Analysis

  • max time kernel: 117s
  • max time network: 118s
  • platform: windows7_x64
  • resource: win7-20240708-en
  • resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted: 09/07/2024, 00:12 UTC

General

  • Target: 2e54cc4048d90189f67eb165881b9078_JaffaCakes118.exe
  • Size: 98KB
  • MD5: 2e54cc4048d90189f67eb165881b9078
  • SHA1: ec661d97867d039cf2caf438e9bdcbce5ebf215d
  • SHA256: c4e4c92c95c9655a8473627d06696463824feb7e7eb956b772f597ede4a29e0e
  • SHA512: 65bb3cd0329bc650deade336a53c4f2ac318245915614aa7da82d40aa0580252b9642aae6fc28c0c6d0f564eb8fbf86e6ed7c090190eacb032bb2a260734428e
  • SSDEEP: 3072:FyXZfJF4pwOe9Pnc+m/ehnS6eNi1vCJwnkUc:F+JF4pwOmhhS6Fnk

Score
8/10

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup (2 TTPs, 2 IoCs)

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE (3 IoCs)
  • UPX packed file (2 IoCs)

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Drops file in Windows directory (6 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1192
      • C:\Users\Admin\AppData\Local\Temp\2e54cc4048d90189f67eb165881b9078_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\2e54cc4048d90189f67eb165881b9078_JaffaCakes118.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:1908
        • C:\Windows\svcr.exe
          "C:\Windows\svcr.exe"
          3⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2196
        • C:\Windows\clb_injector.exe
          "C:\Windows\clb_injector.exe"
          3⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          PID:7564
          • C:\Windows\svcr32.exe
            "C:\Windows\svcr32.exe"
            4⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            PID:7632

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Windows\clb_injector.exe
      Filesize: 153KB
      MD5: 94c7acc59d8965d53f427f9ab9cad052
      SHA1: 9812a93676232d07638bcbab87694294c2e55ade
      SHA256: 797b0dfbbd2fcf0b621c576647bd4c2396352ec5baab261f3c409d75fca14341
      SHA512: dccb40b90e7d16865228575a4747ba1946fb30226cad63b9bcb388bdb526d64b965d2e4698ecef83d241519a9fd8effff6d176139ec4a6185f967f557bf1547d

    • C:\Windows\svcr.exe
      Filesize: 134KB
      MD5: 854db12fdc28dfe712aa9005f8039341
      SHA1: 9d0ee1d9e3d35a0bf607efa172de155202ef9404
      SHA256: c31cd269c069f2ec235e979175e6f24af0fa44ba4bdbea1a938ee4a52ec4258d
      SHA512: 3ee61806ca88ef720604e5985c3d52c43770b5a75b7a833102176ff1f79753b12547368f888b62d8599673058c007f143ffcd3eda0d8c841227eeaf49276444c

    • memory/1192-12-0x0000000002190000-0x0000000002191000-memory.dmp
      Filesize: 4KB

    • memory/1908-0-0x0000000000400000-0x0000000000461000-memory.dmp
      Filesize: 388KB

    • memory/1908-10-0x00000000008A0000-0x00000000008B0000-memory.dmp
      Filesize: 64KB

    • memory/1908-1564-0x0000000000400000-0x0000000000461000-memory.dmp
      Filesize: 388KB

    • memory/2196-11-0x0000000010410000-0x000000001042E000-memory.dmp
      Filesize: 120KB
