Analysis

  • max time kernel
    140s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    19/08/2024, 05:59

General

  • Target

    a9db6c03c9ddf1ca0308c40781c11f43_JaffaCakes118.exe

  • Size

    24KB

  • MD5

    a9db6c03c9ddf1ca0308c40781c11f43

  • SHA1

    68cf505a3e033a3b863fe52b16fea2cf6347aa16

  • SHA256

    bf0b459c3c9d8a26636157fb8b9c693df0b75f7ded288ebafe8d6374853176fa

  • SHA512

    86562dd907d42da3c422ab7230f298bab68fe35669e828782b97e66a2d23a07fc41906fdf4d780443c5f5803067f6dae4a21ed6081cb67234b022e47dcabb2bd

  • SSDEEP

    192:teOtaGSJAeBqaVKwlf3e4gbZdH0dHRdHwdHPH1SdHB18GZCju11K7kvBPOnT3Uvb:MMGPVx3ehVqrmuJk2VvBR

Malware Config

Signatures

  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 8 IoCs
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 42 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a9db6c03c9ddf1ca0308c40781c11f43_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\a9db6c03c9ddf1ca0308c40781c11f43_JaffaCakes118.exe"
    1⤵
    • Event Triggered Execution: Image File Execution Options Injection
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies Internet Explorer settings
    • Suspicious use of WriteProcessMemory
    PID:3056
    • C:\Windows\LSFPRN.EXE
      "C:\Windows\LSFPRN.EXE"
      2⤵
      • Event Triggered Execution: Image File Execution Options Injection
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of WriteProcessMemory
      PID:1672
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        "C:\Program Files (x86)\Internet Explorer\iexplore.exe" C:\Windows\iexplore.htm
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2984
        • C:\Program Files\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files\Internet Explorer\IEXPLORE.EXE" C:\Windows\iexplore.htm
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3024
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3024 CREDAT:275457 /prefetch:2
            5⤵
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:2964

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    b68106da0e4cbfe37048c0d6762d8cb3

    SHA1

    3d0fbf7ce18e9d129bcb2b484d8935254f8d369a

    SHA256

    4364cf3a9ee3df8b25a49758751d307d0d61765b9ca436676fe0e01a1548eed3

    SHA512

    731cacd7b1eb1b6789d2c1a52b7c77d315b2bab7ea71d16d64f8dc0a264bfe49133b8df5d0382b3a9e7485b68d33a8df2b0efe6602351332ab52e675efd6032c

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    c4216fd46abc0fd54da3290f076b339c

    SHA1

    f94ea94e4dd37ddc8b6e28ffc59050d0819bb06d

    SHA256

    e8dc5ff427172e0a6e2ef39b3e045f6a05db2dc2088856d156f6f5bbb4263899

    SHA512

    7eb51d51688a11bc7d0d278aa64fdf44bc4afa4bf5caaf31326a82db9634c2ef617b3a1b2f3459ef0fb0faed474710455d8268a887bf12d095d13d0847938fc2

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    02a7206c1463b6fb4fc3071606aa2462

    SHA1

    9538afbfbe4496154e1668d981db9b60d25e4812

    SHA256

    e5db993b89a1f5467f5154dd0fbc3e17b4482fc0bf66541cd6f2eb07a5a3b519

    SHA512

    a424b79e816aacb2e39a68634df05dd6efce7e5eeeef26d27c13311412a4b3fab79c9c2796c8cba06bad2a2cc040dc27934eca5ad5c571553a89a3b8d7614cb8

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    44578384ce890f73f5071bf1223aadfa

    SHA1

    ab387c4f053cb30bb00cca6214cd9e6f761feae9

    SHA256

    c1b0672234941ba6078e2c99650b160103045c8492773985e8032a31ce10d181

    SHA512

    5b0e94c2baa3b81d5b72366f2c9f600146c76c50cdcc58da5b27a08947b51e6cf8c679aca573ef01983cd72ad2cde43f20b4e17307831192be0c4bd1c5910342

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    7b5ac8adf7754e1794424442186d4979

