Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    147s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    14/07/2024, 13:46

General

  • Target

    46143d2dcb939fe3cce62ea2c8401aec_JaffaCakes118.exe

  • Size

    120KB

  • MD5

    46143d2dcb939fe3cce62ea2c8401aec

  • SHA1

    6d9b033fc1571793a90f9e4d99305e3f137dd811

  • SHA256

    c920c5c4f7b71c16aacfddc895cae009a222520ffab21ee19017256d87e1a26d

  • SHA512

    00e0bb6db40c5b7c111cfd3f3d3923213ccf9c76d00802f1b06aea35e4eee66a3ccdfdd264d110e25cad6636a40eb87866ffea0d4e869aec2cb34a13d312d560

  • SSDEEP

    3072:hGN9qJK8zxBf/+L8Cabilf6N4wT6o8K8GthgB/w:W9ixBebaE65

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Kills process with taskkill 1 IoCs
  • Runs ping.exe 1 TTPs 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\46143d2dcb939fe3cce62ea2c8401aec_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\46143d2dcb939fe3cce62ea2c8401aec_JaffaCakes118.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:2312
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Windows\ff.bat
      2⤵
      • Deletes itself
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:2784
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1
        3⤵
        • Runs ping.exe
        PID:2776
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1
        3⤵
        • Runs ping.exe
        PID:2960
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1
        3⤵
        • Runs ping.exe
        PID:2724
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1
        3⤵
        • Runs ping.exe
        PID:2580
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1
        3⤵
        • Runs ping.exe
        PID:2708
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im snss.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2236
      • C:\Windows\snss.exe
        "C:\Windows\snss.exe"
        3⤵
        • Executes dropped EXE
        PID:1484

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\ff.bat

    Filesize

    581B

    MD5

    df0dcc0c8115b89296f85865537891c7

    SHA1

    a107b1947f6095c984df2639f148d699cdf86b66

    SHA256

    94d454be9f4bddf2bed180881bb90b75c6eb4c8f3b87b0960c8057ecdae87020

    SHA512

    870c34fa985f8ee2d683e261fce78e3b59da494f36d54ee52bc1bb6191233c8ba6b8aeb334bd09b11d783a9673b9d52358d1a63782a1e6d075348040490b6a73

  • C:\Windows\snss.lnk

    Filesize

    1KB

    MD5

    5d7615797529e6dd071408b25e1237fd

    SHA1

    d3c4519a655f5c1d5159ee24e69dcf4b21b45f56

    SHA256

    92728ad86d08de628ac876ad263e08d1f74a7df48bb01e9937e4ad801315c1a8

    SHA512

    5321fc66cfb93ae135aed155b823576fb65d5e468dfc7ed31167550305aa3ffbe0a15e2028c564e0c469ecf1baa4897007570d179496a335f507c09477743e29

  • C:\Windows\snss1.exe

    Filesize

    120KB

    MD5

    46143d2dcb939fe3cce62ea2c8401aec

    SHA1

    6d9b033fc1571793a90f9e4d99305e3f137dd811

    SHA256

    c920c5c4f7b71c16aacfddc895cae009a222520ffab21ee19017256d87e1a26d

    SHA512

    00e0bb6db40c5b7c111cfd3f3d3923213ccf9c76d00802f1b06aea35e4eee66a3ccdfdd264d110e25cad6636a40eb87866ffea0d4e869aec2cb34a13d312d560

  • memory/1484-22-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/2312-11-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB