Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    118s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
  • submitted
    27/06/2024, 18:16

General

  • Target

    17035a233b766a61a98609e7fa0afd20_JaffaCakes118.exe

  • Size

    284KB

  • MD5

    17035a233b766a61a98609e7fa0afd20

  • SHA1

    a31a56c55de22f5366fa93de41b2496b3a7605c9

  • SHA256

    6e28a1eb98aef66d7c0103e3a88dcf0052fbb4b0262dd7f70e110452737ae5cf

  • SHA512

    8a396e85cafd833f6030ae307ebb1eff2fae969dee03d07141ecf7eff7a23535ebacfe98e7a5b0a6430d061883cda6e103a4a8bbb246728367dee931b180e875

  • SSDEEP

    6144:465/fUNTJx+nDGZ7j6JkJS7LVt0H9wEijOxAQy4q2ftluSxpsjiyKSeF:NhUNzODGZsXg9Xij3bz2HJEjiyKVF

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Modifies data under HKEY_USERS 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\17035a233b766a61a98609e7fa0afd20_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\17035a233b766a61a98609e7fa0afd20_JaffaCakes118.exe"
    1⤵
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2484
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Windows\uninstal.bat
      2⤵
      • Deletes itself
      PID:2128
  • C:\Program Files (x86)\Microsoft Office\mcse.dll
    "C:\Program Files (x86)\Microsoft Office\mcse.dll"
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:2116
    • C:\Program Files\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
      2⤵
        PID:2660

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Microsoft Office\mcse.dll

      Filesize

      284KB

      MD5

      17035a233b766a61a98609e7fa0afd20

      SHA1

      a31a56c55de22f5366fa93de41b2496b3a7605c9

      SHA256

      6e28a1eb98aef66d7c0103e3a88dcf0052fbb4b0262dd7f70e110452737ae5cf

      SHA512

      8a396e85cafd833f6030ae307ebb1eff2fae969dee03d07141ecf7eff7a23535ebacfe98e7a5b0a6430d061883cda6e103a4a8bbb246728367dee931b180e875

    • C:\Windows\uninstal.bat

      Filesize

      218B

      MD5

      532af83e9ade2d6d863e3a02da6aaa60

      SHA1

      aeb9f35ee6042dfd58a36877784636b21804a4c1

      SHA256

      1ffb56a4b8de3386cc4221c76e37361ab017a22310f581a18d86d9296e1d14dd

      SHA512

      0519d294ac1c04328ad5f34c76eb842d33daf8c33e11e39b6d574ca37d0fa4e488860dfe475e0d7be230c4870986f7bba3d85db976b264d3defc7295de198bc2

    • memory/2116-6-0x0000000000400000-0x000000000051101C-memory.dmp

      Filesize

      1.1MB

    • memory/2116-7-0x0000000000360000-0x0000000000361000-memory.dmp

      Filesize

      4KB

    • memory/2116-17-0x0000000000260000-0x0000000000261000-memory.dmp

      Filesize

      4KB

    • memory/2116-18-0x0000000000360000-0x0000000000361000-memory.dmp

      Filesize

      4KB

    • memory/2484-0-0x0000000000280000-0x0000000000281000-memory.dmp

      Filesize

      4KB

    • memory/2484-1-0x0000000000400000-0x000000000051101C-memory.dmp

      Filesize

      1.1MB

    • memory/2484-2-0x0000000000280000-0x0000000000281000-memory.dmp

      Filesize

      4KB