Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    124s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  • submitted
    08/07/2024, 19:28

General

  • Target

    2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe

  • Size

    175KB

  • MD5

    2d8d1633510a9eb0b8495953e2697461

  • SHA1

    cb6f307755eb5130b7b4e092057ea7a0d934726f

  • SHA256

    7fa993c16abce154e66fedcc34a1cc425bbd6fb415b18ea62a42c816612f25ed

  • SHA512

    da83f74629794e9ff71f7bece9b5b6d00bb0d5467083368af92140fe11225a369a547e8c122aa0fffe896d77db7db8bf6b1ad6f41fb08315103bdc016c07c6cd

  • SSDEEP

    3072:9hr1wTT9cHlar+puWV8KsB7dIjxFlihpL3LPje6Per9qMCD6zJK2Uc1jXsZwe6zp:9hWn9FrRo8KiSjxu1LPjerx9JzVUcheQ

Score
7/10
upx

Malware Config

Signatures

  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 21 IoCs
  • Drops file in Program Files directory 7 IoCs
  • Drops file in Windows directory 12 IoCs
  • Modifies data under HKEY_USERS 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe"
    1⤵
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:1980
  • C:\Windows\system32\dllhost.exe
    C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
    1⤵
    • Drops file in Windows directory
    PID:2080
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2752
  • C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\SearchIndexer.exe /Embedding
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3064
    • C:\Windows\system32\SearchProtocolHost.exe
      "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
      2⤵
      • Suspicious use of SetWindowsHookEx
      PID:1100
    • C:\Windows\system32\SearchFilterHost.exe
      "C:\Windows\system32\SearchFilterHost.exe" 0 508 512 520 65536 516
      2⤵
      PID:2856
    • C:\Windows\system32\SearchFilterHost.exe
      "C:\Windows\system32\SearchFilterHost.exe" 0 508 512 520 65536 516
      2⤵
      PID:780

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

    Filesize

    1024KB

    MD5

    7b6ac66ede0afe071d47aa1261ee90ba

    SHA1

    2bc61e836bcb3f445d8ac6c2d5d65092a9799be9

    SHA256

    1d336c28b20e2f446d109ed833cd3aa4ceb3142f97d67466b357c7640b51e9b1

    SHA512

    445e79371c2d4707a8e2c7d2c5d19d08779957f9c0dd9ee8223ae1df78cc123ed33ed73ff067ab77464f489ca36fa8201069351e811f3b90aa7ca47fb84766ef

  • memory/1980-1-0x0000000000020000-0x0000000000021000-memory.dmp

    Filesize

    4KB

  • memory/1980-0-0x0000000000400000-0x000000000046D000-memory.dmp

    Filesize

    436KB

  • memory/1980-81-0x0000000000400000-0x000000000046D000-memory.dmp

    Filesize

    436KB

  • memory/3064-35-0x0000000002F30000-0x0000000002F40000-memory.dmp

    Filesize

    64KB

  • memory/3064-19-0x0000000002E30000-0x0000000002E40000-memory.dmp

    Filesize

    64KB

  • memory/3064-61-0x0000000004240000-0x0000000004248000-memory.dmp

    Filesize

    32KB

  • memory/3064-62-0x0000000002810000-0x0000000002811000-memory.dmp

    Filesize

    4KB

  • memory/3064-68-0x0000000002810000-0x0000000002818000-memory.dmp

    Filesize

    32KB

  • memory/3064-70-0x0000000002640000-0x0000000002641000-memory.dmp

    Filesize

    4KB

  • memory/3064-79-0x0000000004250000-0x0000000004258000-memory.dmp

    Filesize

    32KB