Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    147s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    10/07/2024, 16:20

General

  • Target

    357a71bc43621cd13d8019d8eab8321e_JaffaCakes118.exe

  • Size

    147KB

  • MD5

    357a71bc43621cd13d8019d8eab8321e

  • SHA1

    7ba961decbab63775e375fe476d2678caebee4fd

  • SHA256

    c05aaf0cb3982fac7c2fc589bc9504e1ad660294a5bf2a9e3b9b2717416c8602

  • SHA512

    6943b1aca8fd0c93a787ec8b3e781984436f1463cc3e7dde81667666569cb66b9b896b255553eee36c7bc82fabeb900fbb89fcbd1c7950d64accc5ffc2cc1846

  • SSDEEP

    3072:tOCn1rixFxB2MtsHQvjcPs1+nKYkdoqrhyK4gPVQDr9IF2q27iR1+aJe1mgawzx+:tOCn1rifm+sujcPsInKTtPVQGF2q2OR5

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • Event Triggered Execution: AppInit DLLs 1 TTPs

    Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in System32 directory 4 IoCs
  • Drops file in Windows directory 5 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\357a71bc43621cd13d8019d8eab8321e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\357a71bc43621cd13d8019d8eab8321e_JaffaCakes118.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:2644
    • C:\Windows\tsrv.exe
      C:\Windows\tsrv.exe s
      2⤵
      • Drops file in Drivers directory
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious use of SetWindowsHookEx
      PID:2660
    • C:\Windows\SysWOW64\notepad.exe
      C:\Windows\System32\notepad.exe C:\Users\Admin\AppData\Local\Temp\252D.tmp
      2⤵
      • Opens file in notepad (likely ransom note)
      PID:2756

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\252D.tmp

    Filesize

    77KB

    MD5

    bd174a5a29b0f2089bc617a67173f652

    SHA1

    832fd0f92a65d4d2da8d3960299e8266426002a0

    SHA256

    c6b0203adda8656526fb6d647daf9bfb23ada22ffc25c10dd4b11f802f012d24

    SHA512

    54694eb9208bab3e932fcf582997d2159559f1e05eb1d2d33324535f66a9a990dfb4e959c6efec34a30955c1807aa3d38b17b1bf3a833704ede69ebf6efa39ee

  • C:\Windows\tsrv.exe

    Filesize

    147KB

    MD5

    357a71bc43621cd13d8019d8eab8321e

    SHA1

    7ba961decbab63775e375fe476d2678caebee4fd

    SHA256

    c05aaf0cb3982fac7c2fc589bc9504e1ad660294a5bf2a9e3b9b2717416c8602

    SHA512

    6943b1aca8fd0c93a787ec8b3e781984436f1463cc3e7dde81667666569cb66b9b896b255553eee36c7bc82fabeb900fbb89fcbd1c7950d64accc5ffc2cc1846

  • C:\Windows\tsrv.wax

    Filesize

    3KB

    MD5

    55bdda728833660485c58e09e5204bac

    SHA1

    cf1035bf2c757d5e4c2a6e094ee3bed3f87fbfe8

    SHA256

    7e0bdaa325d01c142651f8f10391a30e067256a88780261af991255dc87ab4eb

    SHA512

    3637d45ac9865c8eade46713fd0172f9d35d3ad9894eb48bb9c441132e918fd93164f9e3b233e2cf5ceb4c4066aa07ecb39a4024592def1a34cf56cc1353babb

  • C:\Windows\tsrv.wax

    Filesize

    240B

    MD5

    b0ef5d4e0f2dcc800a789479b9309952

    SHA1

    09c1fd646b05fd07d67a9f74b2b85608552d657e

    SHA256

    576b6aa0c32569f2e4d8f83ad65c61e4371775e177450e36edeeddde25b23e68

    SHA512

    57a407bb29a96afe7282ded3ead5b33f1d5c19fe46be5bc15780781fb27aafbd4cb3d1568be8bebfb6694429e4b4dd53037905002f67fd5a091a80de89878b57

  • C:\Windows\tsrv.wax

    Filesize

    680B

    MD5

    15e64d0ad7d79bb7101929b1721b5685

    SHA1

    a61974413b6ed6947be982b6a94aff0749e30422

    SHA256

    46f28afb06ef8f693406228e9c2aec680df81daf84d982b578e5b7ad7fef7fda

    SHA512

    56269a50455f56b5e56a77e4f756290f6a085c782ddef84279699ad706c796aa3b6645926ca48964cf86044ac7e995dac9c39b33fe49029143501aef762b87f0

  • C:\Windows\tsrv.wax

    Filesize

    1KB

    MD5

    db22c67f40d581dfa5de962ce72bff41

    SHA1

    65f41151bca8ceb1f11e92963118e9cbc9486c74

    SHA256

    2c81a4c846b050a27b91fbd2c299a2301bf7f76b82954adcb292910f1ef51bd0

    SHA512

    c8e7ac853869cf5a665c7c1da3214503933d8571cdcb9601288be9d5e039e525d8b16a26ee199d8ce4ee361f46c05579fb4baf07f97db995c863edc25d3ce0be

  • C:\Windows\tsrv.wax

    Filesize

    1KB

    MD5

    592414500eecd8b2e9fada8fb73cb9f5

    SHA1

    0564606125a56c9526b1e3676050983d267d1198

    SHA256

    376832bac902f44040f75b33b7efb38dd02a576ea2d98834c8913aa44ab063a4

    SHA512

    8dab0a691de35897416c85f447d9153879c37387154c2879d8d186251f19558ceae31df5dd5c6878423aedfea3b5575c04d8bf1fbf42a4dcf5e4bf66a9e5d5f8

  • C:\Windows\tsrv.wax

    Filesize

    2KB

    MD5

    40efe64910cbae16b1e6c9105075b337

    SHA1

    1e3fe7890863d3c46f4e2f65ffb452664e35a72e

    SHA256

    95bf3c36f8b9c956cd78ddb8be4107351a23032c34b2cec2b5bdc87da001d416

    SHA512

    e60e142f946d130971df5a13ebb73d5de1bbc74c105ac7827c234c94d5bbaef6406f425ff5df50360cda08733c5c6686982389ea92b1e732634b27aeaaf7034c

  • C:\Windows\tsrv.wax

    Filesize

    2KB

    MD5

    dbe2fcd767dce69ff7f8705062f60451

    SHA1

    f04dd3c43d64db1979c1ca9885fac3d160b0c301

    SHA256

    cfd84a42846392794a64469c3104c55f1332442a66a5414cbbb738b806d64077

    SHA512

    68eed67b1fc9374ada57532318978abe28d78034c87574d5280a24eecd0b30d3fbe358d1f8a7b5288de39d200555c34b2583989def959dc4aee6bad8dff7187d

  • memory/2660-18-0x0000000010000000-0x0000000010004000-memory.dmp

    Filesize

    16KB