Analysis

  • max time kernel
    150s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
  • submitted
    03/07/2024, 04:00

General

  • Target

    21024467f4f723134072effd5e5d2eab_JaffaCakes118.exe

  • Size

    417KB

  • MD5

    21024467f4f723134072effd5e5d2eab

  • SHA1

    e19dd23ad7f1549869df1d93f22fd3b23b7a5c20

  • SHA256

    9b9f5691ab01b2a6dd5a006d26fb6b9c4cbc1157143cee897d5db0c1847483a4

  • SHA512

    d648797462aab169c09c1c16ee0f47268e6445b1b8e3a264514f0ece2d7c092bc659de6c76284bc82ba0ec96659093a51a8a7f23102ad06c5f30daf63b1f30a1

  • SSDEEP

    6144:Fk4YCqLZh14jvgvqh9Q0CUSGTEkARBNDgbq8M9Mxdb9feBc1e:FKh1vqhi0Cy4kARLBak

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 10 IoCs

    Detects executables packed with the open-source UPX packer or a modified UPX build.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\21024467f4f723134072effd5e5d2eab_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\21024467f4f723134072effd5e5d2eab_JaffaCakes118.exe"
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1312
    • C:\ProgramData\nNeMpEd01808\nNeMpEd01808.exe
      "C:\ProgramData\nNeMpEd01808\nNeMpEd01808.exe" "C:\Users\Admin\AppData\Local\Temp\21024467f4f723134072effd5e5d2eab_JaffaCakes118.exe"
      • Deletes itself
      • Executes dropped EXE
      • Adds Run key to start application
      • Modifies Internet Explorer settings
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:3096
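The process tree above is a drop-and-hand-off chain: the sample in the user's Temp directory launches a copy of itself from `C:\ProgramData\nNeMpEd01808\`, passes its own path as the copy's only argument, and the copy then deletes the original and adds a Run key. The following is an added example (not tria.ge's logic) of detection code for that chain run over Sysmon-style events. The events are constructed to mirror the tree shown here, including one benign ProgramData process as noise; they are not the sandbox's logs, and the fake SID in the Run key path is a placeholder. That the argument exists so the copy can delete the original is an assumption consistent with the child's "Deletes itself" tag.

```python
"""Detect the drop-and-hand-off chain from the report (added example, not
tria.ge's detection code):
  parent in %LOCALAPPDATA%\\Temp  ->  child under C:\\ProgramData\\<dir>\\<name>.exe
  child's command line carries the parent's image path as an argument
  (assumed to let the copy delete the original), and the same child sets a
  Run key whose value points at itself.
Field names follow Sysmon: Event 1 = ProcessCreate, Event 13 = RegistrySet.
"""
import re

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\21024467f4f723134072effd5e5d2eab_JaffaCakes118.exe"
DROPPED = r"C:\ProgramData\nNeMpEd01808\nNeMpEd01808.exe"

# Constructed events mirroring the report's tree (not real sandbox logs).
EVENTS = [
    {"EventID": 1, "ProcessId": 1312, "ParentProcessId": 700, "Image": SAMPLE,
     "CommandLine": f'"{SAMPLE}"', "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "ProcessId": 3096, "ParentProcessId": 1312, "Image": DROPPED,
     "CommandLine": f'"{DROPPED}" "{SAMPLE}"', "ParentImage": SAMPLE},
    {"EventID": 13, "ProcessId": 3096, "Image": DROPPED,   # placeholder SID below
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\nNeMpEd01808",
     "Details": DROPPED},
    # benign noise: a vendor updater in ProgramData, no Temp parent, no hand-off
    {"EventID": 1, "ProcessId": 4100, "ParentProcessId": 700,
     "Image": r"C:\ProgramData\Vendor\updater.exe",
     "CommandLine": r'"C:\ProgramData\Vendor\updater.exe" /silent',
     "ParentImage": r"C:\Windows\explorer.exe"},
]

TEMP_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
PROGRAMDATA_EXE_RE = re.compile(r"^[a-z]:\\programdata\\[^\\]+\\[^\\]+\.exe$", re.I)
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.I)


def detect_self_replacing_dropper(events):
    """One finding per child process that matches the chain; empty list if none."""
    findings = []
    for ev in events:
        if ev["EventID"] != 1:
            continue
        if not (TEMP_RE.match(ev["ParentImage"]) and PROGRAMDATA_EXE_RE.match(ev["Image"])):
            continue
        # hand-off: the parent's own image path appears in the child's arguments
        if ev["ParentImage"].lower() not in ev["CommandLine"].lower():
            continue
        # did the same child also register a Run key that points back at itself?
        persisted = any(
            e["EventID"] == 13 and e["ProcessId"] == ev["ProcessId"]
            and RUN_KEY_RE.search(e["TargetObject"])
            and ev["Image"].lower() in e["Details"].lower()
            for e in events)
        findings.append({
            "child_pid": ev["ProcessId"], "parent_pid": ev["ParentProcessId"],
            "dropped": ev["Image"], "original": ev["ParentImage"],
            "run_key_persistence": persisted,
        })
    return findings


if __name__ == "__main__":
    for f in detect_self_replacing_dropper(EVENTS):
        print(f)
```

The hand-off check is what separates this from ordinary "exe in ProgramData" noise; an installer that drops a helper does not normally pass its own path to it. The directory and file name (`nNeMpEd01808`) look generated, so the rule deliberately matches on the pattern rather than that string.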

Network

MITRE ATT&CK Enterprise v15

Downloads

  • \ProgramData\nNeMpEd01808\nNeMpEd01808.exe

    Filesize

    417KB

    MD5

    880da3d66e62cb60f177a7e06fa0ee4a

    SHA1

    871657113edb1a48d6b7428d7b3a3f599b8e85b1

    SHA256

    86db16f7d0bdf87314ae7b4fd1cbc02c033052db2c9d76464e026579500108d6

    SHA512

    10a49fda7049c75b42f1553bbda21c804c643a6d92ed89438d2c4801880c5cc4c9801cb3794b76848723b6dd00adf0a64cd8496b38dc2d5ed486ad0713d9dccc

  • memory/1312-4-0x0000000000468000-0x00000000004B0000-memory.dmp

    Filesize

    288KB

  • memory/1312-3-0x0000000000400000-0x00000000004B3000-memory.dmp

    Filesize

    716KB

  • memory/1312-0-0x0000000000240000-0x0000000000241000-memory.dmp

    Filesize

    4KB

  • memory/1312-5-0x0000000000400000-0x00000000004B3000-memory.dmp

    Filesize

    716KB

  • memory/1312-8-0x0000000000400000-0x00000000004B3000-memory.dmp

    Filesize

    716KB

  • memory/1312-1-0x0000000000400000-0x00000000004B3000-memory.dmp

    Filesize

    716KB

  • memory/1312-29-0x0000000000400000-0x00000000004B3000-memory.dmp

    Filesize

    716KB

  • memory/1312-31-0x0000000000400000-0x00000000004B3000-memory.dmp

    Filesize

    716KB

  • memory/3096-26-0x0000000000400000-0x00000000004B3000-memory.dmp

    Filesize

    716KB

  • memory/3096-25-0x0000000000400000-0x00000000004B3000-memory.dmp

    Filesize

    716KB

  • memory/3096-30-0x0000000000400000-0x00000000004B3000-memory.dmp

    Filesize

    716KB

  • memory/3096-38-0x0000000000400000-0x00000000004B3000-memory.dmp

    Filesize

    716KB