Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    20/07/2024, 10:25

General

  • Target

    601b85cd6d088bd86d9d21e8f54a2fed_JaffaCakes118.exe

  • Size

    182KB

  • MD5

    601b85cd6d088bd86d9d21e8f54a2fed

  • SHA1

    8cb4059305ae688fdc02e296f445a02784e01108

  • SHA256

    1c666eccfe50dc191a32e5c77229fc791e89fa6e5d1ebf235a1c13d5a2225030

  • SHA512

    4e035b1227de2eef0b4f5f0ef6ff6c78964c6303c2fd5ad6e7b85b41bcf1b733aafe403bcea2466d46269946b4ec5365269b59a6615236915d056d834b994032

  • SSDEEP

    3072:aLbPRzNoP80lMaV5Q93DKAJjjH6bJjtpivAk12Ln/2IeWXE5MV6CWiqD89SfIIUy:+MP80lzLW3DJJP6bJjjoH1o/2lW020CS

Score
7/10

Malware Config

Signatures

  • ASPack v2.12-2.42 (1 IoC)

    Detects executables packed with ASPack v2.12-2.42

  • Executes dropped EXE (1 IoC)
  • Loads dropped DLL (2 IoCs)
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Drops file in System32 directory (6 IoCs)
  • Modifies system certificate store (2 TTPs, 2 IoCs)
  • Runs ping.exe (1 TTP, 1 IoC)
  • Suspicious use of WriteProcessMemory (12 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\601b85cd6d088bd86d9d21e8f54a2fed_JaffaCakes118.exe (PID 2556)
    Command line: "C:\Users\Admin\AppData\Local\Temp\601b85cd6d088bd86d9d21e8f54a2fed_JaffaCakes118.exe"
    • Adds Run key to start application
    • Drops file in System32 directory
    • Modifies system certificate store
    • Suspicious use of WriteProcessMemory
    • C:\Windows\SysWOW64\cmd.exe (PID 2104, child of 2556)
      Command line: cmd /c C:\Windows\system32\winsys.bat
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      • C:\Windows\SysWOW64\PING.EXE (PID 2812, child of 2104)
        Command line: ping localhost
        • Runs ping.exe
      • C:\Windows\SysWOW64\taskimg.exe (PID 2688, child of 2104)
        Command line: C:\Windows\system32\taskimg.exe
        • Executes dropped EXE
        • Drops file in System32 directory

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

    Filesize

    717B

    MD5

    822467b728b7a66b081c91795373789a

    SHA1

    d8f2f02e1eef62485a9feffd59ce837511749865

    SHA256

    af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9

    SHA512

    bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A9311A43BB35D90CA31DB0B353DC2084

    Filesize

    503B

    MD5

    2ed7ba52dde93dbc327035f6c6c7dbd3

    SHA1

    e6e98c6c74d0abfe96d630c52740e0817d335c47

    SHA256

    9dab07e4e900aaa46e1ec20563a6a1bd44911e6e42a15db49295892c797fdf10

    SHA512

    d161ee2d4718665c36b3b299e089f21908fe6c7b14e87e5b49e139cb73a5c8fbbe294c24b731812f06fa78e641741b06e24e33be2edd0772ff4ecf9180582192

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B739B29E00001B3AAE62EC8865A3C7C2

    Filesize

    504B

    MD5

    e38d8b1a26aad6db08ae45fd0a90d10a

    SHA1

    e8e6684dc7d685cd34a40ca129eece51505a0cf6

    SHA256

    1c1ec960d19541b732b6cc767b7f7cfe66163c83f5e2fc4652dc773b7192ad4a

    SHA512

    c0cede8e29d942236750b30b9c487566fa310c1dde82d7e5aac6144f82108048fa3991e2277eb4cd23af40cd09b3989ae849d13497971cd0089c6e5874380337

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

    Filesize

    192B

    MD5

    cc656c5d3676eb16f17a07c138e5ddf5

    SHA1

    c5621f8466800ff969e1e1d62eb105f17b6e0fd8

    SHA256

    a3ee5706c483d516b84b13e90a767d172768d82670a58b0656d6c3951c44981f

    SHA512

    ce6090d7f41bf1929b572b839645b36a6256cf1de6df15d868438708036e39dff2bf092988c264086df03973d68c69e411af8d5eab67bf474e1b650a96acf1f9

