Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    122s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    11/05/2024, 11:26

General

  • Target

    345afdeff01a318bae48ef80ec680227_JaffaCakes118.exe

  • Size

    967KB

  • MD5

    345afdeff01a318bae48ef80ec680227

  • SHA1

    1388f456fabffe068de6e39429afee0a0b4c9c72

  • SHA256

    58cb93ebbf4fb0ccfa194ba814b45eb4413d9122a911806ca799494a7746b971

  • SHA512

    2a7a4fe80de99462dbad49a087536dd93fd1904fd1ea47f2da711c006ac39b37ca91014a9067e8bc5c63d8b89028ab3e640b0acbec24bdabde83b3d861e21758

  • SSDEEP

    24576:ztXCT35bEN60Yc/rMegvH6RK1aeGokgwHv:zKBtV6MjvH6RIrDCv

Score
4/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\345afdeff01a318bae48ef80ec680227_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\345afdeff01a318bae48ef80ec680227_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:3048
    • C:\Users\Admin\AppData\Local\Temp\nsd123B.tmp\internal345afdeff01a318bae48ef80ec680227_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\nsd123B.tmp\internal345afdeff01a318bae48ef80ec680227_JaffaCakes118.exe C:/Users/Admin/AppData/Local/Temp/nsd123B.tmp /baseInstaller='C:/Users/Admin/AppData/Local/Temp/345afdeff01a318bae48ef80ec680227_JaffaCakes118.exe' /fallbackfolder='C:/Users/Admin/AppData/Local/Temp/nsd123B.tmp/fallbackfiles/'
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2940
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\9105.bat" "C:\Users\Admin\AppData\Local\Temp\D76DACEAE6134388904C531847B4EA93\""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2448
        • C:\Windows\SysWOW64\PING.EXE
          ping 127.0.0.1 -n 1 -w 1000
          4⤵
          • Runs ping.exe
          PID:1652

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\9105.bat

    Filesize

    214B

    MD5

    739fcc7ba42b209fe44bea47e7a8c48f

    SHA1

    bc7a448a7c018133edcf012bc94301623eb42c5b

    SHA256

    69017cdbbe68396f45e41d211b22d800cc1afc0eadbd3440873038585020315c

    SHA512

    2b2b130798b0f4e534626b9fb5deaa10bb1930e6700ac0ba7cf151c1bf3239039a7032ea67ceed86a4a4dbe981064c42a8e0f88fe8361e27002dd8ceb0ea767a

  • C:\Users\Admin\AppData\Local\Temp\D76DACEAE6134388904C531847B4EA93\D76DACEAE6134388904C531847B4EA93_LogFile.txt

    Filesize

    9KB

    MD5

    a53d2bcd04a648af9e16c4ba860a32df

    SHA1

    5ae79c536c3e1e96eef960fa47d65092a6fa29f4

    SHA256

    7ec4c3368fb3c3921b42a3a0245f6612892702c0babcdd1ac3471d2985b82c97

    SHA512

    3ce1ded8435f66ab0e78d7dd89bb1532571fd18b7c5621f59ef7074ace98732d47ae5f535af2e48c3dbd8d1432b1c6ee7e460f1a18bafc3221fe8d0d513b7724

  • C:\Users\Admin\AppData\Local\Temp\D76DACEAE6134388904C531847B4EA93\D76DAC~1.TXT

    Filesize

    103KB

    MD5

    d739fe4a044870c8457cc7df27b8293a

    SHA1

    e90fd4c9f230100f40e59baf1762f2decefd2da5

    SHA256

    9348073b0bc758adfc383c29efbc46c112dbcba1d0a0525e6739ee6cec01f6d6

    SHA512

    e5d285ea312c623c32b993f8656e7e3732d5dea3e0dbcf65ce5040bd0edf8a949e63d13fe609953aa588591b05580758cfc872d16eb62029c2939886df2c739f

  • C:\Users\Admin\AppData\Local\Temp\nsd123B.tmp\internal345afdeff01a318bae48ef80ec680227_JaffaCakes118_icon.ico

    Filesize

    11KB

    MD5

    592abe695d3fb84c8a7589b0d2553a97

    SHA1

    d70d6de6fa25ca1924bd02b84075ee94f3870133

    SHA256

    ed59d25e5daf4e4c89c09a4c829ac4d12f1b0e258d167760a07bce6266cebda0

    SHA512

    a8c09f8f35790a0bcf4b69ffa7f26eb60b8e14394ecef6a63c1776e538eb749251545dda48f6a7243c91d9779d24b4d774b39dbd966d32e5fa39071fff9a0978

  • C:\Users\Admin\AppData\Local\Temp\nsd123B.tmp\internal345afdeff01a318bae48ef80ec680227_JaffaCakes118_splash.png

    Filesize

    136KB

    MD5

    0a8589de904eec91522c276d896216c4

    SHA1

    58ba5e9158c3afa3c3112fe1e24567996794c07e

    SHA256

    496d42e72d7c57969f584849a8f7366783afd39862f7f71b59d78b723225cd55

    SHA512

    bea912ebc889e6444532beacbe562038b78c918dff9bfa16d7d9a15e25f52ce90e93a6736636926ef7d45e65eb8f73da92149e3188cf5a4b78a8d248b3b0d9fd

  • \Users\Admin\AppData\Local\Temp\nsd123B.tmp\internal345afdeff01a318bae48ef80ec680227_JaffaCakes118.exe

    Filesize

    1.8MB

    MD5

    77bfacca17ee1d89833b57f3a746d9a0

    SHA1

    aa9490c913489c5eafd02f67f875efcb56d23036

    SHA256

    38571b0965110d07c6fbf4813ab628d4017cf52c681c457fb3f184b644fb0b52

    SHA512

    21ecc2fce94a58cd39127964730b01722b9dafa20d3af65b023fe83188c08211ba1324849513ffc10b6a359737f98c4d06770dc1954f8880daff938a06581e6f

  • memory/2940-72-0x00000000006A0000-0x00000000006A1000-memory.dmp

    Filesize

    4KB

  • memory/2940-180-0x00000000006A0000-0x00000000006A1000-memory.dmp

    Filesize

    4KB

  • memory/3048-116-0x0000000000400000-0x000000000043A000-memory.dmp

    Filesize

    232KB

  • memory/3048-257-0x0000000000400000-0x000000000043A000-memory.dmp

    Filesize

    232KB