Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    140s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system
  • submitted
    11/07/2024, 00:25

General

  • Target

    3700da46b72b0d70032dfc574c9340d3_JaffaCakes118.exe

  • Size

    200KB

  • MD5

    3700da46b72b0d70032dfc574c9340d3

  • SHA1

    30fb310a0105aa2bf827c764fcbd7d6ff10a6f34

  • SHA256

    15c349a8c9212df0993b43e14ea23230cac772ca9b7a10456d90d20358602229

  • SHA512

    c80df7fc8e96cd02cf8cc819e7fd0d81975e2ca6a26b42b478126f9a179f48cbe30493d6fe0ae220d5fe7c86a7b19371e9ccd9741e7d0bad3b5fec170a9a0267

  • SSDEEP

    6144:SoODFF3JH1ake3Nr/HXPm13QQiI2UOgoo730z8myhzUHqn:MSjr/PmeQiZgoo7E0eq

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3700da46b72b0d70032dfc574c9340d3_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\3700da46b72b0d70032dfc574c9340d3_JaffaCakes118.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Suspicious use of WriteProcessMemory
    PID:1300
    • C:\Users\Admin\AppData\Local\Temp\3700da46b72b0d70032dfc574c9340d3_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\3700da46b72b0d70032dfc574c9340d3_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
      2⤵
      PID:2560
    • C:\Users\Admin\AppData\Local\Temp\3700da46b72b0d70032dfc574c9340d3_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\3700da46b72b0d70032dfc574c9340d3_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
      2⤵
      PID:1484

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\A114.69F

    Filesize

    1KB

    MD5

    06808761b55dc9368948266797d2dd9d

    SHA1

    816d01a992342828d550ffbbd929ef21b31facd0

    SHA256

    ece2f8dc6f7e5d05a964575fb17c8f92c7ce26e0cfb53af343a19a5351263656

    SHA512

    05e202a8a19a7e2dfef67893fd2b4f9d664657725950e26f5a6ec384c691f01c94fb04ba0bef7d019dd93fc314f77e17ace1d6d964f5fb69ac77034f0586cd02

  • C:\Users\Admin\AppData\Roaming\A114.69F

    Filesize

    600B

    MD5

    6b042d3ca7a8a1487357e19a440b0ee4

    SHA1

    cf8ed64bb9d7e5afb4349d999e382c64a6e39592

    SHA256

    bba298003728af93b4b3c94e14112bc27ad812c58432bbd7fd4eedc454cea20f

    SHA512

    aa381e26a2972045fab0777b6346803dd947ee5bc4e7e307f22e7339d11eeb831f19fb8fc27cc399baf5db6d0a1822bdf7da738a3984a13eef70e12989931bba

  • memory/1300-1-0x0000000000400000-0x000000000048C000-memory.dmp

    Filesize

    560KB

  • memory/1300-3-0x0000000000400000-0x000000000048C000-memory.dmp

    Filesize

    560KB

  • memory/1300-14-0x0000000000400000-0x000000000048C000-memory.dmp

    Filesize

    560KB

  • memory/1300-81-0x0000000000400000-0x000000000048C000-memory.dmp

    Filesize

    560KB

  • memory/1300-187-0x0000000000400000-0x000000000048C000-memory.dmp

    Filesize

    560KB

  • memory/1484-80-0x0000000000400000-0x000000000048C000-memory.dmp

    Filesize

    560KB

  • memory/1484-151-0x0000000000400000-0x000000000048C000-memory.dmp

    Filesize

    560KB

  • memory/2560-6-0x0000000000400000-0x000000000048C000-memory.dmp

    Filesize

    560KB