Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    142s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    06/07/2024, 15:10

General

  • Target

    289bdd184a7dbd1f02f3b35de92d8c04_JaffaCakes118.exe

  • Size

    607KB

  • MD5

    289bdd184a7dbd1f02f3b35de92d8c04

  • SHA1

    7cc34e320093129287d05a4cf33f41c1d5683c02

  • SHA256

    5dceba157be9d2d78623211de8f4177ca9ac99356b444f291a0462f3f21e387f

  • SHA512

    c77c5b91fb6d20ee8b04c0206ea3450b05c40e0865a746ac9dd557f771451a66eca0b66e066880718daa6c0ef36671c7057ac3f38cb91665b9cf321339f96c38

  • SSDEEP

    12288:Iam7zyxnVVejG4q0lAGiqT/QK87nE8UKeA9N47oVMm:IamvyWKHGiqT/q7nEaeW27oVN

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 5 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • NSIS installer 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\289bdd184a7dbd1f02f3b35de92d8c04_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\289bdd184a7dbd1f02f3b35de92d8c04_JaffaCakes118.exe"
    depth 1
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:2552
    • C:\Windows\svchost.exe
      "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\289bdd184a7dbd1f02f3b35de92d8c04_JaffaCakes118.exe"
      depth 2
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1656
      • C:\Users\Admin\AppData\Local\Temp\289bdd184a7dbd1f02f3b35de92d8c04_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\289bdd184a7dbd1f02f3b35de92d8c04_JaffaCakes118.exe"
        depth 3
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1944
        • C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
          "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
          depth 4
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious behavior: GetForegroundWindowSpam
          PID:3004
  • C:\Windows\svchost.exe
    C:\Windows\svchost.exe
    depth 1
    • Executes dropped EXE
    • Drops file in Program Files directory
    PID:2536
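The tree above carries two points worth checking mechanically: svchost.exe runs from C:\Windows, while the genuine service host lives in C:\Windows\System32 (and SysWOW64 for the 32-bit copy), and that svchost.exe is handed the sample's own path and relaunches it, so the third process is the sample path run again rather than the submitted file as such (the Downloads section lists a 571KB file at that path whose hashes differ from the 607KB submission). The rules below are an added example for this report, not Triage's own detection logic. The EVENTS list is constructed by hand from the process tree (PIDs, images and command lines as shown); the field names are an assumption loosely modelled on Sysmon Event ID 1, and PID 2536, which has no parent in the tree, is given ppid None.

```python
"""Rule-based triage of the process tree in this report (added example)."""
import ntpath
from typing import Dict, List, Optional, Tuple

# Binaries that only ever run from the Windows system directories.
SYSTEM32_ONLY = {"svchost.exe", "lsass.exe", "csrss.exe", "smss.exe", "winlogon.exe", "services.exe"}
LEGIT_SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}
# Path fragments that mark user-writable locations (lower-case, backslashes).
USER_WRITABLE_MARKERS = ("\\appdata\\local\\temp\\", "\\users\\public\\", "\\programdata\\")

# Constructed from the report's process tree; field names are an assumption.
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP + r"\289bdd184a7dbd1f02f3b35de92d8c04_JaffaCakes118.exe"
FAKE_SVCHOST = r"C:\Windows\svchost.exe"      # the real one is under C:\Windows\System32
UNINSTALLER = TEMP + r"\~nsu.tmp\Au_.exe"     # standard NSIS uninstaller stub

EVENTS: List[dict] = [
    {"pid": 2552, "ppid": None, "image": SAMPLE,       "cmdline": f'"{SAMPLE}"'},
    {"pid": 1656, "ppid": 2552, "image": FAKE_SVCHOST, "cmdline": f'"{FAKE_SVCHOST}" "{SAMPLE}"'},
    {"pid": 1944, "ppid": 1656, "image": SAMPLE,       "cmdline": f'"{SAMPLE}"'},
    {"pid": 3004, "ppid": 1944, "image": UNINSTALLER,  "cmdline": f'"{UNINSTALLER}" _?={TEMP}\\'},
    {"pid": 2536, "ppid": None, "image": FAKE_SVCHOST, "cmdline": FAKE_SVCHOST},
]


def _norm(path: str) -> str:
    # NT-style case folding works on any host, so the rules run on Linux too.
    return ntpath.normcase(path)


def masquerading_system_binary(ev: dict) -> bool:
    """A System32-only binary name executing from any other directory."""
    image = _norm(ev["image"])
    return ntpath.basename(image) in SYSTEM32_ONLY and ntpath.dirname(image) not in LEGIT_SYSTEM_DIRS


def runs_from_user_writable(ev: dict) -> bool:
    """Image lives under a user-writable path (covers 'Executes dropped EXE')."""
    image = _norm(ev["image"])
    return any(marker in image for marker in USER_WRITABLE_MARKERS)


def relaunch_of_ancestor(ev: dict, by_pid: Dict[int, dict]) -> bool:
    """Same image path as an ancestor: the sample re-launched through a dropped intermediary."""
    image = _norm(ev["image"])
    parent: Optional[dict] = by_pid.get(ev["ppid"])
    while parent is not None:
        if _norm(parent["image"]) == image:
            return True
        parent = by_pid.get(parent["ppid"])
    return False


def system_binary_given_foreign_exe(ev: dict) -> bool:
    """A system binary name whose arguments name an .exe under a user-writable path."""
    args = _norm(ev["cmdline"])
    return (ntpath.basename(_norm(ev["image"])) in SYSTEM32_ONLY
            and ".exe" in args
            and any(marker in args for marker in USER_WRITABLE_MARKERS))


def triage(events: List[dict]) -> List[Tuple[int, str]]:
    """Run every rule over every event; returns (pid, rule name) pairs."""
    by_pid = {e["pid"]: e for e in events}
    findings: List[Tuple[int, str]] = []
    for ev in events:
        if masquerading_system_binary(ev):
            findings.append((ev["pid"], "masquerading_system_binary"))
        if runs_from_user_writable(ev):
            findings.append((ev["pid"], "runs_from_user_writable"))
        if relaunch_of_ancestor(ev, by_pid):
            findings.append((ev["pid"], "relaunch_of_ancestor"))
        if system_binary_given_foreign_exe(ev):
            findings.append((ev["pid"], "system_binary_given_foreign_exe"))
    return findings


def chain(pid: int, events: List[dict]) -> List[str]:
    """Ancestry of pid as image basenames, root first, for the analyst's write-up."""
    by_pid = {e["pid"]: e for e in events}
    names: List[str] = []
    ev = by_pid.get(pid)
    while ev is not None:
        names.append(ntpath.basename(ev["image"]))
        ev = by_pid.get(ev["ppid"])
    return list(reversed(names))


if __name__ == "__main__":
    for pid, rule in triage(EVENTS):
        print(f"{pid:>5}  {rule}")
    print(" -> ".join(chain(3004, EVENTS)))
```

The location rule is the one that survives hash changes between variants: any svchost.exe image outside System32/SysWOW64 is wrong regardless of what the file contains, whereas the relaunch rule needs the parent chain and so only works on data that records ppid.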

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\nsoB52D.tmp\ioSpecial.ini

    Filesize

    582B

    MD5

    d26dcb6bfa4b4c31960d6eb17e6caaef

    SHA1

    80f8fa285214c2d635d0c57c8da0a1840c5170d6

    SHA256

    0549599a12d292673d9101464428feba93ce4026423040d84a8be360f9b60734

    SHA512

    acfb06b2fc6c8f65f657d7c03787aa9cc1e2686968908f63769cd08b0685013602d3d7d34e1c2a7d11cbddba77e011a2772391611838424bdc03b4f902eae5cb

  • C:\Windows\svchost.exe

    Filesize

    35KB

    MD5

    9e3c13b6556d5636b745d3e466d47467

    SHA1

    2ac1c19e268c49bc508f83fe3d20f495deb3e538

    SHA256

    20af03add533a6870d524a7c4753b42bfceb56cddd46016c051e23581ba743f8

    SHA512

    5a07ba8a7fcb15f64b129fada2621252b8bc37eb34d4f614c075c064f8ac0d367301eba0c32c5e28b8aa633f6ab604f0dfcc363b34734ce0207ef0d4e8817c4b

  • \Users\Admin\AppData\Local\Temp\289bdd184a7dbd1f02f3b35de92d8c04_JaffaCakes118.exe

    Filesize

    571KB

    MD5

    0b0aa621e74bdd37d35f8f08a639bcb3

    SHA1

    b83cf71fdc7823a22b08d3764f44bf8873946a63

    SHA256

    8b1e4e6e9d5732fd1a0492808946debac7d46b545bf1b2640b64e0ff4e601f9c

    SHA512

    a2ea86ee0c734ad9c5eb4e3289c7467f31b29289c8e7bb709a8aeac4737bed7d9eaa47c70f697d5c20f705afbabb7b22c1e8a1d8fa86ca835a30b6ea34b1b96d

  • \Users\Admin\AppData\Local\Temp\nsoB52D.tmp\InstallOptions.dll

    Filesize

    14KB

    MD5

    0dc0cc7a6d9db685bf05a7e5f3ea4781

    SHA1

    5d8b6268eeec9d8d904bc9d988a4b588b392213f

    SHA256

    8e287326f1cdd5ef2dcd7a72537c68cbe4299ceb1f820707c5820f3aa6d8206c

    SHA512

    814dd17ebb434f4a3356f716c783ab7f569f9ee34ce5274fa50392526925f044798f8006198ac7afe3d1c2ca83a2ca8c472ca53fec5f12bbfbbe0707abacd6b0

  • \Users\Admin\AppData\Local\Temp\nsoB52D.tmp\System.dll

    Filesize

    11KB

    MD5

    00a0194c20ee912257df53bfe258ee4a

    SHA1

    d7b4e319bc5119024690dc8230b9cc919b1b86b2

    SHA256

    dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3

    SHA512

    3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

  • \Users\Admin\AppData\Local\Temp\nsoB52D.tmp\UAC.dll

    Filesize

    17KB

    MD5

    09caf01bc8d88eeb733abc161acff659

    SHA1

    b8c2126d641f88628c632dd2259686da3776a6da

    SHA256

    3555afe95e8bb269240a21520361677b280562b802978fccfb27490c79b9a478

    SHA512

    ef1e8fc4fc8f5609483b2c459d00a47036699dfb70b6be6f10a30c5d2fc66bae174345bffa9a44abd9ca029e609ff834d701ff6a769cca09fe5562365d5010fa

  • memory/1656-15-0x0000000000400000-0x000000000040D000-memory.dmp

    Filesize

    52KB

  • memory/2536-115-0x0000000000400000-0x000000000040D000-memory.dmp

    Filesize

    52KB

  • memory/2536-131-0x0000000000400000-0x000000000040D000-memory.dmp

    Filesize

    52KB

  • memory/2552-5-0x0000000000400000-0x0000000000479000-memory.dmp

    Filesize

    484KB
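A caveat before turning the Downloads list into a hash watchlist: InstallOptions.dll, System.dll and UAC.dll are stock NSIS plugins extracted by many benign installers, so a match on those hashes alone says only that an NSIS installer ran. The sample itself, the dropped C:\Windows\svchost.exe and the re-written copy at the sample path are the hashes worth alerting on. The sweep below is an added example for this report, not Triage tooling; the SHA-256 values are copied from the Downloads section above, the strong/weak labelling is my own, and demo() builds a throw-away directory with constructed files rather than touching any real artefact.

```python
"""Offline SHA-256 sweep against this report's dropped-file IOCs (added example)."""
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple

# SHA-256 -> (label, strength). Values copied from the report; labelling is an assumption:
# "strong" = sample-specific artefact, "weak" = stock NSIS plugin seen in benign installers.
IOCS: Dict[str, Tuple[str, str]] = {
    "5dceba157be9d2d78623211de8f4177ca9ac99356b444f291a0462f3f21e387f": ("submitted sample", "strong"),
    "20af03add533a6870d524a7c4753b42bfceb56cddd46016c051e23581ba743f8": ("dropped C:\\Windows\\svchost.exe", "strong"),
    "8b1e4e6e9d5732fd1a0492808946debac7d46b545bf1b2640b64e0ff4e601f9c": ("re-written copy at the sample path", "strong"),
    "8e287326f1cdd5ef2dcd7a72537c68cbe4299ceb1f820707c5820f3aa6d8206c": ("NSIS InstallOptions.dll", "weak"),
    "dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3": ("NSIS System.dll", "weak"),
    "3555afe95e8bb269240a21520361677b280562b802978fccfb27490c79b9a478": ("NSIS UAC.dll", "weak"),
}

Hit = Tuple[str, str, str]  # (path, label, strength)


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Stream the file in 1 MiB chunks so large binaries do not land in memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def sweep(root: str, iocs: Dict[str, Tuple[str, str]] = IOCS) -> List[Hit]:
    """Walk root and return every file whose SHA-256 is in the IOC table."""
    hits: List[Hit] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_file(path)
            except OSError:
                continue  # locked or unreadable; a production sweep should log these, not hide them
            if digest in iocs:
                label, strength = iocs[digest]
                hits.append((path, label, strength))
    return hits


def verdict(hits: List[Hit]) -> str:
    """Only a strong match on its own justifies escalation; weak matches alone mean 'an NSIS installer ran'."""
    if any(strength == "strong" for _path, _label, strength in hits):
        return "escalate"
    return "weak-only" if hits else "clean"


def demo() -> Tuple[List[str], str]:
    """Constructed demo: one file registered as a weak IOC, one clean file, in a temp directory."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "a.bin"), "wb") as fh:
            fh.write(b"hello")
        with open(os.path.join(root, "b.bin"), "wb") as fh:
            fh.write(b"world")
        iocs = dict(IOCS)
        iocs[hashlib.sha256(b"hello").hexdigest()] = ("constructed test file", "weak")
        hits = sweep(root, iocs)
        return sorted(label for _path, label, _strength in hits), verdict(hits)


if __name__ == "__main__":
    labels, result = demo()
    print(labels, result)
```

On a live host the obvious roots are C:\Windows, C:\Program Files and each user's AppData\Local\Temp, since those are the directories the report shows files being written to; the hash match should be paired with a plain path check for any svchost.exe outside System32, because a rebuilt variant will change every hash in the table but not the masquerading location.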