Analysis

  • max time kernel
    120s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    22/05/2024, 04:16

General

  • Target

    65f873803715af67ab51efb7075e74d5_JaffaCakes118.exe

  • Size

    845KB

  • MD5

    65f873803715af67ab51efb7075e74d5

  • SHA1

    790ea6a1aee8298e22269289fb79d14ed02eb70a

  • SHA256

    aad27f03a8b72e681b40032af20599750a885271e488d6ac2e9d6397a1866e76

  • SHA512

    15bba408b24721ae8ce25236579949b9ad4408f9bc7372a0316ae326980fb9e65cc991723ad2089a39ca04021defe9e4e6531e3151a4ff19868c770d5d7971c0

  • SSDEEP

    12288:9tobaPum+c5G1QbnnoOouabkxacfurIL+7GuDiSHe8tHtxi79nIs6ZRI9ZO+7bX3:9tV/noOOkxansCaM+8jxitIHshb0e

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\65f873803715af67ab51efb7075e74d5_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\65f873803715af67ab51efb7075e74d5_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1440
    • C:\Users\Admin\AppData\Local\Temp\nst8FD3.tmp\internal65f873803715af67ab51efb7075e74d5_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\nst8FD3.tmp\internal65f873803715af67ab51efb7075e74d5_JaffaCakes118.exe C:/Users/Admin/AppData/Local/Temp/nst8FD3.tmp /baseInstaller='C:/Users/Admin/AppData/Local/Temp/65f873803715af67ab51efb7075e74d5_JaffaCakes118.exe' /fallbackfolder='C:/Users/Admin/AppData/Local/Temp/nst8FD3.tmp/fallbackfiles/'
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2116
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\25477.bat" "C:\Users\Admin\AppData\Local\Temp\01C85A62D7C440B2BF4A9352FE5E23DA\""
        3⤵
          PID:2868

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\01C85A62D7C440B2BF4A9352FE5E23DA\01C85A62D7C440B2BF4A9352FE5E23DA_LogFile.txt

      Filesize

      5KB

      MD5

      f9c8416868d9c7f37ba57c443bfcb68b

      SHA1

      e4f6cf47ad30575afb17c9dde2bc38a674bacbd9

      SHA256

      50ff2a233d9fe9e67f61b324766d750eef693e40c2cdc9102e65a9b991d19ec8

      SHA512

      b1694bbe7de50b4ebbfc6329fd4a19a6f63e9acc5af54b8f6ae4b187bce42c281274803c1cc6a7f38358b24fe2d163a5dc26c5c89fcf69d3c961c7f02aa183bf

    • C:\Users\Admin\AppData\Local\Temp\01C85A62D7C440B2BF4A9352FE5E23DA\01C85A~1.TXT

      Filesize

      123KB

      MD5

      bff1b44173ff39f81113bd5dd31034aa

      SHA1

      966a5c1287edefcc33af979cf1339678bb0ea8bf

      SHA256

      ae40d6bb69c9a791dec8dc5160de1523b78e3fe49a1d0fe7af042111cc5f4f58

      SHA512

      37983dee6290680bf7d83060079a655f85cefd2eda083f69e11a43f8e50c1954bb92e8e6fddf9e02048317bcc90ec6aea9b048741a168437f336065a5fb81fba

    • C:\Users\Admin\AppData\Local\Temp\25477.bat

      Filesize

      214B

      MD5

      739fcc7ba42b209fe44bea47e7a8c48f

      SHA1

      bc7a448a7c018133edcf012bc94301623eb42c5b

      SHA256

      69017cdbbe68396f45e41d211b22d800cc1afc0eadbd3440873038585020315c

      SHA512

      2b2b130798b0f4e534626b9fb5deaa10bb1930e6700ac0ba7cf151c1bf3239039a7032ea67ceed86a4a4dbe981064c42a8e0f88fe8361e27002dd8ceb0ea767a

    • C:\Users\Admin\AppData\Local\Temp\nst8FD3.tmp\internal65f873803715af67ab51efb7075e74d5_JaffaCakes118_icon.ico

      Filesize

      31KB

      MD5

      e8325fb708961346591707c20ac048e4

      SHA1

      7950b4974f4445c335171fc17519605aa7389e25

      SHA256

      21d70c2d38bf043c666500e82a04551a3c901be00574eb6b3a91dfd9f709fb0e

      SHA512

      d7ec307074989a98f9f2e6ef94e8a94270477c286d715671058c58ab7ebef438ac9aaac8b01fcf1aed0e34101ecf29370e4c54a9b7e5a91743cb60bcc2bc5c62

    • C:\Users\Admin\AppData\Local\Temp\nst8FD3.tmp\internal65f873803715af67ab51efb7075e74d5_JaffaCakes118_splash.png

      Filesize

      19KB

      MD5

      d2659ae09f928fad3e819ccb6c7befef

      SHA1

      68e4e1dbdc3b9c3fe186c4ce11ddbacbf73de3d4

      SHA256

      4612e26da813cdad1b284bc1d03a5dc06b7f76b0e42b6dcaa14e620d9f4d2c6c

      SHA512

      40eba3ea02f7837041048a7d5f104799f037ae0371f36ec914f27a572fdce32826bde02ced60d7190e3bd8a9a29126121740b38350fc884567f3fc1e43be1ad5

    • \Users\Admin\AppData\Local\Temp\nst8FD3.tmp\internal65f873803715af67ab51efb7075e74d5_JaffaCakes118.exe

      Filesize

      1.8MB

      MD5

      799caa8125d22c36004c2a67fcacffa4

      SHA1

      eadd26fa7f4b437d3e9fdd24f937ca2e8a212654

      SHA256

      29745a486c04a8a2766814c5e0fb752a8dbc7b384a63e398d7262b315a8d49b5

      SHA512

      7c5d7dc18bf735bd4bf4452c850cc6fb4d3c98d9aa32a9873a4ca43349b6622b599452ee3b71ca07298e2d5aba58ece92815e74574ca1b56abaf7e99ebb4f8c2

    • memory/1440-116-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

    • memory/1440-292-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

    • memory/2116-70-0x00000000009C0000-0x00000000009C1000-memory.dmp

      Filesize

      4KB

    • memory/2116-193-0x00000000009C0000-0x00000000009C1000-memory.dmp

      Filesize

      4KB