Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    150s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags

    arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
  • submitted
    01/07/2024, 18:43

General

  • Target

    1c186f01de5b2c94942e630f4f777d18_JaffaCakes118.exe

  • Size

    697KB

  • MD5

    1c186f01de5b2c94942e630f4f777d18

  • SHA1

    2ed4384640595888c23d90859180d95a64b1f504

  • SHA256

    d3d07d5f9818f7531fa667fefeae8627bb5141c538973624d6c4e403387191b1

  • SHA512

    bc41502b306a20eb99a14a4511a71b37dd25a0e7f43588a80979cc85e2702f558da28213a77585dac3e8005ca215ddc6625b4f2148f6998dcbc57766d5ffc616

  • SSDEEP

    12288:iPPMnQwGCh8TBgsy3h8VJO5hWzRzONjx5dFacPes8FFi3PpXG1/licdVhANT7yk6:EtwNaBg3IOxNjLdF+UG1/lDdVhkCkMPD

Malware Config

Signatures

  • Event Triggered Execution: AppInit DLLs 1 TTPs

    Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 5 IoCs
  • Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Drops file in System32 directory 10 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Modifies data under HKEY_USERS 47 IoCs
  • Modifies registry class 16 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1c186f01de5b2c94942e630f4f777d18_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\1c186f01de5b2c94942e630f4f777d18_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Installs/modifies Browser Helper Object
    • Drops file in System32 directory
    • Modifies Internet Explorer settings
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    PID:2200
  • C:\Windows\SysWOW64\wlanmsm32.exe
    C:\Windows\SysWOW64\wlanmsm32.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    • Suspicious use of WriteProcessMemory
    PID:2620
    • C:\ProgramData\EhStorShell32.exe
      schutz
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      PID:2768

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\560036071

    Filesize

    31B

    MD5

    f1de3eab3cbd2a578f8825f7a4c7b1b6

    SHA1

    d8b5bf882e8afdec0dcee008478f91e0bafed717

    SHA256

    2bdea09240a74b197ae6257ddb8215247519b0b7b85d95227034fc93086bacc3

    SHA512

    12148dd0bf1be49fb91dcb4998e4b9f7eb91d0a7c25693856db741d7ae8561a1652e697af5394b8dceedc78e326ccebabe758b7adf9d618b84c18f14dc509866

  • C:\Windows\SysWOW64\560036071

    Filesize

    119B

    MD5

    daca5f70020bf70c7828d6504840fdc2

    SHA1

    f3887e67952f804c5d65fb3cc2ee53c320d72f8f

    SHA256

    07fc0ee6cf5782435ca42faafe37acd44d4a02d89f3bda290f7c6f9d4cd7ae44

    SHA512

    5d323569ede1b260a51577fcda27bfb5b542d9213d3eaf5459dfc5036eadd61d0aef770b003ec3a6e49b9ae26ab1c4b70f503341927af19a910f89ec476aa4cb

  • C:\Windows\SysWOW64\wlanmsm32.exe

    Filesize

    697KB

    MD5

    1c186f01de5b2c94942e630f4f777d18

    SHA1

    2ed4384640595888c23d90859180d95a64b1f504

    SHA256

    d3d07d5f9818f7531fa667fefeae8627bb5141c538973624d6c4e403387191b1

    SHA512

    bc41502b306a20eb99a14a4511a71b37dd25a0e7f43588a80979cc85e2702f558da28213a77585dac3e8005ca215ddc6625b4f2148f6998dcbc57766d5ffc616

  • \ProgramData\api-ms-win-core-localization-l1-2-032.dll

    Filesize

    153KB

    MD5

    3494d0beafff6f1672b16a01a0873826

    SHA1

    5077257165269518bc76e614f0e9e7d7588036b8

    SHA256

    107830b02b99f72f28abef77d7217204814af8899e41c083b342d04fdf71b8f2

    SHA512

    fb29634f8133714359c4d90069d3fc309dcecd96fd0641955a443c1a723470ff5277f069cf380dff79d6ddd1357525bed6593ce7d9f78a011624eb59decfb5ef

  • \Windows\SysWOW64\api-ms-win-core-localization-l1-2-032.dll

    Filesize

    324KB

    MD5

    7c3222a9593ca198d3ac9e2f36c6928d

    SHA1

    2ce6d6b839f9d24ea564aa1cfdb74f9ba9ce13a6

    SHA256

    93c35bb94e3c87c54d04089fb4f392234bf12ad249a9ca4eb20743b8e47b2ab3

    SHA512

    2edd96c261179ba971f3a395d969cc11dc3ea92803c8443f936fc6ec08e338a39134808f1133fa4f59b45120c1cf6a4ebd839715f41159225a6d5be823805e64

  • memory/2200-29-0x0000000000400000-0x00000000004B6000-memory.dmp

    Filesize

    728KB

  • memory/2200-1-0x0000000000400000-0x00000000004B6000-memory.dmp

    Filesize

    728KB

  • memory/2200-6-0x0000000010000000-0x000000001008C000-memory.dmp

    Filesize

    560KB

  • memory/2200-0-0x00000000004B0000-0x00000000004B4000-memory.dmp

    Filesize

    16KB

  • memory/2200-28-0x00000000004B0000-0x00000000004B4000-memory.dmp

    Filesize

    16KB

  • memory/2200-5-0x0000000000400000-0x00000000004B6000-memory.dmp

    Filesize

    728KB

  • memory/2620-36-0x0000000000400000-0x00000000004B6000-memory.dmp

    Filesize

    728KB

  • memory/2620-24-0x0000000000400000-0x00000000004B6000-memory.dmp

    Filesize

    728KB

  • memory/2620-34-0x0000000010000000-0x0000000010030000-memory.dmp

    Filesize

    192KB

  • memory/2620-66-0x0000000000400000-0x00000000004B6000-memory.dmp

    Filesize

    728KB

  • memory/2620-67-0x0000000010000000-0x0000000010030000-memory.dmp

    Filesize

    192KB

  • memory/2620-79-0x0000000010000000-0x0000000010030000-memory.dmp

    Filesize

    192KB

  • memory/2768-63-0x0000000000400000-0x00000000004B6000-memory.dmp

    Filesize

    728KB

  • memory/2768-68-0x0000000000400000-0x00000000004B6000-memory.dmp

    Filesize

    728KB