dmp (Filesize: 4KB)
  • memory/2904-50-0x0000000000400000-0x0000000000592000-memory.dmp (Filesize: 1.6MB)
  • memory/2904-49-0x00000000040B0000-0x00000000040B1000-memory.dmp (Filesize: 4KB)
  • memory/2904-3-0x0000000004120000-0x0000000004121000-memory.dmp (Filesize: 4KB)
  • memory/2904-6-0x00000000040E0000-0x00000000040E2000-memory.dmp (Filesize: 8KB)
  • memory/2904-38-0x0000000004130000-0x0000000004131000-memory.dmp (Filesize: 4KB)
  • memory/2904-34-0x0000000004100000-0x0000000004101000-memory.dmp (Filesize: 4KB)
  • memory/2904-2-0x0000000000400000-0x0000000000592000-memory.dmp (Filesize: 1.6MB)