Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    26/07/2024, 20:51

General

  • Target

    75ac95c69ee5b6cd50e2c4903a068f26_JaffaCakes118.dll

  • Size

    476KB

  • MD5

    75ac95c69ee5b6cd50e2c4903a068f26

  • SHA1

    aa80a94ed17869dfe2ec18ee18ef6051f7836805

  • SHA256

    4e4bc1e6626ef7099dee44942e4350e3b1d327689fbbfe708705950a8be62d96

  • SHA512

    b9c30aa22cebfc5a832803db26f42c0607be94afb57d38ad3fcf3c39a2df636f78c93bade1ebf49ca49a0bafc2823f713d729629703683d6ad551f1ef2d721d4

  • SSDEEP

    12288:xFY/nud2glrDhcLrfJ/p/To0vp84nCrMlUDcoSmkq/u:Q/8l/OHJh/UuxCrMDoSmkA

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 45 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Drops file in System32 directory 20 IoCs
  • Drops file in Windows directory 13 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Modifies registry class 47 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
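
The "Writes to the Master Boot Record (MBR)" signature above means the sample rewrote sector 0 of the disk, which is where a bootkit places code that runs before the operating system. The Python below is an added example, not part of the tria.ge report and not code from the sample, showing the check a responder would run against a raw MBR dump: parse the 512-byte sector, hash the bootstrap code region, and compare it with a known-good hash taken from the same host before infection. The MBR bytes and baseline hash are constructed placeholders; the report does not show what this sample actually wrote, so no bootkit code is reproduced here.

```python
import hashlib
import struct

# Layout of a classic (non-GPT) 512-byte MBR.
SECTOR_SIZE = 512
BOOT_CODE_LEN = 440        # bytes 0..439: bootstrap code, the region a bootkit overwrites
DISK_SIG_OFF = 440         # bytes 440..443: disk signature written by Windows; 444..445 reserved
PART_TABLE_OFF = 446       # four 16-byte partition entries
SIGNATURE_OFF = 510        # bytes 510..511: 0x55 0xAA


def parse_partition_entry(entry: bytes) -> dict:
    """Decode one 16-byte partition entry: status, type, start LBA, sector count."""
    status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack("<B3sB3sII", entry)
    return {"status": status, "type": ptype, "lba_start": lba_start, "sectors": sectors}


def parse_mbr(sector: bytes) -> dict:
    """Parse a raw MBR sector; raises ValueError if it is not a plausible MBR."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[SIGNATURE_OFF:SIGNATURE_OFF + 2] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    parts = [
        parse_partition_entry(sector[PART_TABLE_OFF + 16 * i: PART_TABLE_OFF + 16 * (i + 1)])
        for i in range(4)
    ]
    return {
        # Hash only the bootstrap code, not the disk signature, so a disk that was
        # legitimately re-signed by Windows does not produce a false positive.
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": sector[DISK_SIG_OFF:DISK_SIG_OFF + 4].hex(),
        "partitions": parts,
    }


def check_mbr(sector: bytes, baseline_boot_code_sha256: str) -> list:
    """Compare an MBR against a known-good boot-code hash; an empty list means it matches."""
    info = parse_mbr(sector)
    findings = []
    if info["boot_code_sha256"] != baseline_boot_code_sha256:
        findings.append("boot code differs from baseline")
    for i, p in enumerate(info["partitions"]):
        if p["status"] not in (0x00, 0x80):      # only 'inactive' and 'active' are valid
            findings.append(f"partition {i}: invalid status byte 0x{p['status']:02x}")
    if sum(1 for p in info["partitions"] if p["status"] == 0x80) > 1:
        findings.append("more than one partition marked active")
    return findings


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample MBR: the given boot code, a Windows-style disk signature,
    one active NTFS (type 0x07) partition starting at LBA 2048, and a valid 0x55AA."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    disk_sig = b"\x11\x22\x33\x44" + b"\x00\x00"
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 204800)
    table = entry + b"\x00" * 48
    return code + disk_sig + table + b"\x55\xaa"


# Constructed inputs: placeholder bytes stand in for real bootstrap code on both sides.
CLEAN_MBR = build_sample_mbr(b"PLACEHOLDER-CLEAN-BOOTSTRAP")
BASELINE_SHA256 = parse_mbr(CLEAN_MBR)["boot_code_sha256"]
TAMPERED_MBR = build_sample_mbr(b"PLACEHOLDER-BOOTKIT-LOADER")

if __name__ == "__main__":
    print("clean:   ", check_mbr(CLEAN_MBR, BASELINE_SHA256))
    print("tampered:", check_mbr(TAMPERED_MBR, BASELINE_SHA256))
```

On a live host the sector is the first 512 bytes read from \\.\PhysicalDrive0 with administrative rights, but a bootkit that hooks disk I/O can hand a clean sector back to code running inside the infected OS, so run the comparison against a disk image taken offline whenever possible.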

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\75ac95c69ee5b6cd50e2c4903a068f26_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2328
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\75ac95c69ee5b6cd50e2c4903a068f26_JaffaCakes118.dll,#1
      2⤵
      • Loads dropped DLL
      • Adds Run key to start application
      • Writes to the Master Boot Record (MBR)
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2972
      • C:\Windows\SysWOW64\regsvr32.exe
        C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/4bl4.dll"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2932
      • C:\Windows\SysWOW64\regsvr32.exe
        C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/c6cb.dll"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2708
      • C:\Windows\SysWOW64\regsvr32.exe
        C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/353r.dll"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2664
      • C:\Windows\SysWOW64\regsvr32.exe
        C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/b33o.dll"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2680
      • C:\Windows\SysWOW64\regsvr32.exe
        C:\Windows\system32\regsvr32.exe /s "C:\Windows\system32/b33o.dll"
        3⤵
        • Loads dropped DLL
        • Installs/modifies Browser Helper Object
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        PID:2876
      • C:\Windows\SysWOW64\36bd.exe
        C:\Windows\system32/36bd.exe -i
        3⤵
        • Executes dropped EXE
        PID:2792
      • C:\Windows\SysWOW64\36bd.exe
        C:\Windows\system32/36bd.exe -s
        3⤵
        • Executes dropped EXE
        PID:2616
      • C:\Users\Admin\AppData\Local\Temp\h8nil4o8\mtv.exe
        C:\Users\Admin\AppData\Local\Temp\h8nil4o8\mtv.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1204
      • C:\Windows\SysWOW64\rundll32.exe
        C:\Windows\system32\rundll32 C:\Windows\system32/36be.dll, Always
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:1344
  • C:\Windows\SysWOW64\36bd.exe
    C:\Windows\SysWOW64\36bd.exe
    1⤵
    • Drops file in Drivers directory
    • Executes dropped EXE
    • Loads dropped DLL
    • Writes to the Master Boot Record (MBR)
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3016
    • C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32 C:\Windows\system32/36be.dll,Always
      2⤵
      • Loads dropped DLL
      • Writes to the Master Boot Record (MBR)
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      PID:1996

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\h8nil4o8\mtv.exe

    Filesize

    124KB

    MD5

    7aab5729d4ac87fa5fcd76b76300c839

    SHA1

    6f0d5332dd8df552041a1d90b6717fd11cd81c52

    SHA256

    1cf290260ae6b4e3fa67678a600be2dcd95b95955329fa7c129c42d6bf96e888

    SHA512

    379a4d6e4dd5fd0ea309255aa2796d225d8f45730142143c17e0ff0e728dfa039b85fd329f938ac81e6018d1dff1f15dbde998fab5a960bdb39253060421d5c6

  • C:\Users\Admin\AppData\Local\Temp\jfnw\tmp.exe

    Filesize

    116KB

    MD5

    4851b0ca3412021e53572d57001abda5

    SHA1

    c2df70e48e49e206a8413ec7f96613bf12805903

    SHA256

    792f9d77400246168093ba6ed5b71acd0bff52f3b211807a7623843fac9d283b

    SHA512

    7344c68af6f6f431919484f6b17fc9b1a5973d0030a3d62d0bb3df30637fc2f40d75a1fdf3a3f68bd7ea6c1982c4c238f7ebbcd7a07848befe19a837b15bdd74

  • C:\Windows\SysWOW64\36bd.exe

    Filesize

    164KB

    MD5

    ff8d8fd8842cdcc696fb1e3a69fb53cc

    SHA1

    28dec79c9d7ebef1db99a33acd22d43f684873f4

    SHA256

    266ac340d111712438cffa3073cf2e64f1e11a052ac9a1cae02c27d2ad95bb30

    SHA512

    f60e667aca91dceb128e986b5a02cb066d3eaa59e20509210831f2eee4e752466e4216d08adf69016d0f2e16644cac46cec22006b74b3fdecdc7c0c18d89fd1c

  • \Windows\SysWOW64\36be.dll

    Filesize

    491KB

    MD5

    0d594260366695bc3695a316c948f7fb

    SHA1

    68db8a83768ed89ab343a71dd74069a0d64c463a

    SHA256

    6fd8d9a14edf10c360c81d96ac29fdc2bd08805402fb452a7937abc10673236e

    SHA512

    6f0304fce55ffc9867546bb095ae855f9ef46649719cd050b2bf75bd07378d05f98eaf4592695689de205f89ed7ed610c15bc266d1fb4498a4d302b53c1a71df

  • \Windows\SysWOW64\b33o.dll

    Filesize

    192KB

    MD5

    ee3794e1178de6dd216134b84732e8ff

    SHA1

    b8975b019af515288688460dcfd202acd79cff89

    SHA256

    81fddcb7c6582d0b2e03349d00633b9a9d74998ee3ec5cd7298f6a63b2b0efd4

    SHA512

    ad05526f75394bf08e69b9251b29f60c2260c97d22e5aaff3ff433003b493b20f2950d259e57857c7fdc570b21e782c66dad37c916372c2f5f814605ca43fa73