Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    149s
  • max time network
    139s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    11/08/2024, 15:34

General

  • Target

    8aed4fef70cc9f4842c3a011c85981c7_JaffaCakes118.exe

  • Size

    26KB

  • MD5

    8aed4fef70cc9f4842c3a011c85981c7

  • SHA1

    902f4a051f9336335c63a1072084979f646e23b1

  • SHA256

    34b61cbe71dff76ba1cb1a081bfc97aa46f0b2c00ce4cbee92f4b01c9a57e146

  • SHA512

    e3efea9b8fb00599ae1edaca47127bf8087df8269c421819f58b2db636bcc65c54b59a896b9d5ef485f4669b9951328f1e78a57aa46f1e29766695117a2fafa2

  • SSDEEP

    768:rUgIKI0QN2HKiJFIDJqI82oRZaP4XmhjSFY:QZK/HLJ0qZaP9jSC

Malware Config

Signatures

  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 6 IoCs
  • Drops file in System32 directory 6 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 8 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Modifies Internet Explorer settings 1 TTPs 26 IoCs
  • Runs ping.exe 1 TTPs 8 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8aed4fef70cc9f4842c3a011c85981c7_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\8aed4fef70cc9f4842c3a011c85981c7_JaffaCakes118.exe"
    1⤵
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2396
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe "C:\Windows\system32\wicheck080513.dll" myjkl
      2⤵
      • Loads dropped DLL
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3020
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\mycjjk.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1656
        • C:\Windows\SysWOW64\wicheck080513.exe
          "C:\Windows\system32\wicheck080513.exe" i
          4⤵
          • Adds policy Run key to start application
          • Executes dropped EXE
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1392
          • C:\program files\internet explorer\iexplore.exe
            "C:\program files\internet explorer\iexplore.exe"
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2888
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2888 CREDAT:275457 /prefetch:2
              6⤵
              • System Location Discovery: System Language Discovery
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:2052
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c ""C:\jkDe.bat" "
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:836
            • C:\Windows\SysWOW64\PING.EXE
              ping 127.0.0.1
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:1232
            • C:\Windows\SysWOW64\PING.EXE
              ping 127.0.0.1
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:1084
            • C:\Windows\SysWOW64\PING.EXE
              ping 127.0.0.1
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:3000
            • C:\Windows\SysWOW64\PING.EXE
              ping 127.0.0.1
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:532
            • C:\Windows\SysWOW64\PING.EXE
              ping 127.0.0.1
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:2768
            • C:\Windows\SysWOW64\PING.EXE
              ping 127.0.0.1
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:1892
            • C:\Windows\SysWOW64\PING.EXE
              ping 127.0.0.1
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:2784
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\jkDe.bat" "
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2560
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2884

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    8875dfa9fadbd7154c78d7c78c546615

    SHA1

    30ae5712b63df582e029f5e9db7e1aa68653da8c

    SHA256

    214c299a729a55b7229752fd643c9e4ce26f96adcc4b36a2e5762e62f5478299

    SHA512

    22d677f5eb7fad67d8abc5166b63f38926868fc7b4c2d47daaf1d83f001c2bebeaf127cae30b275b74b83149305891da71e9b7192dfca52aa5eeb800b5f93688

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    af0a1f57e613eb8d62f0bb3473c79d71

    SHA1

    f7de6551d9730ce870064db66a75a5768c27573b

    SHA256

    f5fb614a5bde94438f1d885aad4edf2e5add5c1a43f9ff9ce3502c1b8a3c0a59

    SHA512

    073182ccd939dfbaa13de36d242379fef92359b1839de166102ce54d53ee5aad4c42c87d94de806822d4ad60c54e5add2190aa5d2c8d11f9fc74fc130df532f2

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    39c4bc0af41b37539e9f07d2c5e8e79a

    SHA1

    db554a46b8829b4998be3a1aa3c4a204ace8fdce

    SHA256

    915dc873152829231776187964f128338026f62b198d2ae2b4d744ee7762ba0c

    SHA512

    f9121f9bc75d66ee8959509904c0fc95787d4270cf69ecc489cf5ca8618c5f32d491524794ac354d880bbef4758024db48d1d286181de53efcdebbabb394e8b0

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    f39511b750e3a91108de10c9446d804a

    SHA1

    fef21d1cd03f8e1228e3c5864eb5ad26ec40c674

    SHA256

    a2286e63319d21f085c354a747f81a3d4a780683fc0833e081e6177684c65a98

    SHA512

    2ffc7303a5f7943fba102f1d309b613ca9e0b3708bcbe21b9865cd37f20ae709f28fa8d3deddab2a718c1a43aff5dba659651e7884af43c68f731a0b24b7818f

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    9760707196d3309c77259a47e338c602

    SHA1

    da1e7de133c935f1d379aaebd841a7fcb0a41ec7

    SHA256

    ede1c9742e7dea5d3c60bb75a0fd33752397e33fe36e7ff8cdc5233d4aa2c415

    SHA512

    897da276beda1adb799173b7e0cf3b105d44e0ba56f0a61dee2852c2e974e7b0fc78a4c09cf3668e67506c118a17398c51b4397c54b2a2bc7ecda429f6c4a5be

