Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    120s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  • submitted
    10/07/2024, 21:27

General

  • Target
    3673d5090b77a0b033da84545fda2f0f_JaffaCakes118.exe
  • Size
    593KB
  • MD5
    3673d5090b77a0b033da84545fda2f0f
  • SHA1
    010d2e93a19af30eb6f17052abd855933edc4873
  • SHA256
    a6e63d38a8ebe09d0c09b45d7245137f1cdd0e7e9e978997814ea9bd6c33ee33
  • SHA512
    05f91a2f9dc112b80bdca6db4ccc907041ad267812d9aa514d513c2d9673b9b4aed48699bf019d2dc95e7101bb9601334d6e17d4f77f7ba2fb85303f3c7349de
  • SSDEEP
    12288:a39mSPuqDWEB1l9gvW01XM/f85jsz1+ruUA+lpOxuGzVg7I:ymS2savWoXEqsB+S+lUkGO7I

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 6 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3673d5090b77a0b033da84545fda2f0f_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\3673d5090b77a0b033da84545fda2f0f_JaffaCakes118.exe"
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2028
    • C:\Users\Admin\AppData\Local\Temp\luiCDBB.tmp\setup.exe
      "C:\Users\Admin\AppData\Local\Temp\luiCDBB.tmp\setup.exe"
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2984
      • C:\Windows\SysWOW64\msiexec.exe
        "C:\Windows\SysWOW64\msiexec.exe" -I "C:\Users\Admin\AppData\Local\Temp\luiCDBB.tmp\SP-Fantasy_Installer.msi"
        • Blocklisted process makes network request
        • Enumerates connected drives
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        PID:2252
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3040
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 7DFCA485B2D0A0A1EF29153C5F384D86 C
      • Loads dropped DLL
      PID:2532

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\MSID29D.tmp
    Filesize
    222KB
    MD5
    fb4ed24de182178cac3cd3870a4ba5b6
    SHA1
    38b168fbe97b72a5de5eaef16535ea1aed964e1b
    SHA256
    5070b4cdf7e2f95535f3340a3a0d9bce496478d0bd445b470dd67278a910c578
    SHA512
    03ffa685a28333cc7d8eb4a0fdd8c5dce85ca1126bcdefebda83a91586b98ae559d56074b943a6df0ec011eaa58b6841026ffb8b42e08b74351b0118011d3c9a

  • C:\Users\Admin\AppData\Local\Temp\luiCDBB.tmp\SP-Fantasy_Installer.msi
    Filesize
    524KB
    MD5
    149c5470d721e646952cea819487ff28
    SHA1
    5e6ee0a902135f80aea5adace0ea07c03cb82b4e
    SHA256
    f8ca4710cf343b7afe9fd6003a8387374a709feb5929f7bc0ff54c5cea5148b7
    SHA512
    a2cbf9418d207d8321050cbef4fde3900f9b857441f5e22f400a7eadc948c0ee421946e0208af5761ba34f6b2e58c52f7fe632a22cc487c261c577d4747b5cc4

  • \Users\Admin\AppData\Local\Temp\luiCDBB.tmp\setup.exe
    Filesize
    366KB
    MD5
    b07a06446303767f1c8c26bc1ef83baf
    SHA1
    94aa8c6ddd5f6e96867e997f150c63ebf1fc0019
    SHA256
    349df2da098acb773284ebf50503cab096c949cf4bb63d75e96d75bed7937564
    SHA512
    be1592432745c66e7c5eef56dd452ca32dd9e461eb7522cd3e58a2dde8f4341c46aa2fa44be1a72151e259dd2fd7cb246091040e05486a5ee5f042077dd234a4