Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    25/06/2024, 14:24

General

  • Target

    0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe

  • Size

    407KB

  • MD5

    0e678cc7200d5237b10aed249321fde1

  • SHA1

    3652ab54bd034fdc49bcfd5f5ecdc65ec0c4c127

  • SHA256

    c4ddc309d779a97ee858a7a2d51b00d1b4e6520936ba286ce5d9df95568788ea

  • SHA512

    fa448066c5cf2f153c23b2ac955d69d673b64a94c90cbc2f4433b0b47cacbde70d3d8ba9d9214f016cb13e5ebd0b91ef6c7faa49b2ba30b4f5aad7c7c446a78b

  • SSDEEP

    12288:ug0Cq6x4aIhpJIew5rzWZfb6YkOVYGXKmRjVNW:uyfsJezoxkOVim

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:616
    • C:\ProgramData\bG20302KnHeE20302\bG20302KnHeE20302.exe
      "C:\ProgramData\bG20302KnHeE20302\bG20302KnHeE20302.exe" "C:\Users\Admin\AppData\Local\Temp\0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      PID:1532

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\bG20302KnHeE20302\bG20302KnHeE20302

    Filesize

    208B

    MD5

    2bbc0afc468ef985ee861b9af300f4d5

    SHA1

    f08fc4d7e6daf7b2c51b7fee199e3582a19dbffc

    SHA256

    18cd868dee81ff4b25014c2902cb871abcf2c8d57f7192ed0eec831f497034be

    SHA512

    c19662cc9d7cf5a124ab8df3c9900ae59c621e533b1b56a75060acf64b229326787a883a12a67f52a9f2498c224af51e37d17113d8c79a30030d75b1a3860888

  • \ProgramData\bG20302KnHeE20302\bG20302KnHeE20302.exe

    Filesize

    407KB

    MD5

    d50d8cad282b9ee92221b52ade6f802d

    SHA1

    e2725d8a983999328f78e3fa4c870bb1a8503cc8

    SHA256

    286163a2c99144bcb32789ae40bfd54e05fe74f1faa4e8b2e7d595710b707e22

    SHA512

    32352f94f03127457803f7d2961fa535e0d5500300dc5f06950e18db60ea7d71113434a3c8724cfd2e00508653808717b8ca33bb44fddc2ecd07d46d65ea2deb

  • memory/616-0-0x0000000000250000-0x0000000000253000-memory.dmp

    Filesize

    12KB

  • memory/616-1-0x0000000000400000-0x00000000004CC000-memory.dmp

    Filesize

    816KB

  • memory/616-7-0x00000000003E0000-0x00000000003E1000-memory.dmp

    Filesize

    4KB

  • memory/616-80-0x0000000000400000-0x00000000004CC000-memory.dmp

    Filesize

    816KB

  • memory/616-101-0x0000000000400000-0x00000000004CC000-memory.dmp

    Filesize

    816KB

  • memory/1532-103-0x0000000000400000-0x00000000004CC000-memory.dmp

    Filesize

    816KB

  • memory/1532-104-0x0000000000400000-0x00000000004CC000-memory.dmp

    Filesize

    816KB