Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    150s
  • max time network
    136s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    25/06/2024, 22:48

General

  • Target

    0fd05301d4b87cc8eae4cc8ffd8d15e3_JaffaCakes118.exe

  • Size

    373KB

  • MD5

    0fd05301d4b87cc8eae4cc8ffd8d15e3

  • SHA1

    0cbec9b4144130e9f465b7a07264d5c1f302d746

  • SHA256

    fbda5336296fffe1cf43187446f42172ab2b85b3902d114e85b3899a113b53c4

  • SHA512

    3e0713e3529ffb0db12c71d13c6edc0da7b2085ccfcda56bb1ad41410ea709d9339a867be13449519a2974290bbe0b713eca0c773119fb68977feb38a18b9749

  • SSDEEP

    6144:s7Rnj2nSMWVxhTFZOvTxMTD95co+l8R4Lp0c6PF9vNAX6hYXpWfuhs:WnaWH92vTWXo0c8ZGXwypWfue

Score
8/10

Malware Config

Signatures

  • Server Software Component: Terminal Services DLL 1 TTPs 6 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0fd05301d4b87cc8eae4cc8ffd8d15e3_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0fd05301d4b87cc8eae4cc8ffd8d15e3_JaffaCakes118.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2140
    • C:\Windows\aNwyrSsfMqehVVISiA1j.exe
      "C:\Windows\aNwyrSsfMqehVVISiA1j.exe"
      2⤵
      • Server Software Component: Terminal Services DLL
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      PID:1960
    • C:\Windows\Z4wy2ZyrMJfQflIPpSF8.exe
      "C:\Windows\Z4wy2ZyrMJfQflIPpSF8.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:2524
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k jokcpm
    1⤵
    • Server Software Component: Terminal Services DLL
    • Loads dropped DLL
    PID:2564
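Read together with the Downloads section below, the tree above tells a compact story: the sample (PID 2140) drops two randomly named executables directly into C:\Windows and runs both; PID 1960 drops jokcpm.dll into SysWOW64, and a 32-bit svchost.exe (PID 2564) is then running with the group name `-k jokcpm` and is marked as loading a dropped DLL, which is the svchost-hosted service pattern that the "Server Software Component: Terminal Services DLL" signature flags. The script below is an added example written for this page, not part of the tria.ge report, showing how to turn those observations into checks over process-creation events: an svchost group name outside a known baseline, a ServiceDll that is one of the sample's dropped files, an executable sitting directly in C:\Windows, and execution of a dropped file. The event lines are constructed from the PIDs and paths in the report (PID 804 is an invented benign svchost for contrast), the baseline group list and C:\Windows allowlist are illustrative assumptions, and the jokcpm-to-jokcpm.dll ServiceDll mapping is an inference the report does not show directly.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Illustrative baseline of svchost.exe "-k" group names on a clean Windows 7 x64
# image. ASSUMPTION: regenerate this set from your own gold image before use.
KNOWN_SVCHOST_GROUPS = {
    "dcomlaunch", "rpcss", "netsvcs", "localservice", "networkservice",
    "localsystemnetworkrestricted", "localservicenetworkrestricted",
    "localservicenonetwork", "localserviceandnoimpersonation",
    "networkservicenetworkrestricted", "secsvcs", "wersvcgroup", "termsvcs",
}

# Executables that legitimately sit directly in C:\Windows on Windows 7.
# ASSUMPTION: illustrative allowlist, not exhaustive.
WINDOWS_ROOT_ALLOWLIST = {
    "explorer.exe", "notepad.exe", "regedit.exe", "hh.exe", "write.exe",
    "winhlp32.exe", "helppane.exe", "splwow64.exe",
}


@dataclass
class ProcEvent:
    pid: int
    image: str
    cmdline: str


@dataclass
class Finding:
    pid: int
    rule: str
    detail: str


EVENT_RE = re.compile(r'^pid=(\d+)\s+image="([^"]*)"\s+cmdline="([^"]*)"$')


def parse_events(text: str) -> list:
    """Parse the constructed pid=/image=/cmdline= event lines used in this example."""
    events = []
    for line in text.strip().splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparseable event line: {line!r}")
        events.append(ProcEvent(int(m.group(1)), m.group(2), m.group(3)))
    return events


def norm_path(p: str) -> str:
    """Lowercase and drop the drive letter, so the report's drive-less
    '\\Windows\\SysWOW64\\jokcpm.dll' compares equal to 'C:\\Windows\\SysWOW64\\jokcpm.dll'."""
    return re.sub(r"^[a-z]:", "", p.lower())


def svchost_group(cmdline: str):
    """Return the '-k' group name from an svchost command line, or None."""
    m = re.search(r"(?i)\s-k\s+(\S+)", cmdline)
    return m.group(1).lower() if m else None


def audit(events, service_dlls, dropped_files) -> list:
    """Flag suspicious processes given the ServiceDll registered per svchost group
    and the set of files the sample dropped."""
    dropped = {norm_path(f) for f in dropped_files}
    findings = []
    for ev in events:
        p = PureWindowsPath(ev.image)
        name = p.name.lower()
        if norm_path(ev.image) in dropped:
            findings.append(Finding(ev.pid, "executes_dropped_exe", ev.image))
        if str(p.parent).lower() == r"c:\windows" and name not in WINDOWS_ROOT_ALLOWLIST:
            findings.append(Finding(ev.pid, "exe_in_windows_root", ev.image))
        if name == "svchost.exe":
            group = svchost_group(ev.cmdline)
            if group is None:
                findings.append(Finding(ev.pid, "svchost_without_group", ev.cmdline))
            elif group not in KNOWN_SVCHOST_GROUPS:
                findings.append(Finding(ev.pid, "svchost_unknown_group", group))
            dll = service_dlls.get(group)
            if dll is not None and norm_path(dll) in dropped:
                findings.append(Finding(ev.pid, "servicedll_is_dropped_file", dll))
    return findings


# Constructed events mirroring the PIDs in the report; PID 804 is an invented benign svchost.
SAMPLE_EVENTS = r'''
pid=2140 image="C:\Users\Admin\AppData\Local\Temp\0fd05301d4b87cc8eae4cc8ffd8d15e3_JaffaCakes118.exe" cmdline="C:\Users\Admin\AppData\Local\Temp\0fd05301d4b87cc8eae4cc8ffd8d15e3_JaffaCakes118.exe"
pid=1960 image="C:\Windows\aNwyrSsfMqehVVISiA1j.exe" cmdline="C:\Windows\aNwyrSsfMqehVVISiA1j.exe"
pid=2524 image="C:\Windows\Z4wy2ZyrMJfQflIPpSF8.exe" cmdline="C:\Windows\Z4wy2ZyrMJfQflIPpSF8.exe"
pid=2564 image="C:\Windows\SysWOW64\svchost.exe" cmdline="C:\Windows\SysWOW64\svchost.exe -k jokcpm"
pid=804 image="C:\Windows\System32\svchost.exe" cmdline="C:\Windows\System32\svchost.exe -k netsvcs"
'''

# Dropped files as listed in the report's Downloads section.
SAMPLE_DROPPED = [
    r"C:\Windows\Z4wy2ZyrMJfQflIPpSF8.exe",
    r"C:\Windows\aNwyrSsfMqehVVISiA1j.exe",
    r"\Windows\SysWOW64\jokcpm.dll",
]

# ASSUMPTION: the report does not show the ServiceDll registry value; mapping the
# jokcpm group to the dropped DLL of the same name is an inference.
SAMPLE_SERVICE_DLLS = {"jokcpm": r"C:\Windows\SysWOW64\jokcpm.dll"}


def run_sample() -> list:
    return audit(parse_events(SAMPLE_EVENTS), SAMPLE_SERVICE_DLLS, SAMPLE_DROPPED)


if __name__ == "__main__":
    for f in run_sample():
        print(f"PID {f.pid:>5}  {f.rule:<28} {f.detail}")
```

On a live Windows 7 host the same two inputs come from the registry: the group-to-service lists under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost, and each service's Parameters\ServiceDll value under HKLM\SYSTEM\CurrentControlSet\Services. A group name that is not in that Svchost key on a gold image, or a ServiceDll whose hash matches one of the dropped files above, is the host-side equivalent of the findings this script raises.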

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\Z4wy2ZyrMJfQflIPpSF8.exe

    Filesize

    213KB

    MD5

    3fc4d8faa7e83d5a1c70cfcd764c736c

    SHA1

    de4cef272a231271c088dd7faace32c0ad05d978

    SHA256

    e0c8388f1a2521389bd7db5a672f603eee7027ded0d576b10808b99bcb1112e9

    SHA512

    943adad8e4d7717455a73e420777760c7796fff3c9b65a81f17f5f9421dfbb95203d34fbf57a7ed3d01a1f1d3e3d48e3865702e98708975eb1f6124f70e3a7b0

  • C:\Windows\aNwyrSsfMqehVVISiA1j.exe

    Filesize

    51KB

    MD5

    17fa82152d9d45f7be6023fe443d82b3

    SHA1

    923894133badbba384014b7b4ef7c2481d4df6d5

    SHA256

    0fa0aa37e710fb9d106f34bcf07c0d636aea0c7dd59b81693e6aa185e0604700

    SHA512

    b8ca7a3aeb0ec2cfd421adf6e84c545e5db5c0df52436cb57e14851a4d033121197465ccaeff78d12540170407697695c9a6a470e99da088e7fa8375db9bb8c5

  • \Windows\SysWOW64\jokcpm.dll

    Filesize

    76KB

    MD5

    c5c4522abdc1cbba6ae6a81a1f7a6912

    SHA1

    22d0452fa0ac9cdb14e981d8c1425305237c7709

    SHA256

    264bdf205174754a78a7033fbfef8612366ba6fd995f980c926aeb83b4db97a8

    SHA512

    f29edffb897c53ec7b53a63f8eb32d2b1e2931a21cc254937ed775dfccf28522023d8acecc39fdf3b4c3c34f174131a2c3640c3dfc403d51540128fe71942eab

  • memory/2140-14-0x0000000002CF0000-0x0000000002D69000-memory.dmp

    Filesize

    484KB

  • memory/2140-24-0x0000000002CF0000-0x0000000002D69000-memory.dmp

    Filesize

    484KB

  • memory/2524-17-0x0000000000400000-0x0000000000479000-memory.dmp

    Filesize

    484KB

  • memory/2524-23-0x0000000000400000-0x0000000000479000-memory.dmp

    Filesize

    484KB