
Analysis

  • max time kernel
    149s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  • submitted
    20/07/2024, 09:53

General

  • Target

    6000c6e6fe5ef925bfa0de6b606cf713_JaffaCakes118.exe

  • Size

    288KB

  • MD5

    6000c6e6fe5ef925bfa0de6b606cf713

  • SHA1

    272fd57adc08a4d1c6292fb597190574c3e17e4a

  • SHA256

    04f2ef25ea59fb29ee9c5e4febb7fde42070908e6682ca27ed154bf7fd8c0b2a

  • SHA512

    c878eb1d3da48ca1272cdca6e178f1c0987aad07ada3c3d741a7fa5314af9f5b0da46f3d13ae622d6ee4510f9ab77fdd058e1369dd5dddb93fffcb66258c6e3c

  • SSDEEP

    6144:pgXJUOAgjCbFak5GRuZzDkKn3RbxgT7VMa9YocgEBHBQZUNMhwMMbbWg3jtAD6OV:pyUOPevlB9sZsuEBHBSWbkcn

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 52 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6000c6e6fe5ef925bfa0de6b606cf713_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\6000c6e6fe5ef925bfa0de6b606cf713_JaffaCakes118.exe"
    1⤵
    • Modifies visibility of hidden/system files in Explorer
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3032
    • C:\Users\Admin\cueluh.exe
      "C:\Users\Admin\cueluh.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:1984

Network

MITRE ATT&CK Enterprise v15

Downloads

  • \Users\Admin\cueluh.exe

    Filesize

    288KB

    MD5

    476c148c9ece1bf138159a62b934a7a9

    SHA1

    3d2d4ad28f2263a7dc060866113e3ddc96e4ae33

    SHA256

    a57ed137301e0df5314e565fcca87b22476abf1e57c6da21f845c8ca063b2e51

    SHA512

    cea35ee15d60cffaa97df1529efafc5cdbb1e377d6a197ee5b96daf956355bd91b15086b154cd18a2d233b9ed39d9cbc00b633e342f2ea484a573279aeb95ab1

  • memory/1984-16-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

  • memory/1984-22-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

  • memory/3032-0-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

  • memory/3032-9-0x0000000002B20000-0x0000000002B70000-memory.dmp

    Filesize

    320KB

  • memory/3032-15-0x0000000002B20000-0x0000000002B70000-memory.dmp

    Filesize

    320KB

  • memory/3032-20-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

  • memory/3032-21-0x0000000002B20000-0x0000000002B70000-memory.dmp

    Filesize

    320KB
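The Signatures, Processes and Downloads sections above together give a small, concrete hunting checklist: a 288KB file named cueluh.exe written to the root of the user profile (SHA256 a57ed137...), a Run key referencing it, and a change to Explorer's hidden/system file display. The script below is an added hunting example, not part of the tria.ge report or of the sample, and it assumes details the report does not show: which Run key and value name the sample used (so every Run key is searched for the dropped file name), and that the Explorer change targets the Hidden and ShowSuperHidden values under Explorer\Advanced (the usual targets of that signature). It needs PowerShell 4 or later for Get-FileHash and should be run elevated so that every loaded user hive is readable.

```powershell
# Added hunting script (not the report's or the sample's code). Looks for the artifacts
# this report lists on a live Windows host: the dropped file by name and SHA256, Run-key
# persistence that references it, and the current Explorer hidden-file settings.
# Assumptions (not stated in the report): the Run key and value name the sample used, and
# that the Explorer change is to the Hidden / ShowSuperHidden values under Explorer\Advanced.

$KnownSha256 = @(
    '04f2ef25ea59fb29ee9c5e4febb7fde42070908e6682ca27ed154bf7fd8c0b2a',  # submitted sample
    'a57ed137301e0df5314e565fcca87b22476abf1e57c6da21f845c8ca063b2e51'   # dropped cueluh.exe
)
$DroppedName = 'cueluh.exe'
$findings = @()

# 1. Dropped file: the report shows it written directly under the user's profile root.
foreach ($profile in Get-ChildItem 'C:\Users' -Directory -ErrorAction SilentlyContinue) {
    $candidate = Join-Path $profile.FullName $DroppedName
    if (Test-Path -LiteralPath $candidate) {
        $hash = (Get-FileHash -LiteralPath $candidate -Algorithm SHA256).Hash.ToLower()
        $status = if ($KnownSha256 -contains $hash) { 'HASH MATCH' } else { 'name match, unknown hash' }
        $findings += "[file] $candidate ($status, sha256=$hash)"
    }
}

# 2. Run-key persistence: machine-wide keys plus the Run key of every loaded user hive.
#    The report only says a Run key was added, so every value is checked for the file name.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
$runKeys += Get-ChildItem 'Registry::HKEY_USERS' | ForEach-Object {
    "Registry::$($_.Name)\Software\Microsoft\Windows\CurrentVersion\Run"
}
foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $props = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
    if ($null -eq $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own PSPath/PSParentPath metadata
        if ("$($p.Value)" -match [regex]::Escape($DroppedName)) {
            $findings += "[run key] $key : $($p.Name) = $($p.Value)"
        }
    }
}

# 3. Explorer hidden/system file visibility, per loaded user hive. Windows defaults are
#    Hidden=2 (do not show hidden files) and ShowSuperHidden=0 (do not show protected OS
#    files), which is also the state malware that hides its files wants, so the values
#    are reported for comparison against your baseline rather than flagged outright.
foreach ($hive in Get-ChildItem 'Registry::HKEY_USERS') {
    $adv = "Registry::$($hive.Name)\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
    if (-not (Test-Path -LiteralPath $adv)) { continue }
    $v = Get-ItemProperty -LiteralPath $adv -ErrorAction SilentlyContinue
    if ($null -ne $v) {
        $findings += "[explorer] $adv : Hidden=$($v.Hidden) ShowSuperHidden=$($v.ShowSuperHidden)"
    }
}

if ($findings.Count -eq 0) { 'No indicators from this report found.' } else { $findings }
```

The file check is hash-based because the report only gives the name the sample chose in this run; a name match with an unknown hash is still worth a look, since the 288KB size and the drop location are consistent with this sample family even if the binary was rebuilt. Run-key hits are matched on the file name rather than a specific value name for the same reason.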