    SHA1

    2d38be2d7523d3041fe5538e757ad6444d7da0d7

    SHA256

    38def028ba9324d987657be6744c0e9eb6e1743d37a58d8d74fc5a86985c82c4

    SHA512

    af1c7ac223e350b88b1e231032a2a491b6ff3803c90e630a7d0b79b67b4644e426861a78072cb933b4b80b4b1c9b0f8668e5f15eb4d2639b90df652fec909b48

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    f717b1e7301bac425a36082441067a93

    SHA1

    f88c42c69d78d09f8b3fd93656d33310316dd53e

    SHA256

    b8dbb53e0e8ffb0fe9bd11507f67aa2047961412e6c42d2ce4321b0885f74459

    SHA512

    3bda331f707aa0e138dcdfcc35b1e3f8aff37080cfb8a47fb2d821f981cf22214d1d867b3ebb2dcaed245e47f77e61de54182fd6045a0f6f2b4638dac9a384ad

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    fd3b68f699cb863c2cf93247fff83d1e

    SHA1

    66e23bc1921ffa8f2924e13500f2ff3359ea9981

    SHA256

    ee3f8c3e949d7dc6ee53686e65c2a0be3abb76d7d6054f7b108baba5f82d8c6d

    SHA512

    38fb1fe3c2105b76c9578422a74888de019ce3d25d9b475387070bd1f249c11010179e2bfa82d04a996b9bcdeb53a0a5c84e9ec27217feff6e615de963278185

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    fdc1394fb84f0b500651275d7750beff

    SHA1

    38155a261958d5f6826d3c28b65b3a5698d91acb

    SHA256

    af7286768ecf9f22aeb90c70d2eb6f35bea50e43abd9a92e64b9eb7314d2ae9a

    SHA512

    2d40423f2841d9cdf7f802ffbda330a8f673b8002c9755baefe072c63d6c9cc09f147727352a52a9e71b50d524846395160e99cb012bd074d47466a070de0ba1

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    689996ca8922f40d3afd26490f579849

    SHA1

    c15fbac213ec4a1821d810e34e4ca7f8278ded8b

    SHA256

    002910dac52cc2b7a1beb3606897aec652acd0f2f36dfb2a0180042037ad6dd2

    SHA512

    5a282fd16d35c07a9cc884ebb28aeb8e293258e089966ddc91d72f19596635c44dd330ea461baf102ad3ac626e115b8dc98b754967bf9125f1915c1fd05ff36d

  • C:\Users\Admin\AppData\Local\Temp\Cab4FB9.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\Tar5058.tmp

    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • C:\Windows\LSFPRN.EXE

    Filesize

    24KB

    MD5

    a9db6c03c9ddf1ca0308c40781c11f43

    SHA1

    68cf505a3e033a3b863fe52b16fea2cf6347aa16

    SHA256

    bf0b459c3c9d8a26636157fb8b9c693df0b75f7ded288ebafe8d6374853176fa

    SHA512

    86562dd907d42da3c422ab7230f298bab68fe35669e828782b97e66a2d23a07fc41906fdf4d780443c5f5803067f6dae4a21ed6081cb67234b022e47dcabb2bd

  • C:\Windows\SysWOW64\44upd.dll

    Filesize

    256B

    MD5

    7fc27f0eb3c1ab6ef579f4ef0ac12774

    SHA1

    d04c43eb42a01467e1bb8996de0160e959d50079

    SHA256

    a0aca3e8c478cbe4fd866047007bab97099b03512841c67fd139df62e47d6f02

    SHA512

    c7706b6ea625da5aa968f4be791127e1faea3a00f458052210158d685666241bc15175b55d14f569493026e7cdb8c36d0892e284e426125e45c9b77abed89379

  • C:\Windows\iexplore.htm

    Filesize

    1KB

    MD5

    1d47e608ba041a2325a1eab479180bf4

    SHA1

    7316d2d1a0fc1ccd6d1d4530db63ca55167c16c0

    SHA256

    843ad1039e884b2dc398b7db77ea920e7853b8490bf2960dbf14882729435899

    SHA512

    3fae7d2409d8a2cad5f0370ac93a373d874d5a83d9692fb10012e4d587f9e77c1c25cfc55a2b18d39308ca734b385abe48f28411aa197126b8ed4b6264b35e15