Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    119s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    28/04/2024, 08:52

General

  • Target

    04d1391971c911a6e9e33780fc6fea34_JaffaCakes118.exe

  • Size

    92KB

  • MD5

    04d1391971c911a6e9e33780fc6fea34

  • SHA1

    f43a1618ffbd8c5cbf550af0697785e2d09c4156

  • SHA256

    e4dfe909e51a9b9724dbe4c2ddb4c5b92fc59bcd83e8d8955c4a997227edf80c

  • SHA512

    65bd6324acdaad4d19e234afcde7049d0352493b06edd639848e800242ed466807bb24f505ff4f712cdb2b6ad37b21b0f699015a098584da3acce34b789ecfd9

  • SSDEEP

    1536:veIAxtMMjEJzW2r27usjy3RwrhUc+bEjyuPu6kLaL746F+ZZnvHumdHE:XAxtrYBW2wfjy3RwdZ+E

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\04d1391971c911a6e9e33780fc6fea34_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\04d1391971c911a6e9e33780fc6fea34_JaffaCakes118.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2808
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\7380.vbs"
      2⤵
      • Deletes itself
      PID:2896
  • C:\Program Files (x86)\Microsoft Tntmib\Wawuaug.exe
    "C:\Program Files (x86)\Microsoft Tntmib\Wawuaug.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2632
    • C:\Program Files (x86)\Microsoft Tntmib\Wawuaug.exe
      "C:\Program Files (x86)\Microsoft Tntmib\Wawuaug.exe" Win7
      2⤵
      • Executes dropped EXE
      PID:1324
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2632 -s 228
      2⤵
      • Loads dropped DLL
      • Program crash
      PID:2424

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\7380.vbs

    Filesize

    500B

    MD5

    782aabe9e7bf63a2be014e3d077420f6

    SHA1

    8f6119e94496de6ecc7c23649575e6e730f8bde3

    SHA256

    3ce58f41ca21d6c06a84546edd4e8e4ff57868b7df445569a81518648f3278c8

    SHA512

    cb8ae4caa417216156353dc375f8f217637277c4a1cc19f0f5d2de1bd1b91bc4433a35f16de2fef3a4fb3ca6928200b051ec5d42afe9a16e700d501ee42d82b6

  • C:\Program Files (x86)\Microsoft Tntmib\Wawuaug.exe

    Filesize

    92KB

    MD5

    04d1391971c911a6e9e33780fc6fea34

    SHA1

    f43a1618ffbd8c5cbf550af0697785e2d09c4156

    SHA256

    e4dfe909e51a9b9724dbe4c2ddb4c5b92fc59bcd83e8d8955c4a997227edf80c

    SHA512

    65bd6324acdaad4d19e234afcde7049d0352493b06edd639848e800242ed466807bb24f505ff4f712cdb2b6ad37b21b0f699015a098584da3acce34b789ecfd9