Analysis

  • max time kernel: 120s
  • max time network: 120s
  • platform: windows7_x64
  • resource: win7-20240220-en
  • resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
  • submitted: 04/05/2024, 10:16

General

  • Target: 1245085f62bf86866aabda07b1571e66_JaffaCakes118.exe
  • Size: 11.0MB
  • MD5: 1245085f62bf86866aabda07b1571e66
  • SHA1: fd38a9466f2bccfd4dd4f369f8193dad7e98600a
  • SHA256: d7520ea2598f8f4c8e00c07b649c195aa811d47a471c47a971c692988180e892
  • SHA512: 5a3aa6bbac27f596f58fee6f218f418bcb57f660721553199381d79b4fc863fab49a71a5ae3ec39264ed83f86bccda7bc1a41d7d61a52c547428ff2cb12d38d1
  • SSDEEP: 196608:f9Grhc9G2hohbUyJanVj9taZeUFtpW6u7HSbZqktxr0zQc2wxUiBebgOvjl:FGrhyG2hohQyJiXtattpW6ubSbYkt5OE

Score
7/10

Signatures

  • Loads dropped DLL (5 IoCs)
  • Enumerates connected drives (3 TTPs, 46 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • Modifies system certificate store (2 TTPs, 3 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  • Suspicious use of AdjustPrivilegeToken (64 IoCs)
  • Suspicious use of FindShellTrayWindow (1 IoCs)
  • Suspicious use of WriteProcessMemory (7 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\1245085f62bf86866aabda07b1571e66_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\1245085f62bf86866aabda07b1571e66_JaffaCakes118.exe"
    1⤵
    • Enumerates connected drives
    • Modifies system certificate store
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:3028
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2408
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 57D08CE98954DC5E8ADF7443DD99A7C0 C
      2⤵
      • Loads dropped DLL
      PID:3008

Downloads

  • C:\ProgramData\Atlassian\SourceTree 1.6.15\install\SourceTreeSetup_1.6.15.msi
    Filesize: 886KB
    MD5: 16833d30bb20361ee3a177e99ee63e88
    SHA1: 420142ca317d757f8eb2e5cf09e57544d31474f6
    SHA256: 18ec1de7a8191de24151d6517def4a45817e339b1cf485065abc0303073f00ba
    SHA512: 753f08053f3c379c656ef0019ca5943d376b38e54c1ec5c24373ae7af6d677dc9a405e3b54ed14f656b2afc4a1ed48dd9a6dadea6f321f5c092ae3326bb74579

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize: 68KB
    MD5: 29f65ba8e88c063813cc50a4ea544e93
    SHA1: 05a7040d5c127e68c25d81cc51271ffb8bef3568
    SHA256: 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
    SHA512: e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

  • C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_3028\STSetup_dialog.jpg
    Filesize: 14KB
    MD5: 3f4243fd51a3d9dbaf81f4fc712a67ea
    SHA1: f0e86f29b54379810b40b61829fc20e674913eee
    SHA256: c60da07a8edc7d37234b1a7e6af21d88ef5302bdf8c33bd45cff6b15b0599ff5
    SHA512: 2984e977fedaead6b164bfd77affa4607be22fa585dd1f8534d7f2548edc7efb0906cb40280b7f22f9a1688c2ed88c71c3a216b25c532589e330cb8cf5ee9222

  • C:\Users\Admin\AppData\Local\Temp\MSI27C2.tmp
    Filesize: 91KB
    MD5: e82cfcfc5b1e271bb0ea368ee0697cc7
    SHA1: d8904f05ae4447b6bbb23466d73186abc5ff4db0
    SHA256: adee901de613487edd9c80d199340875bd1faed7b999eee452e6b136865bca28
    SHA512: 964738a62a85ef52e8cd16c54bfe85a8e24f614c26d4809ddc153276b2012de475e3011c98f59f5dd37e60f0f9e9da4c8b1df5c2c34224a9dc1bf714febd040c

  • C:\Users\Admin\AppData\Local\Temp\MSI2850.tmp
    Filesize: 297KB
    MD5: 510f289eef8c9f856466e58796553029
    SHA1: a1a7a7b96fa2b087b2e2152bffd0a84557b807e1
    SHA256: cf8d8ad4abe18a60292083867749793ea40d274664abd49d3acf2ba9a305e7a0
    SHA512: e66292583d165e68bb02a6fca55041d1079a5b18805ac357d749f4cc6f9a9cd2456866366b3d2dd297695db858c572789e6a73654d73a73caae047efc4b4fcf6

  • memory/3028-0-0x00000000003E0000-0x00000000003E1000-memory.dmp
    Filesize: 4KB

  • memory/3028-97-0x00000000003E0000-0x00000000003E1000-memory.dmp
    Filesize: 4KB