Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    120s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system
  • submitted
    10/07/2024, 08:53

General

  • Target

    340d8df768269411ee6196e347585b68_JaffaCakes118.exe

  • Size

    1.9MB

  • MD5

    340d8df768269411ee6196e347585b68

  • SHA1

    c9a828abe5fbf97f3593c9797c4fb7142e4b482d

  • SHA256

    893ce8410fb15a7802523f033f4abdffd8ef35c1a2342199e6c09c54173dff9d

  • SHA512

    e03a0ba6521f2b30da8cc7c6948af23bfbfb4d532a605187d607cac6810e3c9161dd4f1a4f2d3f4b36709c8ba349831daae8cc44ae7cfc74657c18a25fbfa182

  • SSDEEP

    49152:fHqjfedt0TY2oHtMYQ0M/pBi1tR6TRJLu:Wfedt0TYH+0M/pBmkTjLu

Score
8/10

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 5 IoCs

    Adversaries may achieve persistence by adding a component key under HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{GUID} on the local machine; the command in its StubPath value runs once for each user at next logon whenever the matching HKCU entry is missing or carries an older Version. In this run the key is written by the Windows Installer service process (msiexec.exe, PID 2540) during the quiet install of FP.msi. An MSI that installs a per-machine ActiveX control (here Flash8.ocx) can legitimately register such a component, so check what the StubPath value actually launches before treating this alone as malicious persistence.

  • Loads dropped DLL 8 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive. Here the behaviour is attributed to the Windows Installer service process (msiexec.exe, PID 2540), which is consistent with installer disk-space costing rather than reconnaissance specific to the payload.

  • Drops file in System32 directory 3 IoCs
  • Drops file in Windows directory 12 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information (typically the values under HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0) is often read to detect sandboxing environments, but legitimate installers read it as well. Here the read is performed by the initial dropper (PID 2756) rather than by the installer.

  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\340d8df768269411ee6196e347585b68_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\340d8df768269411ee6196e347585b68_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Checks processor information in registry
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2756
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\IFViewer\3210711948\FP.msi" /Q
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2904
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2540
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding DBAD0E81128112A7DE245C966EFC4E27
      2⤵
      • Loads dropped DLL
      • Modifies registry class
      PID:1340
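The process tree above shows the shape worth detecting: a dropper running from %TEMP% launches msiexec.exe with /i pointing at a package under %APPDATA% and the /Q (quiet) switch, and the Windows Installer service process (PID 2540) then writes an Active Setup component key, the persistence mechanism described under Signatures. The Python below is an added example, not part of the Triage report, that runs detection logic for exactly those two steps over constructed Sysmon-style events (EventID 1 process creation, EventID 13 registry value set) that mirror the tree. The events are constructed here; the services.exe parent of the service-side msiexec, the placeholder Active Setup GUID and the benign D:\Installers\tool.msi control are assumptions, since the report does not show them. The second event records the image as SysWOW64\msiexec.exe even though the command line names System32, which is how WoW64 file system redirection presents a 32-bit parent's request.

```python
"""Flag the chain this report shows (Temp exe -> quiet msiexec install from
%APPDATA% -> Active Setup component key write) in Sysmon-style events.

Added example: the detection logic is the editor's, not Triage's. SAMPLE_EVENTS
are constructed to mirror the report's process tree; the services.exe parent,
the Active Setup GUID and the D:\ control install are assumptions.
"""
import re

# Constructed Sysmon-style events. EventID 1 = process create, 13 = registry value set.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 2756,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\340d8df768269411ee6196e347585b68_JaffaCakes118.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Users\Admin\AppData\Local\Temp\340d8df768269411ee6196e347585b68_JaffaCakes118.exe"'},
    {"EventID": 1, "ProcessId": 2904,
     # The 32-bit dropper asks for System32; WoW64 redirection yields the SysWOW64 image.
     "Image": r"C:\Windows\SysWOW64\msiexec.exe",
     "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\340d8df768269411ee6196e347585b68_JaffaCakes118.exe",
     "CommandLine": r'"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\IFViewer\3210711948\FP.msi" /Q'},
    {"EventID": 1, "ProcessId": 2540,
     "Image": r"C:\Windows\system32\msiexec.exe",
     "ParentImage": r"C:\Windows\system32\services.exe",  # assumed: service-side msiexec
     "CommandLine": r"C:\Windows\system32\msiexec.exe /V"},
    {"EventID": 13, "ProcessId": 2540,
     "Image": r"C:\Windows\system32\msiexec.exe",
     # Placeholder GUID: the report does not show which component key was written.
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-000000000001}\StubPath"},
    {"EventID": 1, "ProcessId": 4100,  # constructed benign control: interactive install, non-user path
     "Image": r"C:\Windows\system32\msiexec.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\system32\msiexec.exe" /i "D:\Installers\tool.msi"'},
]

# Paths an unprivileged user can write to (profile subfolders, Temp, ProgramData).
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents)\\|\\Temp\\|\\ProgramData\\", re.I)
# Active Setup component values that control the per-user run-once behaviour.
ACTIVE_SETUP = re.compile(
    r"\\Active Setup\\Installed Components\\[^\\]+\\(StubPath|Version|IsInstalled)$", re.I)
QUIET_SWITCHES = {"/q", "/qn", "/quiet", "/passive", "-q", "-qn", "-quiet", "-passive"}


def tokenize(cmdline):
    """Split a Windows command line on whitespace, honouring double quotes."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def msi_install_target(cmdline):
    """Return the package path given to msiexec /i (or /package, /a), else None."""
    toks = tokenize(cmdline)
    for i, tok in enumerate(toks[:-1]):
        if tok.lower() in ("/i", "-i", "/package", "-package", "/a", "-a"):
            return toks[i + 1]
    return None


def is_quiet(cmdline):
    """True when msiexec was told to suppress its UI."""
    return any(tok.lower() in QUIET_SWITCHES for tok in tokenize(cmdline))


def analyse(events):
    """Return (rule, pid, detail) findings for the two steps of the chain."""
    findings = []
    for ev in events:
        if ev["EventID"] == 1 and ev["Image"].lower().endswith("\\msiexec.exe"):
            target = msi_install_target(ev["CommandLine"])
            if target and USER_WRITABLE.search(target) and is_quiet(ev["CommandLine"]):
                rule = "msiexec.quiet_install_from_user_path"
                if USER_WRITABLE.search(ev["ParentImage"]):
                    rule += ".parent_in_user_path"  # the exact shape seen in this report
                findings.append((rule, ev["ProcessId"], target))
        elif ev["EventID"] == 13 and ACTIVE_SETUP.search(ev["TargetObject"]):
            findings.append(("registry.active_setup_component_write", ev["ProcessId"], ev["TargetObject"]))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in analyse(SAMPLE_EVENTS):
        print(f"{rule:55} pid={pid} {detail}")
```

Run directly, it reports the quiet AppData install (PID 2904, parent in Temp) and the Active Setup write (PID 2540) and stays silent on the interactive D:\ install. The parent-path refinement is deliberate: a quiet msiexec install from AppData on its own also matches some per-user auto-updaters, so it is the combination with a parent executable in Temp, followed by an Active Setup write from the service-side msiexec, that justifies escalating.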

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Config.Msi\f77284c.rbs

    Filesize

    10KB

    MD5

    daaf72cb84a9d198cf4876278e01dc48

    SHA1

    bcb5d972c060175e6b58959063b16482a3ca7f6d

    SHA256

    a5ac925fa7650149f9967b559f6b17a9e3a13400564c090d5a47c6672a2671d4

    SHA512

    5d5891fecd3f41dc889be10e7df40104667c979d6c7de281130788b619d329275f8785e760db9ef9922f9077a20079c4c9bf03db6e4020bc21d2d24068689fab

  • C:\Users\Admin\AppData\Local\Temp\~2C3E.tmp

    Filesize

    397B

    MD5

    1558c7133098a2f21a33b189f8134299

    SHA1

    9340efa292ffc561036165a6d6578bdffcef11f5

    SHA256

    0d69fbb9c0d1a609986f11ab226c7f60a141db9d09d96a41542bb0bf9322eb9b

    SHA512

    7339d19f23f78371656629fef6a44c94631fda1bcc1ced07774c4e5dcf9a969311cbc4fea22a17630d6249a1fe9558370d960cba7639abbb787c4b8e03deec61

  • C:\Users\Admin\AppData\Local\Temp\~2C3E.tmp

    Filesize

    392B

    MD5

    531a7d7a940f817bdd8f432f9faec78e

    SHA1

    acd9188cc4126b60859e16142a06db4bc74de0ce

    SHA256

    6fc66063f8c26ddafbe161acfd0a5bb10d562a5b6e27f9dc66847806ea0de240

    SHA512

    8d055fbedb852f8b4ff0807dfd5c0fe63d45c27c1edd5f1edbf2d6647c214fa5ed45a3ff67d93a08f9e55a753fa5237e19b54d59d4168c7a605c1021cff128a5

  • C:\Users\Admin\AppData\Local\Temp\~2C3E.tmp

    Filesize

    386B

    MD5

    2357e7b2a591b85b9d1f492d39e4c894

    SHA1

    d917b0a2e35547d913b51c0ad9103b7514c02a73

    SHA256

    90a5c2612a1a3a5e35de806f56d9520c457a4605d104f596c330e143cbe8fa71

    SHA512

    5f2f2d186b8ec882b44a9e6a116e2869f99740d66dc1ec498ecb8e7cae8b5ad9a7babac416133cae61165713b5aa429b5c2490cc3f03b8c5af879b6fb81456f7

  • C:\Users\Admin\AppData\Roaming\IFViewer\3210711948\FP.msi

    Filesize

    1.6MB

    MD5

    ec72ab0a198db9fa267a110095aff70a

    SHA1

    7ace4d0b2799efddea2ebeaa687feb84583711ce

    SHA256

    086075830772885fe24607bcf8ecd186a1d706f7f57436aed2175667a3cdfaf7

    SHA512

    cc4d92b629bde79686aa180323f57aab99861733b6be163b0419616b636aac8999e7ee5c14595a69daa98365848116a10d5e472e4490ff84622247ba437e0339

  • C:\Users\Admin\AppData\Roaming\IFViewer\3210711948\Workspace\solido_si.swf

    Filesize

    5KB

    MD5

    987b70002a8334d3f2d1ac7cfdf408d8

    SHA1

    1e2bc822dfdf08a6cb0afb9fefd49f12e486679e

    SHA256

    1677357b0b7a7bffa468a4a2b7b0d5fdf6b539b89fdda8d67c04552f56252acf

    SHA512

    f5c98b104f1b7f3ee39bb52d6b26f03a7250569b4a9197ac4fc1e269e475ddee96b25e25d2bc664a65f613b5a4a2003aede44d17c53572b0bc5245ebbeae5e98

  • C:\Windows\Installer\MSI29FF.tmp

    Filesize

    80KB

    MD5

    f6a6b99623d80fc8e10d04a82f61a806

    SHA1

    fa1d7586ec148d4caf5f4258bc6a495c28b5955f

    SHA256

    adb43809b9d164a220cf80045fcbb4aabd665f83715ac05def245ede8e0f1355

    SHA512

    812bf82bb81a576c4079c27460d18b9fe02457a49715c93ede665c3070a000144585ca779df1083a8ca84ff5a42ad50f70ae9d31a058da1c05b0e1766f6555ec

  • C:\Windows\Installer\MSI2C14.tmp

    Filesize

    104KB

    MD5

    41c809ec8fd59ffcbfff35da8d9cf41b

    SHA1

    c6e8b1ef8fcd49ac88ce097157beaeff4d7468e2

    SHA256

    fe9b3c74f09a6c66dab66269550f277c8aa82c7e93b5e9963a116c44619d55b2

    SHA512

    e51ecdba17d0aa037ea6e229e66879e50317b677e2b4760a4dcb7883ab49598b3b166e9b26dcfab5a1904373d70af6234899092bc7a614b9fca14cfbed0ad42d

  • C:\Windows\SysWOW64\Macromed\Flash\Flash8.ocx

    Filesize

    1.4MB

    MD5

    900373c059c2b51ca91bf110dbdecb33

    SHA1

    102b086d6054c2cea813ef316ce24440c458762b

    SHA256

    31453fd8f743c19e27f8fa04ee88dfebe95a7884cdfbc15ab0eb8994829aad61

    SHA512

    b17d68cd1e4f1c2fcc7f07de657af144302d4a0cb7b6a0d6bbed4fcd39227481abae73df2d59bf13a31a47b2b6aba820182881b43e638aa00da75ba6b94adbfe

  • \Users\Admin\AppData\Roaming\IFViewer\3210711948\Workspace\FSCommandDLL\FSDesktop.dll

    Filesize

    96KB

    MD5

    1341a69debce0f53dc57699e736d191f

    SHA1

    5ba09963911dc0ea44c4c64015448149588d232d

    SHA256

    5cc04a7ceb1841324c8e2b95a0365c6a38dec7db364fbb09ae5089cdc175302c

    SHA512

    f117f746125100b0c2c58116615a615fe1cc6becfdf7d3ef5981b1cb044b623962d2da89a6cab8ee50967de8e7e239dab009db33a68ef0e15f9bd03738e20bba