Analysis

  • max time kernel
    122s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240220-en locale:en-us os:windows7-x64 system
  • submitted
    04/07/2024, 00:11

General

  • Target

    23f62fe026e1632b60e9bb0dc7857537_JaffaCakes118.exe

  • Size

    354KB

  • MD5

    23f62fe026e1632b60e9bb0dc7857537

  • SHA1

    b790dbc0dd1bf407df7e92a65cc20ae1e76d487d

  • SHA256

    b7c18eb1f6597734af890ebb5fa3345bc3c90ba6f60cb934025c3d56343a63da

  • SHA512

    78e6cc5891d0f2f4e7b0b01a1837f8651157962c6535d6ed68a9d5f96fb4da879fb5058ea4990a021922e02ef1f59bab14c78959dfe89aa0a9634e5d593ba34b

  • SSDEEP

    6144:gDCwfG1bnxLERR9saMDCwfG1bnxLERR9saah:g72bntEL9/M72bntEL9/ah

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 3 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 3 IoCs
  • Adds policy Run key to start application 2 TTPs 6 IoCs
  • Executes dropped EXE 6 IoCs
  • Impair Defenses: Safe Mode Boot 1 TTPs 3 IoCs
  • Loads dropped DLL 5 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry key 1 TTPs 9 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\23f62fe026e1632b60e9bb0dc7857537_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\23f62fe026e1632b60e9bb0dc7857537_JaffaCakes118.exe"
    1⤵
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1992
    • C:\Windows\SysWOW64\REG.exe
      REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      2⤵
      • Impair Defenses: Safe Mode Boot
      • Modifies registry key
      PID:2032
    • C:\Users\Admin\AppData\Local\Temp\avscan.exe
      C:\Users\Admin\AppData\Local\Temp\avscan.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2580
      • C:\Users\Admin\AppData\Local\Temp\avscan.exe
        C:\Users\Admin\AppData\Local\Temp\avscan.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2508
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c c:\windows\W_X_C.bat
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1352
        • C:\windows\hosts.exe
          C:\windows\hosts.exe
          4⤵
          • Modifies visibility of file extensions in Explorer
          • Modifies visibility of hidden/system files in Explorer
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2520
          • C:\Users\Admin\AppData\Local\Temp\avscan.exe
            C:\Users\Admin\AppData\Local\Temp\avscan.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:2792
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c c:\windows\W_X_C.bat
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2140
            • C:\windows\hosts.exe
              C:\windows\hosts.exe
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetWindowsHookEx
              PID:764
            • C:\Windows\SysWOW64\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
              6⤵
              • Adds policy Run key to start application
              PID:768
          • C:\Windows\SysWOW64\REG.exe
            REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
            5⤵
            • Modifies registry key
            PID:3028
          • C:\Windows\SysWOW64\REG.exe
            REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
            5⤵
            • Modifies registry key
            PID:2452
          • C:\Windows\SysWOW64\REG.exe
            REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
            5⤵
            • Modifies registry key
            PID:1480
          • C:\Windows\SysWOW64\REG.exe
            REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
            5⤵
            • Modifies registry key
            PID:2948
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
          4⤵
          • Adds policy Run key to start application
          PID:1772
      • C:\Windows\SysWOW64\REG.exe
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        3⤵
        • Modifies registry key
        PID:1484
      • C:\Windows\SysWOW64\REG.exe
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        3⤵
        • Modifies registry key
        PID:2728
      • C:\Windows\SysWOW64\REG.exe
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        3⤵
        • Modifies registry key
        PID:2988
      • C:\Windows\SysWOW64\REG.exe
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        3⤵
        • Modifies registry key
        PID:2940
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c c:\windows\W_X_C.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2640
      • C:\windows\hosts.exe
        C:\windows\hosts.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2556
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
        3⤵
        • Adds policy Run key to start application
        PID:2568
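
The process tree above repeats the same four-step pattern at every depth: the dropped EXE spawns REG.exe to delete HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot, runs cmd /c on a .bat in C:\windows, launches a copy of itself named hosts.exe from C:\windows, and hands W_X_C.vbs to WScript.exe to write a policy Run key. The script below is an added example, not part of the tria.ge report, showing how a detection engineer would turn that tree into rules over process-creation events and recover the parent chain for each hit. The events are constructed to mirror the report's images and command lines plus two benign decoys; the field names (pid, ppid, image, cmdline), the ATT&CK sub-technique IDs in the rule table, and the allowlist of binaries that legitimately live directly under C:\Windows are assumptions of this example, not data from the report.

```python
"""Rule-based triage of a Sysmon-style process tree (added example, not the
report's own code). Sample events are constructed from the tria.ge process
tree above; field names and technique IDs are this example's assumptions."""
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # full path of the executed image
    cmdline: str   # command line as logged


# Constructed sample: the first six rows mirror the report's tree (pid 1000 is an
# assumed parent outside the capture); the last two are benign decoys.
EVENTS = [
    ProcEvent(1992, 1000,
              r"C:\Users\Admin\AppData\Local\Temp\23f62fe026e1632b60e9bb0dc7857537_JaffaCakes118.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\23f62fe026e1632b60e9bb0dc7857537_JaffaCakes118.exe"'),
    ProcEvent(2032, 1992, r"C:\Windows\SysWOW64\REG.exe",
              r"REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f"),
    ProcEvent(2580, 1992, r"C:\Users\Admin\AppData\Local\Temp\avscan.exe",
              r"C:\Users\Admin\AppData\Local\Temp\avscan.exe"),
    ProcEvent(2640, 1992, r"C:\Windows\SysWOW64\cmd.exe", r"cmd /c c:\windows\W_X_C.bat"),
    ProcEvent(2556, 2640, r"C:\windows\hosts.exe", r"C:\windows\hosts.exe"),
    ProcEvent(2568, 2640, r"C:\Windows\SysWOW64\WScript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"'),
    ProcEvent(3100, 1000, r"C:\Windows\System32\reg.exe",
              r"reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion /v ProgramFilesDir"),
    ProcEvent(3101, 1000, r"C:\Windows\System32\WScript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\login.vbs"'),
]

# Binaries that legitimately sit directly in C:\Windows. Partial list, an
# assumption of this example; build the real one from a clean reference image.
WINDOWS_ROOT_ALLOW = {"explorer.exe", "notepad.exe", "regedit.exe", "write.exe",
                      "hh.exe", "winhlp32.exe", "splwow64.exe", "bfsvc.exe", "helppane.exe"}

# Deleting the SafeBoot key removes the Safe Mode driver/service lists, so the
# machine can no longer boot into Safe Mode for cleanup (Impair Defenses).
SAFEBOOT_DELETE = re.compile(
    r'\breg(?:\.exe)?\s+delete\s+(?:hklm|hkey_local_machine)\\system\\'
    r'(?:currentcontrolset|controlset\d{3})\\control\\safeboot\b')
# Script host or cmd.exe pointed at a script sitting directly in C:\Windows,
# a location normal software never writes scripts to.
VBS_IN_WINDOWS = re.compile(r'\b(?:wscript|cscript)(?:\.exe)?"?\s+"?c:\\windows\\[^\\"]+\.vbs\b')
BAT_IN_WINDOWS = re.compile(r'\bcmd(?:\.exe)?"?\s+/c\s+"?c:\\windows\\[^\\"]+\.bat\b')


def classify(ev: ProcEvent) -> list[tuple[str, str]]:
    """Return (rule_name, attack_id) pairs that fire on one event.
    Matching is case-insensitive; registry paths in the report are mixed case."""
    cmd, img = ev.cmdline.lower(), ev.image.lower()
    hits = []
    if SAFEBOOT_DELETE.search(cmd):
        hits.append(("safeboot_key_deleted", "T1562.009"))
    if VBS_IN_WINDOWS.search(cmd):
        hits.append(("vbs_from_windows_dir", "T1059.005"))
    if BAT_IN_WINDOWS.search(cmd):
        hits.append(("bat_from_windows_dir", "T1059.003"))
    # An unknown EXE directly under C:\Windows (here hosts.exe, named after the
    # hosts file) is location masquerading.
    if ntpath.dirname(img) == r"c:\windows" and ntpath.basename(img) not in WINDOWS_ROOT_ALLOW:
        hits.append(("unknown_exe_in_windows_root", "T1036.005"))
    return hits


def ancestry(pid: int, by_pid: dict[int, ProcEvent]) -> list[int]:
    """Walk ppid links upward; stops at a parent missing from the capture or on a cycle."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(pid)
        pid = by_pid[pid].ppid
    return chain


def detect(events: list[ProcEvent]) -> list[dict]:
    """Run every rule over every event and attach the parent chain to each hit."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        for rule, technique in classify(ev):
            findings.append({"pid": ev.pid, "rule": rule, "technique": technique,
                             "chain": ancestry(ev.pid, by_pid)})
    return findings


def flagged_pids(findings: list[dict]) -> list[int]:
    return sorted({f["pid"] for f in findings})


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f"pid {f['pid']:>5}  {f['rule']:<28} {f['technique']}  "
              f"chain={' <- '.join(map(str, f['chain']))}")
```

Run on the constructed events, the four malicious children (2032, 2556, 2568, 2640) are flagged and both decoys pass; every hit chains back to pid 1992, which is what lets an analyst collapse the repeated sub-trees in the report into a single incident rooted at the dropped sample. The rules key on the command line rather than on file hashes because, as the Downloads section shows, each dropped copy (hosts.exe, avscan.exe) has the same 354KB size but a different hash.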

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Admin.bmp

    Filesize

    757KB

    MD5

    a27e5d8c92fa8c13c12020e03a4807d9

    SHA1

    b8050ea87899a8b955cad2df055d4db7de6e465c

    SHA256

    a407fa91daba18747be6f348e8d8f1b814551a58d5cc37cffcf6edc9f71647d3

    SHA512

    5601e4565409423f7ad50d16536533d9e3fd8534d9967219d9ee82a418edf3f8df4a8ba6c8981cbf3040fc6ab8d7642768205e60ee5e8d713065dff56d4a66f5

  • C:\Users\Admin\AppData\Local\Temp\Admin.bmp

    Filesize

    1.1MB

    MD5

    769789adde82e420491147c536bfcecd

    SHA1

    50c5a415d151260608d15642ea7623c9509710a4

    SHA256

    8084d0c034dd6105ea7cbdca6988a0c53160529af166e1bc142e1eefdfc380f8

    SHA512

    a8420a148177625254e2c4c9b402999d904f5637bc62c2efcc9b3a22e8dbba012051bf2eb8e6ecdc126975b1ba233a1cbe05d4a83c8e7978c221486a1e528a2f

  • C:\Users\Admin\AppData\Local\Temp\Admin.bmp

    Filesize

    1.4MB

    MD5

    7756c8ce2beee23c10e930f157f523e1

    SHA1

    9d5572499f6ff398ca12dfd87306e1f7fff7aeff

    SHA256

    3be6a514a99514d6d86a2a2bd3de2534fef4ba1e92b771fb98e7d193a8f5d291

    SHA512

    cbc55d468845bdcafb47d78789427173651fac96fbc932194be2ab3ca3b0907b0e80cfb100fbde09fff575c038a5c03fc3741cc809ea665957cae0a67cf941d3

  • C:\Users\Admin\AppData\Local\Temp\Admin.bmp

    Filesize

    1.8MB

    MD5

    5fe949d7cc5931c3059290b744b51e48

    SHA1

    a9774d33e655ccbd606fccb2ed1bd5e4c0b0dc83

    SHA256

    619790eb663bdb615ffbbe857d3726cbfa6e89172d705b74f3a53375d11e2c9b

    SHA512

    96b88823f69caabb274f4e8165f58a92aea3494d431e35cf6891682044b6ddf219b74c490d4987a0cbb66719b38c2bef59608d2fccaf5b5c5d9bbb5255efcca2

  • C:\Users\Admin\AppData\Local\Temp\Admin.bmp

    Filesize

    2.1MB

    MD5

    57f4aeea61c498b9757a2ac34c037360

    SHA1

    d30b76abd617a91419cb50d7a8e1af7a3bcdb71d

    SHA256

    46a51664ce36506a6b701ad6a04729d5a41c82086009e309cae1908b98ccb1fd

    SHA512

    e9d62d39bbc22a22ad00cf1969f19fb702b08dcd076d8e99704ee72330412e04dac370ef1c3534f64b2cf75d929c72533b25dc8f18adc23b08ea074644ea36f8

  • C:\Users\Admin\AppData\Local\Temp\Admin.bmp

    Filesize

    2.5MB

    MD5

    72f9e2b4ca024d473143ecbb869f9be8

    SHA1

    47b7528b2cae0096a29feca66588e3b203f897a8

    SHA256

    94679529d5bd732f5d9376e5bc560306b788871ac3e4d5d6607115ce4f74d2b3

    SHA512

    4264d0fbc35ea61e8ea50a8e58fa084a3a5c8a89b14b5e059e0e434d53fcf2292d9a6ea1629146cad4a5acafc996fefddf1a85458c6f6415200d85f657311eee

  • C:\Users\Admin\AppData\Local\Temp\Admin.bmp

    Filesize

    2.8MB

    MD5

    f08927f29cb4d42f88e46e5e12e06ecf

    SHA1

    fba217b258fe31f3bfec70630f598e5c003a7b95

    SHA256

    8a9de13041e61fdec28bd94a7d50cee665726d4174923311d8af5d5b8821887b

    SHA512

    1b7ca4ccbee3ce5ca18bad68fd45f6290f8d2b57e852091e87c1380237a6c0ee22b9140cc1adc0bf01d30c30730b802e568472fc2362e4d95a6f0c7ba99d3b96

  • C:\Windows\W_X_C.vbs

    Filesize

    195B

    MD5

    7fd017e8c0f6e808ab92dd24fc015f50

    SHA1

    917f0c6f8588a70a1044dfd2b0dd94d2738ac705

    SHA256

    009ab8b53bde4a5b671cddc837eeab5e1023557db347ed33f355d75d230d0ae1

    SHA512

    91f7dc20c39ddb47221416ec3ffd8b91e1ccdfe2cb8b60294380df08c6e4edef19387da198107eedb47a75e7ad311cc5933095eeddfcb47d7d45d5a8b0a40ae3

  • C:\Windows\hosts.exe

    Filesize

    354KB

    MD5

    cced3a528d346f900f9aeb4d105e4a12

    SHA1

    f023300b62263c9c5adeb6d07d2d9409d26d889e

    SHA256

    3c025eb20b17c0cf80636674c30048e849ecec0d0d21fd7b5f761c426548abd2

    SHA512

    bbc6905d42382937b749bbc55b3fa7356f8dda997bfd634801499ba1619809c351fc2f1ffe0dd0e498b1cd6ab73396d06a5efa2b46886e33772dc7e39d2dc8ee

  • \??\c:\windows\W_X_C.bat

    Filesize

    336B

    MD5

    4db9f8b6175722b62ececeeeba1ce307

    SHA1

    3b3ba8414706e72a6fa19e884a97b87609e11e47

    SHA256

    d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78

    SHA512

    1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b

  • \Users\Admin\AppData\Local\Temp\avscan.exe

    Filesize

    354KB

    MD5

    62ed18b2a3d928025cc85b04d1a8d199

    SHA1

    6416828bc3fef7da3629d8a94d81ec31a44e5dfb

    SHA256

    938f4c4b7aedd3f41f20b8440cce9eb050527d02539cdb63473ea32dc5202771

    SHA512

    96a82b1f7bd1f00c0d7d26a47d0d60e63ba4148ee3f11915da3e1af41130ab41d4a3c630c3b3d9f24e4ba00370532246be3da96077655a44225d53071f8d9d85

  • memory/1352-47-0x0000000000570000-0x0000000000670000-memory.dmp

    Filesize

    1024KB

  • memory/2792-49-0x0000000000230000-0x0000000000240000-memory.dmp

    Filesize

    64KB

  • memory/2792-46-0x0000000000230000-0x0000000000240000-memory.dmp

    Filesize

    64KB