Analysis

  • max time kernel
    150s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    18/08/2024, 17:00

General

  • Target

    a77ca5793b0e5f4a28ea576cf988b5c8_JaffaCakes118.exe

  • Size

    89KB

  • MD5

    a77ca5793b0e5f4a28ea576cf988b5c8

  • SHA1

    81f7599be4e590386de12b4366716433bf10a017

  • SHA256

    5c302e8ae763e0d918978dacc3031dc4c4425757dd1bfed53f6b776e9b9003ee

  • SHA512

    d5bad9f53fd913afb44d4cad0888b4a71417f81924b8694eb6be7e2394889858e583ee2c193c7d2e1c3d94370c08cb4f6781569c9a1e9d8d3577f4d100e23e8f

  • SSDEEP

    1536:L8dOoemFFLr/5P8MdiEWzHc/toONCoCinYQ13gLspuIJK/k1lJSU5xfO3:6PemFN5GEeH2qAcinYQJgLAK/2F5xW3

Malware Config

Signatures

  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 25 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1232
      • C:\Users\Admin\AppData\Local\Temp\a77ca5793b0e5f4a28ea576cf988b5c8_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\a77ca5793b0e5f4a28ea576cf988b5c8_JaffaCakes118.exe"
        2⤵
        • Loads dropped DLL
        • Adds Run key to start application
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2372
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c start iexplore -embedding
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2772
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe" -embedding
            4⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2732
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2732 CREDAT:275457 /prefetch:2
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:3024
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c "C:\Users\Admin\AppData\Local\Temp\samEDB9.bat"
          3⤵
          • System Location Discovery: System Language Discovery
          PID:1636
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2372 -s 124
          3⤵
          • Program crash
          PID:1100

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      f18261fbdf81db08239c51ac970de777

      SHA1

      5cb939d01bed3672c412bd6f2802921d485bbcb0

      SHA256

      ed3b67f5c0a80d61928969e7fcbecae95c3ede1b36721df37cf8d17889a2a3ea

      SHA512

      160e6f18f1b4e34e992148ae64a71b40d948b1566bc4a98daafb9e31914ec6a0eceb3427b61dba8046cc220a03b6644ee7e54117a706215032a3198f9b5bff6f

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      dbd7b56f31c2d1f0fe9fad7cc8b40da3

      SHA1

      4cb2409d0524513f0ef21c79dbd468ac0dbbec8f

      SHA256

      3b84091d2286b8cdf32f30a6ab0b634347b4964b46cf59d4d8a381eb3385efa7

      SHA512

      007d09ddfa1ec4b92deeaeff69d624db006f667b936fdd976da0d289d4617e51f3f089c70722ca74567f66a628c9ca5495991f3bd9e094e37313f23e25074a90

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      6bf4e62db9fec1cbfd7eeed27f642fda

      SHA1

      8005e059aea04e51f987df327ee1c4e6e5fa5f20

      SHA256

      d520562158d91e3de3d4b0fdddbfbaacc6b32dfdaf16765f3614ccd14ae97af3

      SHA512

      f928489ec40c71812de8f9a1809643fdb0f3588c6f2b96ec6b583fc258d99d2238c9e62d07ca1fe805b47032966d53a859844d95d359c8c3647d92d0f8d3ab62

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      ea54c7f53f0baf8ea1c2bc207901e0f6

      SHA1

      31fc7f1a4e16da2f73ea9378a49eb3dcc285bff3

      SHA256

      5a6ec8026422f1b5a94d3dd58b435dbd1d575cc5647869d2d4e00e0ead82c456

      SHA512

      0b83bbaf72ed4fcb3140550e48c354a556acff88137f86396d23eddc2ec848ecfeb36c7d25c03b785962ccb2fbf9b9cb3f845d8fedfe82b6fc4ca84468692319

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      470224f0e5ec7a6db1f8b84c53893059

      SHA1

      8ee0b84dad8845ba200808bcf2b7ea71f9c18414

      SHA256

      de574857c664c8849b99501c780974f78ea24aee491520aeb6b0f9f563b78684

      SHA512

      dd5c364baf92368a62ff40069294a8a0b5c34c0ee1a58229a832c951ab3f5400689a0146e4edee212f3709c3c4969e20ad718a8ff21554c94968a5f23be64489

