Analysis

  • max time kernel
    121s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    26/07/2024, 16:29

General

  • Target

    74d4a56cc18a6e84c02706ba4884c00e_JaffaCakes118.exe

  • Size

    152KB

  • MD5

    74d4a56cc18a6e84c02706ba4884c00e

  • SHA1

    f3c8300e5bb4913c61cabfe0f080278d46c61850

  • SHA256

    5f90b124f1209fa7871d1024d0f0f618cd131006a1ca1718c4a2bbb93ea1cf07

  • SHA512

    3b90c34cfdfdf7b3e8cc09bd0f96c361ba6d56f86d686cc7e396ea4f15805d02e3bd0111051964c577103029205ecfe769cefe3be483485cadcf8ee17dd56f04

  • SSDEEP

    3072:3ckNHUjeZI2bKLrA4jk2SD1P3ASMog4pjTpVgsV5:pNSeW2bKL1aD1PPMoRjTpz5

Score
10/10

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 3 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in Program Files directory 8 IoCs
  • Drops file in Windows directory 1 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Office loads VBA resources, possible macro or embedded object present
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\74d4a56cc18a6e84c02706ba4884c00e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\74d4a56cc18a6e84c02706ba4884c00e_JaffaCakes118.exe"
    1⤵
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2628
    • C:\Program Files (x86)\Microsoft Office\Office14\winword.exe
      "C:\Program Files (x86)\Microsoft Office\Office14\winword.exe"
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2864
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
          PID:2656
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2628 -s 312
        2⤵
        • Program crash
        PID:2760

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

      Filesize

      19KB

      MD5

      d196b35c63a334ad43f17ac04a9de5bb

      SHA1

      8e052ad30fba2d311687e453bdc7a28740cc4988

      SHA256

      d37ad29cb4520f49c9067c0ee99b8abee5bd7e44a96c1ac97bb8938f346461bc

      SHA512

      181f19cd2882684cebce171e18a83f693cfafef2d270f14fc27c38250550607de30d87c42642b05dd7a6656b06d6a85de583d586e6ecb06aaf9bff7abe0a1803

    • C:\autorun.inf

      Filesize

      126B

      MD5

      163e20cbccefcdd42f46e43a94173c46

      SHA1

      4c7b5048e8608e2a75799e00ecf1bbb4773279ae

      SHA256

      7780bee9df142a17e0457f3dcb2788b50fc2792370089335597d33719126fb7e

      SHA512

      e5ac0ff6b087857799ab70f68067c9dc73eeb93ccfcad87047052380b95ade3e6eb2a7d01a0f850d548a39f4b1ebb60e299d603dbe25c31b9a3585b34a0c65a8

    • C:\zPharaoh.exe

      Filesize

      152KB

      MD5

      d03850bfe9569d9f027e8d5e08176741

      SHA1

      58df1615d8bf2b093036c400603cdb1cd45933b8

      SHA256

      fe84161c4ecd2f5da60d5fd8a45c7a0153ad7cd94b63d2757e35c4d529040f5b

      SHA512

      be8a224bb23c04d5aa6cb329b980ee222d7115e8a7e683a29224a20a4727b5b1ab6b0b5628c7e71d95d64b543fbcf1e11b3fde9e20e09642c50b5ad37f468708

    • F:\zPharaoh.exe

      Filesize

      151KB

      MD5

      aba4475e702a86ce8ab6b484056602c2

      SHA1

      4b6fa3f13485f07b7b89f05a8352735edcd896c6

      SHA256

      b70f922d06473420a733f49f020c6516d81f19cdc873eae94fac11b3ad30cdb1

      SHA512

      88b27c0a512a5c8f432b7bdb3d55fabf76f1be1bb70c47904217871db1da42843a8df9e43fb2ba9efc9aeee6896ce835a14bcfd345df5bb36833cb3d25832a39

    • memory/2628-0-0x0000000000400000-0x0000000000417000-memory.dmp

      Filesize

      92KB

    • memory/2864-35-0x000000002FA51000-0x000000002FA52000-memory.dmp

      Filesize

      4KB

    • memory/2864-36-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2864-37-0x00000000710BD000-0x00000000710C8000-memory.dmp

      Filesize

      44KB

    • memory/2864-39-0x00000000710BD000-0x00000000710C8000-memory.dmp

      Filesize

      44KB

    • memory/2864-52-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB