Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    13/07/2024, 16:37

General

  • Target

    427d98ce83712423dd5f06af0ef50b1c_JaffaCakes118.exe

  • Size

    149KB

  • MD5

    427d98ce83712423dd5f06af0ef50b1c

  • SHA1

    c2fd6446feb577bd8ee2d463f09bcb3455fea73d

  • SHA256

    922ed7eb780628227c566eec0d2dd7a3ec26d2f631edcfd555ff0eba3f65a925

  • SHA512

    9feac20193dd044712b5d837e372e284cea9a065ce427413a5fae89050fa3897ea1cff3a196aa6e96eb6d23e5dd4588b8756b9c82d17a816af4babc5c083bd86

  • SSDEEP

    3072:WwvyIUMmPhjAXRE0Ck3fGgOABWToz/n71dBoTlROl5KI1EGZqO:4MmPhjKRPGOlf1o3Cp

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 7 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\427d98ce83712423dd5f06af0ef50b1c_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\427d98ce83712423dd5f06af0ef50b1c_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2544
    • C:\Users\Admin\AppData\Local\Temp\unself.exe
      C:\Users\Admin\AppData\Local\Temp\unself.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • Suspicious use of WriteProcessMemory
      PID:2148
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2148 -s 68
        3⤵
        • Loads dropped DLL
        • Program crash
        PID:2324
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\招標項目.doc"
      2⤵
      • Drops file in Windows directory
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:284
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
          PID:2648
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\427D98~1.EXE > nul
        2⤵
          PID:2764

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\招標項目.doc

        Filesize

        29KB

        MD5

        6c77f20529a7bb180a5005421f422952

        SHA1

        1b43ae9ff2861721ccb726786c363b24634ca429

        SHA256

        31ef3fcfa28d0f5cb10d468b58755b24078448ac5c0ff93a8ab09b20527a7bfc

        SHA512

        3d397b442bc1887053e9779acc9f477917e8c9e39c6e022deba36da422a6cab9bc3070cadb65a3c34434d4b32729e5b23f837552b61ad9f71047475f44dc8041

      • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

        Filesize

        19KB

        MD5

        7574b7fdd4d5bc68a46c7aec2c64b78b

        SHA1

        3bee93d044bef2a4ed8a4fcf3860204c5f0f2102

        SHA256

        19c9d492ee15622064427a00088c845322099ffe93f0b7b62b5e0447538d6f82

        SHA512

        479f52523c2a4aeb7d5511f4c29c04f7f950d11fb5e1555d6b82b8c96d056e67ddb3ce093ff40236a769104ec4c114e60ec74f62791e574bb163041bbb044ef4

      • C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

        Filesize

        2B

        MD5

        f3b25701fe362ec84616a93a45ce9998

        SHA1

        d62636d8caec13f04e28442a0a6fa1afeb024bbb

        SHA256

        b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

        SHA512

        98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

      • \Users\Admin\AppData\Local\Temp\unself.exe

        Filesize

        88KB

        MD5

        de84a438ef886bb834923b4e21dc1236

        SHA1

        d6652d76167118b616f36ef41fe9a1d03c468bed

        SHA256

        e537a97377d368fca1d9c2431f38d3c227d06a6a588fc0ea0d4ee47ab53162ce

        SHA512

        fa3e3b42bdb58f2922567fac2aa99652c6e94539839ab58d522f8ff5080ced3d380017493637d4a041185b778e48549c8182ba5bc00e2b49d5269f219eaa5e90

      • memory/284-17-0x000000002F291000-0x000000002F292000-memory.dmp

        Filesize

        4KB

      • memory/284-18-0x000000005FFF0000-0x0000000060000000-memory.dmp

        Filesize

        64KB

      • memory/284-19-0x0000000070B5D000-0x0000000070B68000-memory.dmp

        Filesize

        44KB

      • memory/284-29-0x0000000070B5D000-0x0000000070B68000-memory.dmp

        Filesize

        44KB

      • memory/284-44-0x000000005FFF0000-0x0000000060000000-memory.dmp

        Filesize

        64KB