Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    150s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    19/08/2024, 20:59

General

  • Target

    ac8d64159f01bd2beabb491d3ade5804_JaffaCakes118.exe

  • Size

    1.0MB

  • MD5

    ac8d64159f01bd2beabb491d3ade5804

  • SHA1

    6a910e8241c2db1b3352ab71f764718f60777315

  • SHA256

    d06eed697b1fd60b51f083b5f186d0dfc081355bffd02f7fdf72b89e2ae9552c

  • SHA512

    b11d16e75ab391b893684cc068f9a5948bd3980a37cf50370ed0848bdfdbf4790433e03a84ffa49ef431773a5642a2d93244b7ed801aa3c6ef9ddfb2278e40ce

  • SSDEEP

    24576:BkuFhCwUuqDluBMfEhJX3z5mKhwbLeoMbd:PhxqDosEL3F/w+bd

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 13 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ac8d64159f01bd2beabb491d3ade5804_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\ac8d64159f01bd2beabb491d3ade5804_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1908
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c "C:\ProgramData\smes\u.bat"
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2736
      • C:\ProgramData\smes\smes.exe
        smes.exe -install
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2776
      • C:\ProgramData\smes\smes.exe
        smes.exe -start
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2868
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\temg_tmp.bat"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2668
  • C:\ProgramData\smes\smes.exe
    C:\ProgramData\smes\smes.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2492
    • C:\ProgramData\smes\smes.exe
      C:\ProgramData\smes\smes.exe -run
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2984

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\ProgramData\kingsoft\kws\kws.ini

    Filesize

    720B

    MD5

    ffc3088dc68b14616fc334ce25f7c4ec

    SHA1

    83ea5e504ba582fd0db81371888b2d2d36012af8

    SHA256

    f39e009b78bbca138cf7ca72023390afe0e9ab1980eb0e326e637186a1249872

    SHA512

    b3c29e4513ba21d9588661eeffe029bdc5a2317cb3345cbe945f50df9688732d478e614e67a64f87d9cdf2c284eaeb9c497feef69ee71a621f4fc009bf1c09b4

  • C:\ProgramData\smes\KWSSVC.log

    Filesize

    202B

    MD5

    631f56bd7162a8bb8448a132b9f9b6c3

    SHA1

    9a819f9add620259916538e5f53d6a16c8b83141

    SHA256

    f44be399b223ed8aa0e07646db7b25fef991556372b5cfbfe6c670a6a8a7410c

    SHA512

    625285307d57e435b76595aa13decb9d2b2c1606e082a5e9481dad667e223151c9733ee2d6dd01d46118f043d5d7c41e3f45dfa6bd9aa2b831e225cf2a183010

  • C:\ProgramData\smes\KWSSVC.log

    Filesize

    448B

    MD5

    6208b710e9d857d0e596d2b85def06a1

    SHA1

    73dc89826e33e7e68d978d449f327ce5e10b760d

    SHA256

    b3309a16aadd3bdd7ce36342512f909776bd3d90a5558f9f6385fe6c23561a68

    SHA512

    c68a2a890d6349b3777203ae25c3b71d939d9810ba92a6b1c55f1c5b9b583065881bfacf1b4c7aa0b5fce8baf144c0e4bff87e61c17d665abdaafec5f9ae2e46

  • C:\ProgramData\smes\KWSSVC.log

    Filesize

    546B

    MD5

    39c069cc2db290d42a620a84026a226f

    SHA1

    fa496bebeb99ed9fd28be37060c76b8798f11d2f

    SHA256

    7a60385deb9d8e576770a33dd229bd53b83dfb90640e2677d8883fef86595b6c

    SHA512

    0dd6f9eaf1135fbe616bd6cbf594066b9a0d08273ba614be207e212466ba28cdeaf221c21fad5a56555ad88c66de3f54e05cd53b3d811a4ecf505c5b5e9ce917

  • C:\ProgramData\smes\kswebshield.dll

    Filesize

    441KB

    MD5

    7851449473178f9782263d51bc5e3bbc

    SHA1

    ad5148ee1bed2348b320c62c025d52fbcbb28799

    SHA256

    c3bc7ec8428f0bb210a0597c9a0cad1be412b7fa46ea006819a3df9ac23118b4

    SHA512

    b01fc37ac84b81df8d7657000295aed7eb50aaf7f13ab2b2be9030c9f83ed1559318c83c78b4a29926d7d30e9eea9538d123ef4a649179be5a5b54ee71ed9b49

