Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    150s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags

    arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
  • submitted
    27/06/2024, 08:56

General

  • Target

    15664ff00b7a6496d48d633b7812ab94_JaffaCakes118.exe

  • Size

    85KB

  • MD5

    15664ff00b7a6496d48d633b7812ab94

  • SHA1

    cb3ebedbe023ca5884d552f67d9a3f409b0fdc50

  • SHA256

    4f7bab60cdd8b4623e470eaa8bfebfd840e069c834a953025b49289d7277a071

  • SHA512

    680771d2017e8f7118c46d679bf8ea65241855d2e8c7e40dce3c2740d90d03704b0e937ee05e51819788d5662eb26c7830fc490f65bac6c51fc7a8a1afa3e7a3

  • SSDEEP

    1536:CAi7V6+EZFCttj4E56r+Ov4DVwMXZ7sRIMrHWTaWr7UlTn5YjYpeeO6T:CAi7U1kuE5yXEDPa27UnYspFv

Score
8/10

Malware Config

Signatures

  • Server Software Component: Terminal Services DLL 1 TTPs 2 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in Program Files directory 7 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\15664ff00b7a6496d48d633b7812ab94_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\15664ff00b7a6496d48d633b7812ab94_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2164
    • C:\Program Files\%Program Files%\laass.exe
      "C:\Program Files\%Program Files%\laass.exe" uninstall.lnk main
      2⤵
      • Server Software Component: Terminal Services DLL
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      PID:2700
    • C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" uninstall.lnk main
      2⤵
      • Server Software Component: Terminal Services DLL
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      PID:2720
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\15664F~1.EXE > nul & rd c:\%Progr~1 > nul
      2⤵
      • Deletes itself
      PID:2832

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\%Program Files%\laass.exe

    Filesize

    9KB

    MD5

    359c541c07a39ab11bb45aad29b2d2ce

    SHA1

    3c4f277f184ae306a4d0efe1bcb9e03ecabbb9b7

    SHA256

    6e2378348ebebf5b301744fedb0be396ef4e7e92ad94877da79eed9eb46850d5

    SHA512

    768050272dd4875a4c2a6a96f6337334c05d1512dfc0cc9ceee883a7c701de5e2e90872a6f9029de5b528b74c07cb8aa61c10f9f9e834f8021e9759136fcfbff

  • \??\c:\ntldr.sys

    Filesize

    88B

    MD5

    a78667573d9a9ceb25a0d4e1a7a2db8b

    SHA1

    9a4a9cf44d39df2a24f86fc332cb3782eef8876d

    SHA256

    49a93525279882890cb85cb794dfebd8fdc1f10fe0127d016ff1fc864a65167a

    SHA512

    67276d58e5e98e5cfc1853a4b405390f8d9cad8171dc75b99878a8d5e7ddfbef7694fa5be5e50b733b0986301fef6a73171fef2c7b63d2473ba4a2dc105a5d18

  • memory/2164-8-0x0000000000401000-0x00000000012E5000-memory.dmp

    Filesize

    14.9MB

  • memory/2164-0-0x0000000000400000-0x00000000012FA123-memory.dmp

    Filesize

    15.0MB

  • memory/2164-21-0x0000000000400000-0x00000000012FA123-memory.dmp

    Filesize

    15.0MB

  • memory/2164-26-0x0000000000401000-0x00000000012E5000-memory.dmp

    Filesize

    14.9MB

  • memory/2720-24-0x0000000010000000-0x0000000010027000-memory.dmp

    Filesize

    156KB