Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    141s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    28/06/2024, 05:48

General

  • Target

    1902d2fb07fd303208824e070a491a14_JaffaCakes118.exe

  • Size

    1.0MB

  • MD5

    1902d2fb07fd303208824e070a491a14

  • SHA1

    c8d4f562bb1441188a33401c736e95c87d9fae8f

  • SHA256

    05d4d6d0f15dec78b1b4a418b8081b720245dd92f09fb32f4f69c6af9d39a8df

  • SHA512

    0a21e11de4c87b814f8817338c272ca33b51c7d9472d6bf849a9dec423eb4738eb2fd26c59f918e72f898d71c5c7383e8829391dcd2931f511e0cb16ed64200b

  • SSDEEP

    24576:w/Af7uuZB2MiMKLv7kLxOPdERHrqPiBfhcvLMc2h:w4CuZhiv6gP8H+4c2h

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1902d2fb07fd303208824e070a491a14_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\1902d2fb07fd303208824e070a491a14_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2436
    • C:\Users\Admin\AppData\Roaming\defender.exe
      "C:\Users\Admin\AppData\Roaming\defender.exe"
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Writes to the Master Boot Record (MBR)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2600

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Roaming\defender.exe

    Filesize

    928KB

    MD5

    aa22e20b540eb40879f1749c3c36ee0f

    SHA1

    20aecb3226fc7dc485e86364b79b6fd4fc32b6a8

    SHA256

    c50aad64113a8b46b780ed4c8b10ead9eee0fbf7bb76caa6f8de3ca9cda6f389

    SHA512

    a53c9864f096b742556cd54c5f8f4824054f8139ee9e63d0b7b0afce612e9548da742eed355adfc27a6419912fa0e3e34297a395810d899fd5a398a7348f965c

  • memory/2436-26-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/2600-19-0x0000000002E30000-0x0000000002F13000-memory.dmp

    Filesize

    908KB

  • memory/2600-20-0x0000000000400000-0x0000000000A6C000-memory.dmp

    Filesize

    6.4MB

  • memory/2600-22-0x0000000000400000-0x00000000011C1000-memory.dmp

    Filesize

    13.8MB

  • memory/2600-25-0x0000000000400000-0x0000000000A6C000-memory.dmp

    Filesize

    6.4MB

  • memory/2600-24-0x0000000000400000-0x00000000011C1000-memory.dmp

    Filesize

    13.8MB