  • C:\ProgramData\smes\kwssp.dll

    Filesize

    425KB

    MD5

    bf5dcfd9da0514334d41cbd80d2a9138

    SHA1

    802f9e0b82edca56be08a33b2ba874b34c31f1e3

    SHA256

    f9506cf9a87aa6bfbf07f2124f2785a711b27a70839ebb95bdd4b2cf747fb060

    SHA512

    246796f2e201cde30043eaa2c0ffb4d2b3bea2bae97261a022824c31a42d2b08998b1bdcd436e8392bdd153dd6fadf9ba69361c7316a6bfda5d475678b7aa5cc

  • C:\ProgramData\smes\kwsui.dll

    Filesize

    433KB

    MD5

    45199dab51eeece95728abfe25e18f35

    SHA1

    59ab0fe25aa2adc253adbecba6862e7432df1c39

    SHA256

    a22006861cac6a849346282e2f7729deeb8f68bf29f13c15ae33d20311f77391

    SHA512

    825c6ae1f88cec3d6c469e6a15cad0430845ecc8d436777092f4c5fe8ecd02abbfeb3e2a17b2f4896b9d6e4b2d229a8b83bfdda75a3e025fc32f86610c6eef12

  • C:\ProgramData\smes\u.bat

    Filesize

    44B

    MD5

    704efba1aee1454561da552dda430498

    SHA1

    d20fb96683f769eb9cef1b0a068bcba70aeab9c2

    SHA256

    80b08d35bd27636e0774ce35ab57306f76edc6a0f7058cb1f93733cdf88bf94c

    SHA512

    7e0c9ede686238703af4893af8842c05c48ab1681ae273b32d8085cf1a17aae946c0c823a0a418787522a551d684367259ff8203ebca6e4ec69b6ded95231bd0

  • C:\Users\Admin\AppData\Local\Temp\temg_tmp.bat

    Filesize

    135B

    MD5

    24754f38c37910d748a5dd1c45daf9ab

    SHA1

    62d87cd516c59039c94a5426e4f630c142931fa3

    SHA256

    63cea6b342ddff35ec0f99411d689533282132f079553dc4d504ee3143c9dcfc

    SHA512

    8de5c6df3b62f28dee31f647dfb05c7f54a34bb4946d54b1184e499c10b34472f58189474bfb72c4755cbb87e04fd064c1ec7acd20c79d511371bf09033e6aa2

  • \ProgramData\smes\smes.exe

    Filesize

    209KB

    MD5

    1fa47f5b173cee5ef9c3ee1bda0c321e

    SHA1

    60ee40236f960affb01d569a32e1b05888bb081a

    SHA256

    b21526716068d2a8550780038e2b5ddb843d77890a07ec82ed9ce9dd0be52c64

    SHA512

    01f39376269a75510347fcf66ff2585b25d5e6e10e26b7feefa3af66e712a5f50c62bff6d40abee733e1ce965d17a2e443664838268eb7c7a2e36fc1c024224d

  • \Users\Admin\AppData\Local\Temp\nsoFA09.tmp\AccessControl.dll

    Filesize

    10KB

    MD5

    055f4f9260e07fc83f71877cbb7f4fad

    SHA1

    a245131af1a182de99bd74af9ff1fab17977a72f

    SHA256

    4209588362785b690d08d15cd982b8d1c62c348767ca19114234b21d5df74ddc

    SHA512

    a8e82dc4435ed938f090f43df953ddad9b0075f16218c09890c996299420162d64b1dbfbf613af37769ae796717eec78204dc786b757e8b1d13d423d4ee82e26

  • \Users\Admin\AppData\Local\Temp\nsoFA09.tmp\FindProcDLL.dll

    Filesize

    3KB

    MD5

    8614c450637267afacad1645e23ba24a

    SHA1

    e7b7b09b5bbc13e910aa36316d9cc5fc5d4dcdc2

    SHA256

    0fa04f06a6de18d316832086891e9c23ae606d7784d5d5676385839b21ca2758

    SHA512

    af46cd679097584ff9a1d894a729b6397f4b3af17dff3e6f07bef257bc7e48ffa341d82daf298616cd5df1450fc5ab7435cacb70f27302b6db193f01a9f8391b

  • memory/1908-5-0x0000000010000000-0x0000000010003000-memory.dmp

    Filesize

    12KB

  • memory/2984-56-0x0000000000440000-0x00000000004B1000-memory.dmp

    Filesize

    452KB