Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    148s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    02/08/2024, 06:06

General

  • Target

    834e4fb336d864affdd5a03d7a930905_JaffaCakes118.exe

  • Size

    156KB

  • MD5

    834e4fb336d864affdd5a03d7a930905

  • SHA1

    4a09c7569aa4a3fcc5a862b2a1b795047d8cf7f9

  • SHA256

    312efa97a99740c006036a7771bc29ded76709e61f285cfee5c2f1caf52da694

  • SHA512

    1541fbc193a6765f020c99eb983c03f93258394055a688bbb6b372135bdccb809843169205e38ede2f0b36ebd5ce9aba3b8ee98d155f3ef17f14ff39d2c7e166

  • SSDEEP

    3072:Y6AOL9lqh+NzQ7Ql5YLrPcb+T9loA9wHzWO9Hmlk1njaT:Y6AuVNAQrWcUoA9wT7kkV

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 8 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\834e4fb336d864affdd5a03d7a930905_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\834e4fb336d864affdd5a03d7a930905_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2672
    • C:\Users\Admin\AppData\Local\Temp\834e4fb336d864affdd5a03d7a930905_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\834e4fb336d864affdd5a03d7a930905_JaffaCakes118.exe
      2⤵
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2764
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c C:\JBORE.bat
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2820
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c C:\RMBEG.bat
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2524
        • C:\Users\Admin\AppData\Roaming\{admin}\iexplore.exe
          "C:\Users\Admin\AppData\Roaming\{admin}\iexplore.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2604
          • C:\Users\Admin\AppData\Roaming\{admin}\iexplore.exe
            C:\Users\Admin\AppData\Roaming\{admin}\iexplore.exe
            5⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious use of AdjustPrivilegeToken
            PID:2252

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\JBORE.bat

    Filesize

    145B

    MD5

    c33f56c62e07c5b69fb4a1f181a3bec4

    SHA1

    e736a92c32f330a35f5efdf4fe938f9b10f3fe68

    SHA256

    008c1aaf5af78b882282f256f276883aa9a152b9c71ab990fb79ff7d0368e93d

    SHA512

    7c32f47f06cdc5248261830dca62adb5be5a0bfa5724eee294702b439b69507fd33ee8dc50ef97994bb9571a51ddde32e1ce1b70a4b69a89f26b1ff02075ff0a

  • C:\RMBEG.bat

    Filesize

    53B

    MD5

    717473935c780a6d872923e441179ad0

    SHA1

    e52edaa1fb65498fd7f9cfab709e89bf4e6e9d91

    SHA256

    ae6d39e6b875d9ad0e3726f0e76dcc1694987a10630b42641998929e8361a116

    SHA512

    553a250edf1458e298c319db622c26a49cdab873b92dcd44970f86e407b38c44478cb870683c7fad7e863d29c30a483d47c0e5ac486bb11c03ba76ce16c3dd40

  • C:\Users\Admin\AppData\Roaming\{admin}\iexplore.exe

    Filesize

    156KB

    MD5

    834e4fb336d864affdd5a03d7a930905

    SHA1

    4a09c7569aa4a3fcc5a862b2a1b795047d8cf7f9

    SHA256

    312efa97a99740c006036a7771bc29ded76709e61f285cfee5c2f1caf52da694

    SHA512

    1541fbc193a6765f020c99eb983c03f93258394055a688bbb6b372135bdccb809843169205e38ede2f0b36ebd5ce9aba3b8ee98d155f3ef17f14ff39d2c7e166

  • memory/2252-60-0x0000000000400000-0x0000000000406000-memory.dmp

    Filesize

    24KB

  • memory/2604-40-0x0000000000640000-0x0000000000793000-memory.dmp

    Filesize

    1.3MB

  • memory/2764-14-0x0000000000400000-0x0000000000406000-memory.dmp

    Filesize

    24KB

  • memory/2764-2-0x0000000000400000-0x0000000000406000-memory.dmp

    Filesize

    24KB

  • memory/2764-15-0x0000000000400000-0x0000000000406000-memory.dmp

    Filesize

    24KB

  • memory/2764-12-0x0000000000400000-0x0000000000406000-memory.dmp

    Filesize

    24KB

  • memory/2764-24-0x0000000000400000-0x0000000000406000-memory.dmp

    Filesize

    24KB

  • memory/2764-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2764-8-0x0000000000400000-0x0000000000406000-memory.dmp

    Filesize

    24KB

  • memory/2764-6-0x0000000000400000-0x0000000000406000-memory.dmp

    Filesize

    24KB

  • memory/2764-4-0x0000000000400000-0x0000000000406000-memory.dmp

    Filesize

    24KB