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    755b39e48a8871520ce6f980efc7f0af

    SHA1

    00efd29c09091ffbcdafc87612ed989979776bad

    SHA256

    bfa12ecafb6da592ba46d7b70626d60a00f82345d7d215e41f13f563cef71376

    SHA512

    3dffcbdc90cc87f356333a2e18067a1aaa5c45fdae63a031571c95f326e5a0d5615426731e5cee1a8a0867eb6a25ea1e08e0c94260eeba277f66876aafa79b4c

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    15469dcdcf423dcd9e7a62e4c189e8b7

    SHA1

    7dc103aedb8fd2864916c459fd566cdc48cef06b

    SHA256

    16cc86f014e78650fbd382b11b94acf62391dd7aac3f1e98eef0dfebdfa68df4

    SHA512

    ee9cb032e4bab1456463b1f6ff6f7b53c59516eafd6aa85547369ff5a6ca99dc501e404a409dec47ed0a63dae87bbcfd7b702cc34922ac21140e09a631c3299b

  • C:\Users\Admin\AppData\Local\Temp\CabBE24.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\TarBEF2.tmp

    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • C:\Windows\SysWOW64\wicheck080513.dll

    Filesize

    28KB

    MD5

    4d67db9ff8e2714f603ad0437f30d10e

    SHA1

    9c7a039b8c6b8b4067d6e049221c9f97d3a62a18

    SHA256

    6bf84b1db64d46cfb9f11450560153c0b4a7297d7aa29c1948754e8c51eb22a4

    SHA512

    9c21bf97c60cf399e81bc3477bb36732611e7ca1631bfec47bd842dd46a6b2743c5d5683a1d6dd100841e28ecac45802ce6dd93d7579eb27663c9e04709baa6a

  • C:\Windows\SysWOW64\wicheck080513.exe

    Filesize

    26KB

    MD5

    8aed4fef70cc9f4842c3a011c85981c7

    SHA1

    902f4a051f9336335c63a1072084979f646e23b1

    SHA256

    34b61cbe71dff76ba1cb1a081bfc97aa46f0b2c00ce4cbee92f4b01c9a57e146

    SHA512

    e3efea9b8fb00599ae1edaca47127bf8087df8269c421819f58b2db636bcc65c54b59a896b9d5ef485f4669b9951328f1e78a57aa46f1e29766695117a2fafa2

  • C:\Windows\checkcj.ini

    Filesize

    139B

    MD5

    586098dd2c11cb63f915ac3208e56f09

    SHA1

    8ca2b8c8df35a8c817d450652e4cde5b4c1fb25c

    SHA256

    abc712cb0c4aa774a10dc737c97b6c384d9c3359409e7a5f43c9d79cb8ce2750

    SHA512

    55853a033d81d7ac119cb9b3574fe46418f1d146c12a4aaae3190e2c7ed41d7386f0f437162df9fe54142b1ab502ea81bcffec6102c6672acedd682caafa6f14

  • C:\jkDe.bat

    Filesize

    233B

    MD5

    8da98cb92caffd889faa22d567ac56b6

    SHA1

    2e0352090d42c0fb46a4115e4f892ee6830b1050

    SHA256

    9eba4ba7689f364315a64d1982ef6e90d5d52410b3cb5ae6efeed19711997e68

    SHA512

    4e9c6474821f7c6abb2b5ad210944e1a79cc65014600275424b787cff42b2aef2207ec1a53e48c58e9747774f8e9031fcd58ec6f7a34034705ed6736c9fb4da7

  • C:\jkDe.bat

    Filesize

    139B

    MD5

    086f4ed328a1c7dda89fafbaa31aee95

    SHA1

    7c44ded50be4c880bb11d875ed1a04c3424164f2

    SHA256

    17ffeb861fcfdc1e93a93604e044e9e9ad2779588c268b352321c267014b7bc5

    SHA512

    095d721b743da82f9f7797f23d1666e7c3ed1ce4664b3621f3d132c1185fdd35f311723f277693203dfbdeed3f27f7caeb842c5f2f8fa3cc2a5798323eb9602c

  • C:\mycjjk.bat

    Filesize

    51B

    MD5

    356488514f5ce5218bf13d343f4f0f5b

    SHA1

    5e4569c804470be74a4523172c5a9291a9950c84

    SHA256

    e6ae4bdf56f355ef9d34951e9da3681b584248a5f83c2e74c852ef9a9ce2e411

    SHA512

    4803dfb661c63e66699efe6abbc149f5f1c706cd9b430df1f7d8e5558ae55d35be7cb37ce27807b1e25100536d401cd8f48dffdb333cb2968f31d0eb1f6346a8

  • memory/3020-52-0x0000000000170000-0x000000000017D000-memory.dmp

    Filesize

    52KB

  • memory/3020-31-0x0000000000170000-0x000000000017D000-memory.dmp

    Filesize

    52KB

  • memory/3020-25-0x0000000000170000-0x000000000017D000-memory.dmp

    Filesize

    52KB

  • memory/3020-12-0x0000000000170000-0x000000000017D000-memory.dmp

    Filesize

    52KB