Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    27/07/2024, 12:36

General

  • Target

    783b7ef48c143c666f9fcb4dd739dcab_JaffaCakes118.exe

  • Size

    76KB

  • MD5

    783b7ef48c143c666f9fcb4dd739dcab

  • SHA1

    2bad918412e368abded112374f73e740801824ea

  • SHA256

    aef2c9cd0e13058d9df670b898c3f2b85467c403dac2eeb4ac73cc33efa7ec26

  • SHA512

    0c44116ea662bc195e3362641aee93e17264eea52ce7599ec8894cec620d95ba7a93c9695dcd37af20f91af23ddd7ad2a8e9a71ec6fd3bbdcdd31f19ee981c3d

  • SSDEEP

    1536:fweqbQV6iz9dbIgc//////ChYg4c3LaOywAfd3PDcCgqjw0JVfPsxz2wjV:f6U6ynkgc//////C6c+OyDBTtvcB

Malware Config

Signatures

  • Disables service(s) 3 TTPs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Launches sc.exe 4 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • System Location Discovery: System Language Discovery 1 TTPs 29 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Kills process with taskkill 8 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 22 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\783b7ef48c143c666f9fcb4dd739dcab_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\783b7ef48c143c666f9fcb4dd739dcab_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3016
    • C:\Windows\SysWOW64\net.exe
      net stop "Security Center"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2252
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "Security Center"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2336
    • C:\Windows\SysWOW64\net.exe
      net stop "Windows Firewall/Internet Connection Sharing (ICS)
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1820
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)
        3⤵
        • System Location Discovery: System Language Discovery
        PID:848
    • C:\Windows\SysWOW64\Net.exe
      Net stop System Restore Service
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2160
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop System Restore Service
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2268
    • C:\Windows\SysWOW64\sc.exe
      sc config ekrn start= disabled
      2⤵
      • Launches sc.exe
      • System Location Discovery: System Language Discovery
      PID:2700
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /im ekrn.exe /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2760
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /im egui.exe /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2764
    • C:\Windows\SysWOW64\sc.exe
      sc config NOD32krn start= disabled
      2⤵
      • Launches sc.exe
      • System Location Discovery: System Language Discovery
      PID:2824
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /im nod32krn.exe /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2832
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /im nod32kui.exe /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2880
    • C:\Windows\SysWOW64\net.exe
      net stop "Security Center"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2660
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "Security Center"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1448
    • C:\Windows\SysWOW64\net.exe
      net stop "Windows Firewall/Internet Connection Sharing (ICS)
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2788
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1620
    • C:\Windows\SysWOW64\Net.exe
      Net stop System Restore Service
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2796
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop System Restore Service
        3⤵
        • System Location Discovery: System Language Discovery
        PID:308
    • C:\Windows\SysWOW64\sc.exe
      sc config ekrn start= disabled
      2⤵
      • Launches sc.exe
      • System Location Discovery: System Language Discovery
      PID:2736
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /im ekrn.exe /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2560
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /im egui.exe /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2116
    • C:\Windows\SysWOW64\sc.exe
      sc config NOD32krn start= disabled
      2⤵
      • Launches sc.exe
      • System Location Discovery: System Language Discovery
      PID:2864
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /im nod32krn.exe /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2672
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /im nod32kui.exe /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2056
    • C:\Users\Admin\AppData\Local\Temp\SETUP.EXE
      C:\Users\Admin\AppData\Local\Temp\SETUP.EXE
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:2656
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c c:\_uninsep.bat
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2876
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c c:\_uninsep.bat
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2976
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c del C:\NTDUBECT.EXE
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2240

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\_uninsep.bat

    Filesize

    128B

    MD5

    518f996fb53ecd3d3748db8708c21908

    SHA1

    4c8834441fdcb4898d9d0607e9a9dfd2477a8bfa

    SHA256

    3770f9b5c752a17164ac0a8d361b01862ab186c2732cb659ce2519280bec79d4

    SHA512

    7ac8e8066ceefebf7dfd83ce877461a45ae0b1802883ae7b319c5b756cc65a4a58814370d381ec97338a9c18f49bf7966430f6d72ff2e27d6b844a56edfab6c4

  • \Users\Admin\AppData\Local\Temp\SETUP.EXE

    Filesize

    10KB

    MD5

    2b6d4988f6ee560e6b55c2e0f60b9edc

    SHA1

    47d74390150386fdd2a6afc90c49bd4f00dffda2

    SHA256

    d7be7452d1ab413ce22504f85dd043b256b56e624543753001d11c2e437fdbe3

    SHA512

    bb06039f27ec3fbb3d0ff020a219e8f4a0ea4e3db0472f673a9eea683a85cf365ad1ddbee7279a972395769fc9b4be4c3db701a3470de819480ba9e286871af3

  • memory/3016-0-0x0000000008000000-0x000000000801B395-memory.dmp

    Filesize

    108KB

  • memory/3016-19-0x0000000008000000-0x000000000801B395-memory.dmp

    Filesize

    108KB