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      884c293ae3df69eeff68342210ffbd36

      SHA1

      5f4b5eba31633b7dd0c1566d8f6189d72ea65ec8

      SHA256

      a85ba3e0004a4ac480f96e0340b7201b2bc3a5b7875173df88ca4a6366cc49cd

      SHA512

      f6c3c571e46a8d2a6dd8ae33aa7377760bcfa00bfca424106535350799c69b5a44050e33898d0ddf21e4a1ce12231e0eee36f1b9c5f059b559398ab87b187174

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      a654cb48e048a3b007376121a336ad92

      SHA1

      1b14142069dd4afa48a04d4676a1b7354b9ba681

      SHA256

      3db2e2ab45f15a97fda01c36994f59627715a66975101ce38d57c266411ea99a

      SHA512

      40ee416d7e9f28db3eeb9f7c8aeb02111613d8dd9cbca236d87019d8ebb54c66ed9e94123a3285a76cda1cc9a234fcfeca2987793eb6b7137f72ebb5806f32f7

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      6250461c7427ee33e82920959666908a

      SHA1

      93dc6fd17c7e1596a0186f634e6bdf54d5c29da6

      SHA256

      64e5adcc86e8ef7a0065c34e6528d58abaf60a885d551e3deabaa44021dd9020

      SHA512

      4e94d12dae6d7f15c5d6a2ce67eb7fb0fb0d50b927f96ee18d455e01d178a0acaf5770ec5cd1040fd4568c7e3a10dbf532e0588fd018e72a4479e84b746a049d

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      fbbcafa326850d3e5146fc621f52f14f

      SHA1

      6eb2e6e38e772504666ee6c9d0112f5275aa95b3

      SHA256

      e4264f6a256c0be800d93af40793e1846ddef2d62b8bd8288197b2ace64895db

      SHA512

      6d700643898c8c8b836af0a970925493d2a2a78a571531b895deace60a7be7fbcef9625400fdcfb988523391d4cc9ac0c5b74f0e355531e3288d5eddbf5b3f42

    • C:\Users\Admin\AppData\Local\Temp\CabED8C.tmp

      Filesize

      70KB

      MD5

      49aebf8cbd62d92ac215b2923fb1b9f5

      SHA1

      1723be06719828dda65ad804298d0431f6aff976

      SHA256

      b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

      SHA512

      bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    • C:\Users\Admin\AppData\Local\Temp\TarEE3B.tmp

      Filesize

      181KB

      MD5

      4ea6026cf93ec6338144661bf1202cd1

      SHA1

      a1dec9044f750ad887935a01430bf49322fbdcb7

      SHA256

      8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

      SHA512

      6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

    • C:\Users\Admin\AppData\Local\Temp\samEDB9.bat

      Filesize

      188B

      MD5

      9ea94f51296269514773ae716967faa0

      SHA1

      d09a0d734089994f86b18c4936044c79b7e54801

      SHA256

      831c6c96f14e2c193f76d21d6486e7dc7af6c4a1a871823b6083b7cf04eaebcb

      SHA512

      9c9f6259a69090b97eadcfab41fc474e972b4511050cc12266942da4fb3be1b2de22c486c5c0807b51260c05b916b7a09056d24118c9f0525253959ee378d570

    • C:\Windows\SysWOW64\winjrj32.rom

      Filesize

      62KB

      MD5

      879f3a89a30ec3b2eb0844fb4d9f3611

      SHA1

      90c9f4da9bfd40d6556d32791692f5d45f193af6

      SHA256

      f002661e6690ee0d51d43e397d42a60b3259e4a5ca44c5d78db548c48d42b149

      SHA512

      41f64b84f71cd1a024d69f21e5c28b305c3a76e30eb8897bd51f5c6cc0dd4d1768edfda754b84cecb1b6493ebbe5d7374362e915f77560fdc215257df0ef3001

    • memory/1232-22-0x000000007FFF0000-0x000000007FFF1000-memory.dmp

      Filesize

      4KB

    • memory/1232-25-0x000000007FFF0000-0x000000007FFF1000-memory.dmp

      Filesize

      4KB

    • memory/2372-36-0x0000000010000000-0x0000000010015000-memory.dmp

      Filesize

      84KB