Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel: 120s
  • max time network: 120s
  • platform: windows7_x64
  • resource: win7-20240704-en
  • resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted: 06/07/2024, 10:13

General

  • Target: 282e23f486723503ffeab416cb799166_JaffaCakes118.exe
  • Size: 562KB
  • MD5: 282e23f486723503ffeab416cb799166
  • SHA1: 4463fb14356706e2123851326e7489fc81c574bc
  • SHA256: 8e747fb2b7d505cba81f96b4b1666ddc0553745fe916750a79744d0698c6db7b
  • SHA512: 4d9282057e02e9045bbd3bf2cf458f4a9046a3d8394216afea8d66386ae7083365d4a67bef79c03545c9e4ad13970c0b065262183da4e28ecca49b1666471fae
  • SSDEEP: 12288:RJVjlDXEddgye5izmXrHjcdLPOMxl7mUqS3KPcdW5pd:RXe/O5TXncdLLxl7L0N

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 6 IoCs
  • VMProtect packed file 1 IoCs

    Detects executables packed with VMProtect commercial packer.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in System32 directory 3 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • NSIS installer 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1324
      • C:\Users\Admin\AppData\Local\Temp\282e23f486723503ffeab416cb799166_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\282e23f486723503ffeab416cb799166_JaffaCakes118.exe"
        2⤵
        • Loads dropped DLL
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:2224
        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\FASTPI~1.EXE
          C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\FASTPI~1.EXE
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2420
        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\icon.exe
          C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\icon.exe
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in Program Files directory
          • Suspicious use of WriteProcessMemory
          PID:2032
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c \DelUS.bat
            4⤵
            PID:1908

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\DelUS.bat
    Filesize: 166B
    MD5: 89082e83de4dc7c833d29bedba560994
    SHA1: 6721ef885670ee3ca5de8d845a780e052082f9f9
    SHA256: 07ed6cd57a54ce6846e18f067e6537147d9ad483c6c594d106cead3966284fc6
    SHA512: 2da8fe72c4f777cdd1f51a2f3312d15472af8ad24b9d66c71da8044c0a7c7f4e4e3cdb7c76f38816104c70e69feba9a829392012521a6703bbf7774c656dc361

  • \Users\Admin\AppData\Local\Temp\IXP000.TMP\FASTPI~1.EXE
    Filesize: 880KB
    MD5: 8ba64a91769ae862c9959dda68c7006d
    SHA1: 3e90f9c212507efdb53cd9225ee4f2e812a0619d
    SHA256: b581d86d0f64355469f487cf5a000e0cd9b4d6caa11f75341e42d6be9492fbdf
    SHA512: d9866cd53e4b6226ef4cf260663fb9354fd72c829f270f236179e59a536882f6add77698447d08204372fedc216997df98033f75da4bed6d70e26bf2497ae98c

  • \Users\Admin\AppData\Local\Temp\IXP000.TMP\icon.exe
    Filesize: 64KB
    MD5: 51664dcddadc86db4da4fc4ed4ddfc3a
    SHA1: 4d6e9a9d00012591fbf80746ea3514eb7a278524
    SHA256: 1bc3902a6a7073d5f6a3051f1107004c2b268cb6d03f2f1f98c89e3b247322a2
    SHA512: b306497e84b05688657c5c677cf9ac931454b80e27c2ce2cffd9d6bf258baa313a77b748eb4f21f2363bed8465b7bc68e09348d1244fe9c16ebff68431a02ca0

  • \Users\Admin\AppData\Local\Temp\nstC6AA.tmp\DLLWebCount.dll
    Filesize: 28KB
    MD5: d825e4003d1697fd4bc45361e222746c
    SHA1: e9d4b1073aac15d4dbb430471fcaea549e633d13
    SHA256: c79e4be74eecf16f2f7f1d39724c938bf372e9568bb96fa4610926a57fe323f5
    SHA512: 7740a18cae5a42963c748a49ac6175482c93b34dce703a7cf24f5828ee6cdc19eb2669a634b64c2a4c861272f7e9b9e943455195a7cd6afcd8fa5586744eb86f

  • \Users\Admin\AppData\Local\Temp\nstC6AA.tmp\SelfDelete.dll
    Filesize: 24KB
    MD5: 7bf1bd7661385621c7908e36958f582e
    SHA1: 43242d7731c097e95fb96753c8262609ff929410
    SHA256: c0ad2c13d48c9fe62f898da822a5f08be3bf6c4e2c1c7ffdf7634f2ca4a8859e
    SHA512: 8317af5cc3ac802eb095f3fa8cc71daa1265ca58fead031c07872f3d4bb07663a7002ae734fad392a7617f0923fe0caf1f54ed55afdf8516a6a08e202d86fa7f

  • memory/1324-13-0x0000000002510000-0x0000000002511000-memory.dmp
    Filesize: 4KB