Analysis

  • max time kernel
    15s
  • max time network
    20s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    10/07/2024, 18:04

General

  • Target

    35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe

  • Size

    54KB

  • MD5

    35ce5b9c0ab70d49eb9326ebf0dffed9

  • SHA1

    10ef0c6dc944bfba8d9dddda5bd5af62937d95b4

  • SHA256

    58dd01a3b49d3df61c8ea1b884e7a7aca80712937dffbeaebc6edf697231f9b5

  • SHA512

    99bc00ef26fc57fb86c6ce18c2bded4187e91dea9bda339773b3b7d6019315a1277aafe4b3c9a9b46e17519aa2f93080a8dfa00e08e9e3213b3f448f4a0a0034

  • SSDEEP

    768:79T7DkxBos1wirNyI+wVtTWFSlu7GwKYRnkbFrFeZs81HNQBMpc08i1vlpWxCRzd:VwBoYw+v1tg/fKYRixFeZs806b8GpZZ

Score
10/10

Malware Config

Signatures

  • Disables service(s) 3 TTPs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Launches sc.exe 4 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Kills process with taskkill 8 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 20 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2780
    • C:\Windows\SysWOW64\net.exe
      net stop "Security Center"
      2⤵
      PID:2160
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "Security Center"
        3⤵
        PID:2176
    • C:\Windows\SysWOW64\net.exe
      net stop "Windows Firewall/Internet Connection Sharing (ICS)"
      2⤵
      PID:1716
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
        3⤵
        PID:2752
    • C:\Windows\SysWOW64\net.exe
      net stop System Restore Service
      2⤵
      PID:2028
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop System Restore Service
        3⤵
        PID:2696
    • C:\Windows\SysWOW64\sc.exe
      sc config NOD32krn start= disabled
      2⤵
      • Launches sc.exe
      PID:1952
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /im nod32krn.exe /f
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2420
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /im nod32kui.exe /f
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2852
    • C:\Windows\SysWOW64\sc.exe
      sc config ekrn start= disabled
      2⤵
      • Launches sc.exe
      PID:2948
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /im ekrn.exe /f
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2952
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /im egui.exe /f
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2956
    • C:\Windows\SysWOW64\net.exe
      net stop "Security Center"
      2⤵
      PID:1888
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "Security Center"
        3⤵
        PID:3012
    • C:\Windows\SysWOW64\net.exe
      net stop "Windows Firewall/Internet Connection Sharing (ICS)"
      2⤵
      PID:2820
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
        3⤵
        PID:1804
    • C:\Windows\SysWOW64\net.exe
      net stop System Restore Service
      2⤵
      PID:2920
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop System Restore Service
        3⤵
        PID:2912
    • C:\Windows\SysWOW64\sc.exe
      sc config NOD32krn start= disabled
      2⤵
      • Launches sc.exe
      PID:2904
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /im nod32krn.exe /f
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2884
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /im nod32kui.exe /f
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:676
    • C:\Windows\SysWOW64\sc.exe
      sc config ekrn start= disabled
      2⤵
      • Launches sc.exe
      PID:2972
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /im ekrn.exe /f
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2900
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /im egui.exe /f
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2872
    • C:\Users\Admin\AppData\Local\Temp\SETUP.EXE
      C:\Users\Admin\AppData\Local\Temp\SETUP.EXE
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      PID:2768
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c del C:\avp.exe
      2⤵
      • Deletes itself
      PID:2392

Network

MITRE ATT&CK Enterprise v15


Downloads

  • \Users\Admin\AppData\Local\Temp\SETUP.EXE

    Filesize

    11KB

    MD5

    09c035dfbdf04171bc71a995236abb68

    SHA1

    f80479f5bf04909f517d8a08efb62957eedfcf34

    SHA256

    b58c462933d5317808d4a69856d9ee8968ff76dacad1ed9dc823d6b4e4bf93c7

    SHA512

    85c7375b8d591a8de9894419ce122b7f0b2e9e7c36c1aee52bd7eb1cb95558125a3f9ba432b001ccede9f401453905bdd1e9df1e536720e4053315ef98365394