Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    14/07/2024, 04:48

General

  • Target

    445e8d5e7bc9e7d73b1189c2567ebd41_JaffaCakes118.exe

  • Size

    108KB

  • MD5

    445e8d5e7bc9e7d73b1189c2567ebd41

  • SHA1

    3dd1b3fd60befc25cc6358c4bacfb9aaadb1a6a6

  • SHA256

    79cf60976b460063d4eb8f7e83039aebf18dba16c50a787d191e72ecfefbddfe

  • SHA512

    8e4c292cfe20bee8e842a5d00985800773a546171c321d8c06ac9b6740a14ca08dc6a1a6540d65bd17fc17be2bf7a2babe00a07a4cf7e684970c15dffc1662a9

  • SSDEEP

    3072:IgXdZt9P6D3XJbCifHK1tjsITcqbfH7TtEz:Ie344ifHK1JxcEH7G

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\445e8d5e7bc9e7d73b1189c2567ebd41_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\445e8d5e7bc9e7d73b1189c2567ebd41_JaffaCakes118.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2484
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Ff8wfHZYn0.dll",Install C:\Users\Admin\AppData\Local\Temp\Ff8wfHZYn0
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2796
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /e:on /d /c ping -n 6 127.0.0.1 && DEL /F "C:\Users\Admin\AppData\Local\Temp\Ff8wfHZYn0.dll" >> nul
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1424
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 6 127.0.0.1
          4⤵
          • Runs ping.exe
          PID:2256

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Ff8wfHZYn0

    Filesize

    1024B

    MD5

    6499956889099f048bd8394fc3cca7ca

    SHA1

    22c48f326d2eae410239e4a08582b1830cbf3181

    SHA256

    f121459547bd348063dac8ed5424e97bad30b880d5499edd66fb8af26022f921

    SHA512

    f3ee3e9c72de3b0563ae7817b451e4bbd1a517a51a2de9c61279e4145524397555b235c217e8512121ec7d7e075544aad970c3d8a3fb610b70e045c8664c33ec

  • \Users\Admin\AppData\Local\Temp\Ff8wfHZYn0.dll

    Filesize

    89KB

    MD5

    7a06cb307f802c120609c0b3c1e963a9

    SHA1

    2bda4b275422ea6138b12efaeefcb9e279f1de95

    SHA256

    292340cb04147497e7828986c55765e24bc863ab8e3066b317d78032beab984a

    SHA512

    a38c7cfb714859ddca000390bae3c4dc5a4cf88db2e974168bf1270b0740568630ce2afd63cb6b663c7df9296a97d2c0dbc0968b2eaaab74487cd179876752a6

  • memory/2796-11-0x0000000000260000-0x0000000000274000-memory.dmp

    Filesize

    80KB

  • memory/2796-10-0x0000000000220000-0x0000000000239000-memory.dmp

    Filesize

    100KB

  • memory/2796-9-0x00000000001F0000-0x0000000000204000-memory.dmp

    Filesize

    80KB

  • memory/2796-7-0x0000000000260000-0x0000000000274000-memory.dmp

    Filesize

    80KB

  • memory/2796-15-0x0000000000260000-0x0000000000274000-memory.dmp

    Filesize

    80KB