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A9311A43BB35D90CA31DB0B353DC2084

    Filesize

    548B

    MD5

    c08fea725f64a3111a6a4e87b550824a

    SHA1

    84cb3b559ca2b8fb3e52d3abe2f0e8883017a331

    SHA256

    7156f951ce32dfa16ed5c4a6b6ec7f4749949faa2ecfa90ea6c70cd34a5979e3

    SHA512

    117240ea4cd96dedae89426776458df21bc544f168e1b7c9a903729f3e547b0f465684fc9ada5ff15432b0480d1c30ccc2e8dc3b146d80e9dd229fcab4f98193

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B739B29E00001B3AAE62EC8865A3C7C2

    Filesize

    550B

    MD5

    f6b87a978adb8a1eb126dfc004687f04

    SHA1

    90d1e0b6672ba3dae67f99518ac7ea6f724ecffd

    SHA256

    3f321229a4c8e166fca385a0036b6920cfaafc4716b2e559c0b53c833738215b

    SHA512

    fee3f87d0d5729550cef0356f397f055f316abd53cad76100c1808b655f583a7502592a56799a9a7d35f84bb18f6c333cad30c38a4e1b8827fe87c68a353d831

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NFAY0EOS\revisador[1].htm

    Filesize

    322B

    MD5

    a62b0493438fd61d0cde8dffc3a8616e

    SHA1

    07b00bdf8e858c6c3fc06554f6c5fd4955c5ab43

    SHA256

    9820da6718489adaa1ab2ada6f043af32870a720f7589d6e44252d9a8001d7fc

    SHA512

    a10c56ed5ab7c372140fb52d245d034d772328dc6649ebe45e86a4cf7c887e39b5d2fc26455a080891d81769d444cf2348e621edc0a07b2cfb482e979d1cbf88

  • C:\Users\Admin\AppData\Local\Temp\Cab6410.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Windows\SysWOW64\active_url.dll

    Filesize

    34KB

    MD5

    bf23b8211a7154788bbafcd6bb19c027

    SHA1

    61cfa125b60203502b95778e2459da3b771acfd2

    SHA256

    b55b066aa7acddfd4dc39411927ba020afb1e8abe7df56c4aa50d1c841c7cdcc

    SHA512

    cb41eeae5701c9f28270bb0f979c03619bd31c8a7cd90d985650008578ed50a3407cd9b54abfb419217e018b442d0102d035ade93e301f6d3fc6d48e6a0400c5

  • C:\Windows\SysWOW64\winsys.bat

    Filesize

    73B

    MD5

    cc498e91d17130bb2da47fa2c635f09e

    SHA1

    e01d7c7a67f50ebb7da552fc27a6555af253f61b

    SHA256

    709b45ebdc8e80db1d3df44e0335004cc8f43be7482010ee0732ecf923ec172e

    SHA512

    32cf292949760129a6767ddaeaac2b8595e682903883963c7a9e6da0b9269035f235164fb5cfc61a9e32b74a0beb57b0123ed350679923b4021b1838b8b414ce

  • \Windows\SysWOW64\taskimg.exe

    Filesize

    182KB

    MD5

    601b85cd6d088bd86d9d21e8f54a2fed

    SHA1

    8cb4059305ae688fdc02e296f445a02784e01108

    SHA256

    1c666eccfe50dc191a32e5c77229fc791e89fa6e5d1ebf235a1c13d5a2225030

    SHA512

    4e035b1227de2eef0b4f5f0ef6ff6c78964c6303c2fd5ad6e7b85b41bcf1b733aafe403bcea2466d46269946b4ec5365269b59a6615236915d056d834b994032

  • memory/2556-0-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

  • memory/2556-30-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

  • memory/2688-36-0x00000000001B0000-0x00000000001B1000-memory.dmp

    Filesize

    4KB

  • memory/2688-60-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB