Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    120s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    07/07/2024, 00:56

General

  • Target

    29a079948174116c25df96b80238c07f_JaffaCakes118.exe

  • Size

    151KB

  • MD5

    29a079948174116c25df96b80238c07f

  • SHA1

    5e50326fa7e6ff9650971052adb8124eae0c621d

  • SHA256

    992ba58cf87b4b307362ff41b64fc8f99c5186079f88ee5daf5b999f693af2db

  • SHA512

    2dcdb67881f7ec9ae55631eabfc3385b3eaf9eeaf842565ce66feb56ca2bd3e125b97b74941b4d784e4a1c2216878a1b191c66fa64fd2a623c632259d973ee75

  • SSDEEP

    3072:OfPyc9y35l5cFtSkkT53t+ImJvBKiuDTcZXah0YMq5kSs:O3V9y3/ctSkkTR7mzoWXYrC

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    PID:1204
    • C:\Users\Admin\AppData\Local\Temp\29a079948174116c25df96b80238c07f_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\29a079948174116c25df96b80238c07f_JaffaCakes118.exe"
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:2420
      • C:\Windows\SysWOW64\regsvr32.exe
        regsvr32.exe /s C:\Windows\VUX.dll
        3⤵
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1560
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Windows\OYA.bat" C:\Users\Admin\AppData\Local\Temp\29A079~1.EXE"
        3⤵
        • Deletes itself
        PID:1652
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Windows\IAI.bat" C:\Windows\VUX.dll"
        3⤵
        PID:2232

      Network

      MITRE ATT&CK Matrix

      Downloads

      • C:\Windows\OYA.bat

        Filesize

        53B

        MD5

        bd8acf285d4f871236e232fccfb16d38

        SHA1

        271c40bdb1a4e92278756911016a0ad7b17b6914

        SHA256

        b7b5ba6b72dc5e61ce416bd8a78ec3965bbcee380ac6e05ae95eca15ce2dafd7

        SHA512

        349c7c0dbf2ddb920a6cf4ee510ffb05a382a10d5dfbd47a0aade44e2c8f30e94ebc11b06e6b56c08b661448087e2d4b4e699b7ce922a8344181f11d4cfe5fc1

      • C:\Windows\VUX.dll

        Filesize

        132KB

        MD5

        a8e72bd0dc3ed31386071b9ec11c6ab7

        SHA1

        5b4e351310d2aa2b92ae15c6dce666efaac0b4a9

        SHA256

        6112c4f46405cd336e93b148e33dfbda6eb0d9f3c32a63c8f727a6b48e2332c1

        SHA512

        9f2ffcce239cee78694ef6a4f774fcdecb038ac87dad54ca3a7eb31dc062a988498201ec3aac0e5cb159324962750e67c0296ec10a35a84923e2130aee22e1f5

      • memory/1204-5-0x000000007FFF0000-0x000000007FFF1000-memory.dmp

        Filesize

        4KB

      • memory/1560-2-0x0000000000160000-0x0000000000188000-memory.dmp

        Filesize

        160KB

      • memory/2420-20-0x0000000000400000-0x000000000042D000-memory.dmp

        Filesize

        180KB