Analysis

  • max time kernel
    140s
  • max time network
    134s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags
    arch:x64
    arch:x86
    image:win7-20240705-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    20/07/2024, 05:18

General

  • Target

    5f2aaa3458a8a94a91dd71586935b2b2_JaffaCakes118.exe

  • Size

    770KB

  • MD5

    5f2aaa3458a8a94a91dd71586935b2b2

  • SHA1

    a16221e31c960dafe501a3fca7e394d92c0e0682

  • SHA256

    af351378c41c581f1f9b8fb2d80090e4aa1ec844c417eb0ebae479be4cbc6ce3

  • SHA512

    fc3a35ba008523cb21e4006b34e5fcf7e8935471c4ccf40661737dad62f5de4acc0e83f8d7692517e93488b06290edb913a0e9f9a790c54dde06bdacb055e094

  • SSDEEP

    12288:0krXV6E2/ZX7kGRE/E2HjwZCSBcbn68wGhQ4kkR7DaKAa9VSaQwBirzeF58Lm32:XF6E2BX4qByk4vwGhQ4w+BomWY2

Score
8/10

Malware Config

Signatures

  • Adds policy Run key to start application 2 TTPs 2 IoCs

    Writes a value under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (reg.exe, PID 2976, in the process tree below). This is a logon autostart location covered by ATT&CK T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder); unlike the better-known CurrentVersion\Run key it is not shown by msconfig or Task Manager's Startup tab, so check it explicitly when hunting.

  • Executes dropped EXE 2 IoCs

    option.exe and scrss.exe, both written to C:\Users\Admin\AppData\Local by the sample (hashes under Downloads). The name scrss.exe resembles the legitimate csrss.exe (Client Server Runtime Process).

  • Loads dropped DLL 6 IoCs

    The dropped-file list contains a single DLL, C:\Users\Admin\AppData\Local\ntldr.dll (hashes under Downloads); its name is borrowed from the legacy Windows NT boot loader.
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5f2aaa3458a8a94a91dd71586935b2b2_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\5f2aaa3458a8a94a91dd71586935b2b2_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1872
    • C:\Users\Admin\AppData\Local\option.exe
      "C:\Users\Admin\AppData\Local\option.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetWindowsHookEx
      PID:2400
    • C:\Users\Admin\AppData\Local\scrss.exe
      "C:\Users\Admin\AppData\Local\scrss.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:2992
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c syscheck.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2932
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /V scrss.exe /D "\"C:\Users\Admin\AppData\Local\scrss.exe \"" /f
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2096
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /V scrss.exe /D "\"C:\Users\Admin\AppData\Local\scrss.exe \"" /f
          4⤵
          • Adds policy Run key to start application
          • Modifies registry key
          PID:2976
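
The process tree shows the persistence chain: the dropper (PID 1872) runs syscheck.bat through cmd.exe, which spawns a second cmd.exe and finally reg.exe to add an Explorer policy Run value pointing at scrss.exe. The following is an added example of detection logic for that chain, not code from the report or from tria.ge; it runs over process-creation command lines such as Sysmon Event ID 1 or Security 4688 with command-line auditing enabled. It splits command lines with the Windows CommandLineToArgvW quoting rules rather than POSIX shlex, because the sample escapes the quotes in its /D argument as \" and leaves a trailing space inside them, and it unwraps one level of "cmd /c" so both the PID 2096 and PID 2976 events are flagged. The two report command lines are reused verbatim; the other events, the autorun key list, the regex and all function names are constructed for this example.

```python
from __future__ import annotations
import ntpath
import re

# Autorun locations executed at logon, matched as key suffixes so the HKCU, HKLM,
# HKU\<SID> and Wow6432Node variants are all covered (list constructed for the example).
AUTORUN_KEY_SUFFIXES = (
    r"\microsoft\windows\currentversion\run",
    r"\microsoft\windows\currentversion\runonce",
    r"\microsoft\windows\currentversion\policies\explorer\run",
)
ROOT_ALIASES = {"hkcu": "hkey_current_user", "hklm": "hkey_local_machine", "hku": "hkey_users"}
# One level of "cmd /c <command>" (or /k), with or without a path to cmd.exe.
CMD_WRAPPER = re.compile(r'(?i)^\s*"?(?:[^"\s]*\\)?cmd(?:\.exe)?"?\s+/[ck]\s+(.*)$')

def split_windows_cmdline(cmdline: str) -> list[str]:
    """Split with CommandLineToArgvW rules (argv[0] not special-cased): 2n backslashes
    before a quote give n backslashes and toggle quoting, 2n+1 give n plus a literal
    quote, other backslashes are literal. POSIX shlex would mangle the sample's \\"."""
    args, cur, in_quotes, have_arg, i = [], [], False, False, 0
    while i < len(cmdline):
        c = cmdline[i]
        if c == "\\":
            j = i
            while j < len(cmdline) and cmdline[j] == "\\":
                j += 1
            run = j - i
            if j < len(cmdline) and cmdline[j] == '"':
                cur.append("\\" * (run // 2))
                if run % 2:
                    cur.append('"')
                else:
                    in_quotes = not in_quotes
                j += 1
            else:
                cur.append("\\" * run)
            have_arg, i = True, j
        elif c == '"':
            in_quotes, have_arg, i = not in_quotes, True, i + 1
        elif c in " \t" and not in_quotes:
            if have_arg:
                args.append("".join(cur))
                cur, have_arg = [], False
            i += 1
        else:
            cur.append(c)
            have_arg, i = True, i + 1
    if have_arg:
        args.append("".join(cur))
    return args

def normalize_key(key: str) -> str:
    """Lower-case, expand the root abbreviation, drop a trailing backslash."""
    root, _, rest = key.strip().strip('"').lower().partition("\\")
    return ROOT_ALIASES.get(root, root) + "\\" + rest.rstrip("\\")

def detect_autorun_reg_add(cmdline: str) -> dict | None:
    """Return a finding when the command line is reg.exe adding an autorun value."""
    wrapped = CMD_WRAPPER.match(cmdline)
    if wrapped:                                   # flags the cmd.exe parent as well
        return detect_autorun_reg_add(wrapped.group(1))
    argv = split_windows_cmdline(cmdline)
    if (len(argv) < 3 or ntpath.basename(argv[0]).lower() not in ("reg", "reg.exe")
            or argv[1].lower() != "add"):
        return None
    key = normalize_key(argv[2])
    if not key.endswith(AUTORUN_KEY_SUFFIXES):
        return None
    value_name, data, i = "(default)", "", 3
    while i < len(argv):                          # /v and /d take one operand each
        sw = argv[i].lower()
        if sw == "/v" and i + 1 < len(argv):
            value_name, i = argv[i + 1], i + 2
        elif sw == "/d" and i + 1 < len(argv):
            data, i = argv[i + 1], i + 2
        else:                                     # /t <type>, /f, /ve, anything else
            i += 1
    # The sample stores "C:\...\scrss.exe " with a trailing space inside the quotes; Win32
    # path normalization drops it, so the file still runs. Normalize before IOC matching.
    target = data.strip().strip('"').strip()
    return {"key": key, "value_name": value_name, "raw_data": data, "target": target,
            "policy_key": key.endswith(AUTORUN_KEY_SUFFIXES[2])}

def scan(events: list[tuple[int, str]]) -> list[dict]:
    """Apply the detector to (pid, command_line) pairs, e.g. from Sysmon Event ID 1."""
    return [{"pid": pid, **hit} for pid, cmd in events if (hit := detect_autorun_reg_add(cmd))]

# SAMPLE_REG_ADD is the reg.exe command line from the process tree (PID 2976) and the
# cmd /c wrapper reproduces PID 2096; the remaining three events are constructed.
SAMPLE_REG_ADD = (r'REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run '
                  r'/V scrss.exe /D "\"C:\Users\Admin\AppData\Local\scrss.exe \"" /f')
EVENTS = [
    (2096, "cmd /c " + SAMPLE_REG_ADD),
    (2976, SAMPLE_REG_ADD),
    (3101, r"reg add HKCU\Software\Contoso\Settings /v Theme /t REG_SZ /d dark /f"),
    (3102, r"REG QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Run"),
    (3103, r'"C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" '
           r"/v Updater /t REG_SZ /d C:\ProgramData\u.exe /f"),
]
```

scan(EVENTS) returns three findings, for PIDs 2096, 2976 and 3103; the benign Contoso write and the REG QUERY are ignored. For the two report lines the normalized target is C:\Users\Admin\AppData\Local\scrss.exe with policy_key set, while raw_data preserves the original `"C:\Users\Admin\AppData\Local\scrss.exe "` so the trailing-space trick stays visible in the alert. Matching on the normalized target, not the raw string, is what lets the dropped-file hashes in the Downloads section be tied to the persistence entry. Note that this catches only reg.exe; direct registry writes from the sample's own process (the "Modifies registry key" signature above) need registry-event telemetry such as Sysmon Event ID 13 rather than command-line matching.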

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Option.ini

    Filesize

    353B

    MD5

    34f21c84d701e9c9f70780e52adb1de9

    SHA1

    51bf0edd36084a1339551847cd016f32d500b357

    SHA256

    1fc5f81e15c3747611c33f26441ebd0c4f57b2baa7756d5cc718a7f8358890d2

    SHA512

    abbe67d3ce94a134c67fe4dc473e49f5a8fcda20d1c699196431c44bd533949c3c26e1b51a5bfd4806dbdae17adf41d479052509a147afe07b3cc30db97dd5f2

  • C:\Users\Admin\AppData\Local\Temp\syscheck.bat

    Filesize

    168B

    MD5

    0d92b381efa1a49bd3cc2cf3ff28bd45

    SHA1

    23fac6be89436f94a4f8fca5057be514c787b9b6

    SHA256

    b5b5a4055d2b10d9e6af0580c28ee9099632cc36eaa946ce442f65a77ee92e84

    SHA512

    78b611a37cf21a0bb26204f0f3057b5d800be3c2ad8190af06725e82bdcc883473cb0087f1f7bc8c0199467d14282ea92d340421d8bf796f7e45451727f66391

  • C:\Users\Admin\AppData\Local\ntldr.dll

    Filesize

    92KB

    MD5

    8a5e40eb6518353e5758e5b237897c78

    SHA1

    dd452e565485f48c2131dadc40a32b0d3007cef6

    SHA256

    5f8ba5c1522847452d92b507770bfb454548d8a02232040c6be4323792400d4f

    SHA512

    c941b82c3bd6be61506ac9215ab8e26983a8654444703b5a0236739a3b50a498ed0c65054b68481c026123d88b0f0e9e36f92b0f0028b4cc034345ec17f3b268

  • C:\Users\Admin\AppData\Local\scrss.exe

    Filesize

    237KB

    MD5

    c8c37aa823da020c7bc6c86752e2d3f5

    SHA1

    9c8dcc78b838ba7cf33160b48dfd7a061ff1318e

    SHA256

    52e24c3734c8656dff8603d706cf711bd63fd120d19633e7c0c4568f54e249c9

    SHA512

    b2129ebd8205e6bd4be4a34e8f09a4e0c0f2882cdde7afe631206d76ea50799fae8be61cbb4ebf8af3f5b883d852ec5fbfe868ab81007d46deadeded81316a63

  • \Users\Admin\AppData\Local\option.exe

    Filesize

    232KB

    MD5

    81834d4397b63bd30f869289df27e810

    SHA1

    0a969151a4b1f227be7c7b4643f44eff32d3e5af

    SHA256

    343e9ecd7836063440cf7e3d7002af182047fbde667e6d2eaae9021975385452

    SHA512

    57e52f62b9f1922a2a5e435f461387cba50bd5a6fd93b750c98d3a69f806264416023c7fc5f31f118110fb8d729cdcf6c0516e7c3a496b5040876a1999e684a8

  • memory/1872-32-0x0000000000400000-0x00000000004C8000-memory.dmp

    Filesize

    800KB

  • memory/2400-31-0x0000000001D90000-0x0000000001DAC000-memory.dmp

    Filesize

    112KB

  • memory/2400-51-0x0000000001D90000-0x0000000001DAC000-memory.dmp

    Filesize

    112KB

  • memory/2992-28-0x0000000000230000-0x000000000024C000-memory.dmp

    Filesize

    112KB

  • memory/2992-52-0x0000000000400000-0x0000000000441000-memory.dmp

    Filesize

    260KB

  • memory/2992-53-0x0000000000230000-0x000000000024C000-memory.dmp

    Filesize

    112KB

  • memory/2992-58-0x0000000000400000-0x0000000000441000-memory.dmp

    Filesize

    260KB

  • memory/2992-64-0x0000000000400000-0x0000000000441000-memory.dmp

    Filesize

    260KB

  • memory/2992-70-0x0000000000400000-0x0000000000441000-memory.dmp

    Filesize

    260KB

  • memory/2992-76-0x0000000000400000-0x0000000000441000-memory.dmp

    Filesize

    260KB