Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    150s
  • max time network
    133s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    04/07/2024, 21:01

General

  • Target

    26327da6e573339b69f246faa5d61a02_JaffaCakes118.exe

  • Size

    416KB

  • MD5

    26327da6e573339b69f246faa5d61a02

  • SHA1

    2ab4b6cf42e8b52fed191f557a2eda8dd7d9aa98

  • SHA256

    ffd87244c6ba0b9fd449d8c3e80a3140db91f0128deb629163a6a21a0eaabf3d

  • SHA512

    3b941a5631040d26a299e75960fe9d0e7332dfc6414cb6da78de13208115b2746cea483e90639b2de5afb87455ec80e23e70b3d1c0f6a6e25c758d52b8170b32

  • SSDEEP

    6144:s6b2I7dBJY+l8EAnddMJfnDnDYiktjAg2SDj2uqLUITtjtz:s6qIprYLsr0iktjrpDSFJ

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\26327da6e573339b69f246faa5d61a02_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\26327da6e573339b69f246faa5d61a02_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2992
    • C:\ProgramData\gPhMeOi12804\gPhMeOi12804.exe
      "C:\ProgramData\gPhMeOi12804\gPhMeOi12804.exe" "C:\Users\Admin\AppData\Local\Temp\26327da6e573339b69f246faa5d61a02_JaffaCakes118.exe"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Adds Run key to start application
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:2924

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \ProgramData\gPhMeOi12804\gPhMeOi12804.exe

    Filesize

    416KB

    MD5

    842239c5288969329bacc27a904c0da7

    SHA1

    fd231f954d995923498af22e8ba8101bf991cfb2

    SHA256

    1837bc34626dda0af07599ec7c00c6c43598465d9a69f85bb1f8656c76544677

    SHA512

    bdd0e641d71f9c9059b565c86ec8a757bf8e1e3d5b96008cd4d9f5e8da73dd3ae176f25bace6523c0060ff1f7f5b9138341cf02564940bbb76c4fc57ad1b478f

  • memory/2924-22-0x0000000000400000-0x00000000004B3000-memory.dmp

    Filesize

    716KB

  • memory/2924-26-0x0000000000400000-0x00000000004B3000-memory.dmp

    Filesize

    716KB

  • memory/2924-42-0x0000000000400000-0x00000000004B3000-memory.dmp

    Filesize

    716KB

  • memory/2992-0-0x0000000000400000-0x00000000004B3000-memory.dmp

    Filesize

    716KB

  • memory/2992-2-0x0000000000400000-0x00000000004B3000-memory.dmp

    Filesize

    716KB

  • memory/2992-4-0x0000000000400000-0x00000000004B3000-memory.dmp

    Filesize

    716KB

  • memory/2992-3-0x0000000000403000-0x0000000000404000-memory.dmp

    Filesize

    4KB

  • memory/2992-5-0x0000000000400000-0x00000000004B3000-memory.dmp

    Filesize

    716KB

  • memory/2992-25-0x0000000000400000-0x00000000004B3000-memory.dmp

    Filesize

    716KB

  • memory/2992-28-0x0000000000403000-0x0000000000404000-memory.dmp

    Filesize

    4KB

  • memory/2992-57-0x0000000000400000-0x00000000004B3000-memory.dmp

    Filesize

    716KB