Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    147s
  • max time network
    135s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    14/08/2024, 16:01

General

  • Target

    96b4efb322e9f719e9da043e26a2bd97_JaffaCakes118.exe

  • Size

    656KB

  • MD5

    96b4efb322e9f719e9da043e26a2bd97

  • SHA1

    3825278830bb9a9d8b3bff6968b9fe730018179c

  • SHA256

    49a6613b3b1575f5bedec9f348d5afca76ce39dc5f867a03aa5750135498b9b3

  • SHA512

    1cdcf1c622a88e0f7c73838a67517f229509dfd9c39359a37843e012901b7c1c56d30897d31c9eb7f6ad8f1f36cfb2e34729954c9058c297a6fa40d4ac8141c0

  • SSDEEP

    12288:R5QepwNJe5vSyv7eTmYcfOT9p9rEf2w0RZ5h:R5Q9lmXOzZEf2w0jf

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 9 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • NSIS installer 1 IoCs
  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious behavior: EnumeratesProcesses 60 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\96b4efb322e9f719e9da043e26a2bd97_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\96b4efb322e9f719e9da043e26a2bd97_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2476
    • C:\Users\Admin\AppData\Local\Temp\nseF97E.tmp\questresult.exe
      "C:\Users\Admin\AppData\Local\Temp\nseF97E.tmp\questresult.exe" "C:\Users\Admin\AppData\Local\Temp\nseF97E.tmp\questresult.dll" 214660732
      2⤵
      • Executes dropped EXE
      PID:1284
    • C:\Users\Admin\AppData\Local\Temp\nseF97E.tmp\questresult.exe
      "C:\Users\Admin\AppData\Local\Temp\nseF97E.tmp\questresult.exe" "C:\Users\Admin\AppData\Local\Temp\nseF97E.tmp\questresult.dll" unakaxab "" funekeki
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      PID:2036
  • C:\ProgramData\QuestResult\questresult117.exe
    "C:\ProgramData\QuestResult\questresult117.exe" "C:\Program Files (x86)\QuestResult\questresult.dll" nemefune emigazaqay
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2644
    • C:\Program Files (x86)\QuestResult\questresult.exe
      "C:\Program Files (x86)\QuestResult\questresult.exe" "C:\Program Files (x86)\QuestResult\questresult.dll" ibuxejaqu xitacilaje
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2528

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\nseF97E.tmp\questresult.dll

    Filesize

    560KB

    MD5

    11c68ce0141613e5334d461052a1f83e

    SHA1

    68a0374e839a4d276dac48ca1dbf24421741895f

    SHA256

    41061830e68af9b6fd1b33fc218016d8ff53edcf5247c590787ebcd4354ed79f

    SHA512

    5102c50be4c6723381c0359f58b5c5ac7077d2de585bf639ed8ec4eb6d65ed46061e6734336ea7c429f0aa2d50545dab36f49ec067d50c242569e097ae7ad501

  • C:\Users\Admin\AppData\Local\Temp\nseF97E.tmp\uninstall.exe

    Filesize

    83KB

    MD5

    b8581e4563421179a21eb5f9daff2380

    SHA1

    99531598663bfaf0acd2e656532d9df44a69e4f3

    SHA256

    79334466126d6e4bf47b1964675c01885a9dbf27541fd72e72aae58f95acfd23

    SHA512

    800e36eeff74e6e0a03d2cb75c71a9460c6fa1cbcc7457301996e20f1e578cf0cf9cba66de8e964bedf0f4a188bd954dc4799c0a87e4d2cea76b8b8e4b92cb33

  • \Users\Admin\AppData\Local\Temp\nseF97E.tmp\questresult.exe

    Filesize

    48KB

    MD5

    b88d605702d92e81c8dfcc5a33841dd4

    SHA1

    44d944a6ca25df041cc914cc329f5ade9592486f

    SHA256

    0e2fade0af3c09ef949cf065411fc93a611b43ae469bd2fc125c9fbe86fe3058

    SHA512

    4075625551b08901527d0ba6d62132d4d94b8807caa1b929a30ec3566b5c8b588e794f8785863c043aed59d0fcbcf3da3bec9cd6b6cc4cf02e0db2f038bb785d

  • memory/2036-26-0x0000000000410000-0x0000000000492000-memory.dmp

    Filesize

    520KB

  • memory/2528-59-0x0000000000340000-0x00000000003C2000-memory.dmp

    Filesize

    520KB

  • memory/2644-37-0x00000000002A0000-0x0000000000322000-memory.dmp

    Filesize

    520KB