
Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
  • submitted
    26/06/2024, 23:12

General

  • Target

    13d63bb9e821f16c95202cd163df8765_JaffaCakes118.exe

  • Size

    24KB

  • MD5

    13d63bb9e821f16c95202cd163df8765

  • SHA1

    26138ce2c9b51abb55cd0065ae22a249efed2174

  • SHA256

    222f99403e5829527d4a8becbed06d7f746ecd0bf5f247132b4f9ffcdaecc98a

  • SHA512

    bc83daa54c10eff6b90723c744e7d42732d000128c17112d5262f6a1653f4ceb8f10acf883e2fc93b0c6d9f592d7d73874be0860037c54e6af263c0ec34db911

  • SSDEEP

    384:s/4e8zdTyBsyqAIZhgdwbkzZtEng/E5HdRtw7UionvbPrammRKapF+YXg1wmvvvJ:bWsyqAgge0ZKng/iR9d7raHUaxswoR

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 3 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Drops file in Drivers directory 1 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Impair Defenses: Safe Mode Boot 1 TTPs 3 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 10 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\13d63bb9e821f16c95202cd163df8765_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\13d63bb9e821f16c95202cd163df8765_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops desktop.ini file(s)
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:840
    • C:\Windows\ini\ini.exe
      C:\Windows\ini\ini.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Drops file in Drivers directory
      • Executes dropped EXE
      • Impair Defenses: Safe Mode Boot
      • Adds Run key to start application
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      PID:1888
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\13D63B~1.EXE > nul
      2⤵
      • Deletes itself
      PID:2520

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\System32\drivers\etc\hosts

    Filesize

    904B

    MD5

    fddf3a7b7372d7b7c0aa2eae2cb582a6

    SHA1

    492f336df8c1a3467b38978955f1ad5ae03a65fd

    SHA256

    5de04384652accddd8e528fbf05453443031b47e23e12a5e219893497cb7a61a

    SHA512

    20ec9393053a3ab47a11ee0c3dcea771fdf7544525f6e89c08bc7b2ac744d8a10265512001377e6520e656f5afa4582fbb9f6616d2e32efdb7173fc255e02c0f

  • C:\Windows\ini\shit.vbs

    Filesize

    93B

    MD5

    029cb6e8dd46b0bac89f075426176148

    SHA1

    ac38c1a3e3db05376f191d161500d74251c9e493

    SHA256

    638734859db449bb4597a1f3fff81fbf9c9ba9158fc232bfd0ba5f69eab67ef0

    SHA512

    f74516b98862b508d1714f9757ed22bd76248626ea1eb665f8a3141438c156bb218598adbd089f63c3cf80336e986a5afc2234f18839a8e807ca5c616af29d2b

  • C:\Windows\ini\wsock32.dll

    Filesize

    17KB

    MD5

    62d674465aeb6cb32700fba27c5745d5

    SHA1

    ccecf6d66b50643ef70d5c25e0c6814fc55df425

    SHA256

    eea1e1b309f1f7beaf829fa636e2ca15bb9b02c3764c3432721cefbdde3741e5

    SHA512

    5e4e14c85f5f5933e924b0f8186af09356b387d835a04c31cabed881ddaa28d4607937f7474956bd16d5659565f2b00caa1e2d23524e771a48360046e2517a40

  • \Windows\ini\ini.exe

    Filesize

    24KB

    MD5

    0207a4d69009e38edc0cbeb1e794034d

    SHA1

    c233336c76ff7a561534dd2f593fb360e860c554

    SHA256

    ad33c9ead99c1ac700060d403f2a9a2435837ec54d087d8b9a837144759e842c

    SHA512

    5228b7d501e21cf301922fc4aa579b259d29945db1e1a52b632ed1a10288da39e582cb256d6df287573b1cc70f3d6b9b02bef41dce09c52cdc06594b4458e17e

  • memory/840-0-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

  • memory/840-4-0x00000000003A0000-0x00000000003B0000-memory.dmp

    Filesize

    64KB

  • memory/840-10-0x00000000003A0000-0x00000000003B0000-memory.dmp

    Filesize

    64KB

  • memory/840-19-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

  • memory/1888-11-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

  • memory/1888-97-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB
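The first entry in the Downloads list is a rewritten C:\Windows\System32\drivers\etc\hosts. The report records only the new file's size and hashes, not what it maps, so the practical follow-up after pulling the file from the sandbox is to list every active mapping and separate the ones that block a name (loopback or 0.0.0.0 targets, the usual way malware stops security products updating) from the ones that redirect it elsewhere. The parser below is an added example, not code from tria.ge; it runs over constructed hosts-file contents that reuse the stock Windows comment header and reserved .test/.example names as stand-ins, not the bytes the sample wrote.

```python
import ipaddress

# Constructed hosts file contents, labelled as such: the report gives only the
# dropped file's size and hashes. The comment header mirrors the stock Windows
# file; the active lines use reserved .test/.example names as stand-ins for
# whatever the sample actually wrote.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
# localhost name resolution is handled within DNS itself.
#\t127.0.0.1       localhost
#\t::1             localhost
127.0.0.1   localhost
127.0.0.1   update.example-av.test  downloads.example-av.test   # sinkholes an updater
::1         localhost
198.51.100.7   www.bank.example   # sends a real-looking name to a TEST-NET-2 address
0.0.0.0     telemetry.example
not-an-ip   ignored.example
"""

# Names whose loopback mapping is part of a stock hosts file.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Return (line_no, ip, hostname) for every active mapping.

    Comments, blank lines and lines whose first token is not an address are
    skipped, matching how the Windows resolver treats them."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        entries.extend((n, ip, name.lower()) for name in fields[1:])
    return entries


def suspicious_entries(text):
    """Classify every non-stock mapping as (line_no, name, ip, verdict).

    A loopback or unspecified target for anything other than localhost blocks
    the name; any other target redirects it. Private LAN addresses are reported
    as redirects too, so review the list rather than treating every hit as malicious."""
    findings = []
    for n, ip, name in parse_hosts(text):
        if name in LOCAL_NAMES and ip.is_loopback:
            continue
        verdict = "blocked" if ip.is_loopback or ip.is_unspecified else "redirected"
        findings.append((n, name, str(ip), verdict))
    return findings


if __name__ == "__main__":
    for n, name, ip, verdict in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {n}: {name} -> {ip} ({verdict})")
```

Comparing the recovered file's size against a clean Windows 7 hosts file is a quick first filter, but it is not a substitute for the listing: a file that only appends a handful of short entries stays close to the stock size, and one that replaces the header entirely can come out smaller while still redirecting names.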