Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    150s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    27/05/2024, 16:21

General

  • Target

    79b891f80896a36e29cb4ed8599cacf6_JaffaCakes118.exe

  • Size

    312KB

  • MD5

    79b891f80896a36e29cb4ed8599cacf6

  • SHA1

    2b238ea58a1c54ab4d8531a9b1e6c3c56e554f7b

  • SHA256

    1a2079f29f4de929d34127d64e682db7ea6bfdb7b55831dd4be511a024d6e237

  • SHA512

    baf68e46948abb51e59fc1867e20398b9617729a60b02883301898c5344130f107676471bf03d1e63cf0050e03d8401ae632f4500d87a15588501245692c0236

  • SSDEEP

    6144:Qdr14UChnrsy/Ay4aUi8YRBfkvtmFW/OZM9+1+gWQbHyuG9peWx5Xyy7XcW3bROJ:OyUChnrsy/Ay4aUi8YRVkvtmFW/OZM9m

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 3 IoCs
  • Disables RegEdit via registry modification 3 IoCs
  • Disables Task Manager via registry modification
  • Drops file in Drivers directory 2 IoCs
  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 5 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Drops file in Windows directory 12 IoCs
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Modifies registry class 40 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\79b891f80896a36e29cb4ed8599cacf6_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\79b891f80896a36e29cb4ed8599cacf6_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3000
    • C:\Windows\SysWOW64\cmd.exe
      cmd /k net share "phim_hai_hay=C:\Documents and Settings\Temp" & exit &
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2388
      • C:\Windows\SysWOW64\net.exe
        net share "phim_hai_hay=C:\Documents and Settings\Temp"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2652
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 share "phim_hai_hay=C:\Documents and Settings\Temp"
          4⤵
            PID:2704
      • C:\WINDOWS\h2s.exe
        C:\WINDOWS\h2s.exe
        2⤵
        • Modifies WinLogon for persistence
        • Disables RegEdit via registry modification
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:2988
        • C:\Windows\SysWOW64\cmd.exe
          cmd /k net share "phim_hai_hay=C:\Documents and Settings\Temp" & exit &
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2640
          • C:\Windows\SysWOW64\net.exe
            net share "phim_hai_hay=C:\Documents and Settings\Temp"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2836
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 share "phim_hai_hay=C:\Documents and Settings\Temp"
              5⤵
                PID:2312
          • C:\WINDOWS\nacl.exe
            C:\WINDOWS\nacl.exe
            3⤵
            • Modifies WinLogon for persistence
            • Disables RegEdit via registry modification
            • Drops file in Drivers directory
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of SetWindowsHookEx
            • System policy modification
            PID:1304
            • C:\Windows\SysWOW64\cmd.exe
              cmd /k net share "phim_hai_hay=C:\Documents and Settings\Temp" & exit &
              4⤵
                PID:2300
            • C:\WINDOWS\system\lsass.exe
              C:\WINDOWS\system\lsass.exe
              3⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of SetWindowsHookEx
              PID:2520
              • C:\Windows\SysWOW64\cmd.exe
                cmd /k net share "phim_hai_hay=C:\Documents and Settings\Temp" & exit &
                4⤵
                  PID:2112
            • C:\WINDOWS\system\lsass.exe
              C:\WINDOWS\system\lsass.exe
              2⤵
              • Modifies WinLogon for persistence
              • Disables RegEdit via registry modification
              • Drops file in Drivers directory
              • Executes dropped EXE
              • Adds Run key to start application
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:2576
              • C:\Windows\SysWOW64\cmd.exe
                cmd /k net share "phim_hai_hay=C:\Documents and Settings\Temp" & exit &
                3⤵
                • Suspicious use of WriteProcessMemory
                PID:2452
                • C:\Windows\SysWOW64\net.exe
                  net share "phim_hai_hay=C:\Documents and Settings\Temp"
                  4⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2588
                  • C:\Windows\SysWOW64\net1.exe
                    C:\Windows\system32\net1 share "phim_hai_hay=C:\Documents and Settings\Temp"
                    5⤵
                      PID:876
              • C:\Windows\SysWOW64\explorer.exe
                explorer 79b891f80896a36e29cb4ed8599cacf6_JaffaCakes118
                2⤵
                  PID:2624
                • C:\WINDOWS\h2s.exe
                  C:\WINDOWS\h2s.exe
                  2⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of SetWindowsHookEx
                  • Suspicious use of WriteProcessMemory
                  PID:1092
                  • C:\Windows\SysWOW64\cmd.exe
                    cmd /k net share "phim_hai_hay=C:\Documents and Settings\Temp" & exit &
                    3⤵
                    • Suspicious use of WriteProcessMemory
                    PID:2924
                    • C:\Windows\SysWOW64\net.exe
                      net share "phim_hai_hay=C:\Documents and Settings\Temp"
                      4⤵
                      • Suspicious use of WriteProcessMemory
                      PID:2920
                      • C:\Windows\SysWOW64\net1.exe
                        C:\Windows\system32\net1 share "phim_hai_hay=C:\Documents and Settings\Temp"
                        5⤵
                          PID:1376
                  • C:\WINDOWS\system\lsass.exe
                    C:\WINDOWS\system\lsass.exe
                    2⤵
                    • Executes dropped EXE
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of SetWindowsHookEx
                    PID:2412
                    • C:\Windows\SysWOW64\cmd.exe
                      cmd /k net share "phim_hai_hay=C:\Documents and Settings\Temp" & exit &
                      3⤵
                        PID:2232
                        • C:\Windows\SysWOW64\net.exe
                          net share "phim_hai_hay=C:\Documents and Settings\Temp"
                          4⤵
                            PID:2676
                            • C:\Windows\SysWOW64\net1.exe
                              C:\Windows\system32\net1 share "phim_hai_hay=C:\Documents and Settings\Temp"
                              5⤵
                                PID:288
                      • C:\Windows\explorer.exe
                        C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
                        1⤵
                        • Modifies Internet Explorer settings
                        • Modifies registry class
                        PID:1644

                      Network

                      MITRE ATT&CK Enterprise v15

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\WINDOWS\system32\drivers\etc\hosts

                        Filesize

                        578B

                        MD5

                        4cedd41692993cf5a0a40baeb724b871

                        SHA1

                        fc1eeb1d88966ea4a816bcbdab320830b6f70261

                        SHA256

                        fc50ea976a803f4b75f0754c470753049cb6ad93466ec9a55f0b922e112a7695

                        SHA512

                        e7124fdba0a6580da6c48cd77777c6aa1aa23f304db8383551931db1e5e814d2d03de92eeaeeb64f4a0654ee7de640956abeffdd94bcd23c08a875cdc6907862

                      • C:\Windows\system\lsass.exe

                        Filesize

                        312KB

                        MD5

                        79b891f80896a36e29cb4ed8599cacf6

                        SHA1

                        2b238ea58a1c54ab4d8531a9b1e6c3c56e554f7b

                        SHA256

                        1a2079f29f4de929d34127d64e682db7ea6bfdb7b55831dd4be511a024d6e237

                        SHA512

                        baf68e46948abb51e59fc1867e20398b9617729a60b02883301898c5344130f107676471bf03d1e63cf0050e03d8401ae632f4500d87a15588501245692c0236

                      • memory/1644-67-0x0000000003D10000-0x0000000003D20000-memory.dmp

                        Filesize

                        64KB

                      • memory/3000-0-0x0000000000400000-0x000000000044F000-memory.dmp

                        Filesize

                        316KB