Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    150s
  • max time network
    139s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    20/08/2024, 01:39

General

  • Target

    ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe

  • Size

    1.3MB

  • MD5

    ad68925c8de4f346723ddc172b416e4d

  • SHA1

    80553a650296fe664ea25ca567ae85353517f1a2

  • SHA256

    218f6f03046a19ccbdc91f45959eb43def38bf11fe296c5ca57192ab5454d5b9

  • SHA512

    a464c8026407c0d1d8912e14022109d1a72d445f4d1cc9ab0878f19d21f332baa8a2e500a81790f08862b9e1bd5f7984a0387ea1a6bdc0200ae182c65156d2c4

  • SSDEEP

    24576:dy/PLameAu9Spf5Gb7PLg79JLR8rdegEjrObHXa1Kkdi6CZQroBUc:d+LarAu9qRGbo9H8rGUHXs/fCoW

Malware Config

Signatures

  • Event Triggered Execution: AppInit DLLs 1 TTPs

    Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.

  • Modifies Windows Firewall 2 TTPs 3 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 10 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Drops file in System32 directory 11 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Modifies data under HKEY_USERS 47 IoCs
  • Modifies registry class 16 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Installs/modifies Browser Helper Object
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies Internet Explorer settings
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2468
    • C:\Windows\SysWOW64\EhStorShell32.exe
      "C:\Windows\system32\EhStorShell32.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3028
      • C:\Users\Admin\AppData\Roaming\SysWin\lsass.exe
        "C:\Users\Admin\AppData\Roaming\SysWin\lsass.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:1712
    • C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="Windows Update Service" dir=in action=allow program="c:\windows\syswow64\chtbrkr32.exe" enable=yes profile=domain
      2⤵
      • Modifies Windows Firewall
      • Event Triggered Execution: Netsh Helper DLL
      • System Location Discovery: System Language Discovery
      PID:2132
    • C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="Windows Update Service" dir=in action=allow program="c:\windows\syswow64\chtbrkr32.exe" enable=yes profile=private
      2⤵
      • Modifies Windows Firewall
      • Event Triggered Execution: Netsh Helper DLL
      • System Location Discovery: System Language Discovery
      PID:2736
    • C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="Windows Update Service" dir=in action=allow program="c:\windows\syswow64\chtbrkr32.exe" enable=yes profile=public
      2⤵
      • Modifies Windows Firewall
      • Event Triggered Execution: Netsh Helper DLL
      • System Location Discovery: System Language Discovery
      PID:2676
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2468 -s 420
      2⤵
      • Program crash
      PID:3000
  • C:\Windows\SysWOW64\chtbrkr32.exe
    C:\Windows\SysWOW64\chtbrkr32.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    • Suspicious use of WriteProcessMemory
    PID:2684
    • C:\ProgramData\EhStorShell32.exe
      schutz
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:2060

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\142250261

    Filesize

    30B

    MD5

    c2389ed519f1079d9b472acd9b8d2b5d

    SHA1

    e678f8dd6c817841178a44be438c0d60ea93edf0

    SHA256

    1c0e6439f8fd7634fc0e0eec37b471945f97b736054d117902589723dcc621a9

    SHA512

    2c26cf40619593fe4d365f14a3e56ffbb3c889d1f9fd7e925e63a84ca31c4f0101b76515becbc831eee20c02ed413b2f921729bef8ebbffbd73d2cf3a67ea786

  • C:\Windows\SysWOW64\142250261

    Filesize

    118B

    MD5

    95e03b888e2a8e4bd54813052d14add6

    SHA1

    25a1f3c013df44792dc18ee6762155c5b9f5a1cb

    SHA256

    db20a5eb7f17ea7917fdd49ac8c5a257a0403441ef3a632e1f2a1ed991421630

    SHA512

    c2873a365e00f9eed6d849729f4f1cdd8a73dc19ed1e53202faf3e4e763f9366d6632601cc2edde68fabe825e594797fe4ed3a75839fa285a957ad2c9ecd25c5

  • C:\Windows\SysWOW64\chtbrkr32.exe

    Filesize

    1.3MB

    MD5

    ad68925c8de4f346723ddc172b416e4d

    SHA1

    80553a650296fe664ea25ca567ae85353517f1a2

    SHA256

    218f6f03046a19ccbdc91f45959eb43def38bf11fe296c5ca57192ab5454d5b9

    SHA512

    a464c8026407c0d1d8912e14022109d1a72d445f4d1cc9ab0878f19d21f332baa8a2e500a81790f08862b9e1bd5f7984a0387ea1a6bdc0200ae182c65156d2c4

  • \ProgramData\api-ms-win-core-localization-l1-2-032.dll

    Filesize

    237KB

    MD5

    89bb9ca773905940857029d2ebbaf05c

    SHA1

    7e54d91335ccfc6a71133b009ff967b260e27a07

    SHA256

    49ef211378801ab5697f63be3724f7be9b1059ca9ac3fd2ac70f803240c81dc6

    SHA512

    939c11450a3c2277be8ce1ce8ece1963ce8585d8ac2f94bb568b96c9ef769e11944e7e9a8d4f829b59262f519357eda142a4bdcb0ca454fd60f6df153c360737

  • \Windows\SysWOW64\EhStorShell32.exe

    Filesize

    201KB

    MD5

    2f7a846ff1e1107d0e4294aa1d258422

    SHA1

    c3e23bb7cacae31ac6dd462345a40dca2489f512

    SHA256

    d4dd7b5a74766aae1b4821dcd2afddaabb3e25ba109d3ba74ac3989458928d37

    SHA512

    f8e31fa3f8327dcb2453531bd4a8e3940418944881088fcce240d8a8e8bbeb593b6ebe6dc69057dc3b95f5bda8cfdc2ea2d0e6869f6e0d646010393033da48c9

  • \Windows\SysWOW64\api-ms-win-core-localization-l1-2-032.dll

    Filesize

    404KB

    MD5

    259772a6ea6441040e71b60077021e0f

    SHA1

    16221b086215c9bbbfddaeafa4cfb0c5a520cdc5

    SHA256

    dc47c9ab64dab7f3cf2c46bb63cc36c3e508a770d303d07a40cacb06dc9183a4

    SHA512

    89f3d69525a57e4f6571fe9e5064b1426a7f40087b14bc36213b93c9aea02de40d4ce2323c82ca929bf8aebc0249e5072eae36411ee4a95eab4a51fd1214651e

  • memory/1712-92-0x0000000000400000-0x0000000000438000-memory.dmp

    Filesize

    224KB

  • memory/1712-82-0x0000000000400000-0x0000000000438000-memory.dmp

    Filesize

    224KB

  • memory/2060-91-0x0000000000400000-0x000000000055B000-memory.dmp

    Filesize

    1.4MB

  • memory/2468-6-0x0000000010000000-0x0000000010088000-memory.dmp

    Filesize

    544KB

  • memory/2468-86-0x0000000010000000-0x0000000010088000-memory.dmp

    Filesize

    544KB

  • memory/2468-5-0x0000000000330000-0x0000000000379000-memory.dmp

    Filesize

    292KB

  • memory/2468-0-0x0000000000560000-0x0000000000657000-memory.dmp

    Filesize

    988KB

  • memory/2468-9-0x0000000010000000-0x0000000010088000-memory.dmp

    Filesize

    544KB

  • memory/2468-8-0x000000001005B000-0x0000000010086000-memory.dmp

    Filesize

    172KB

  • memory/2468-87-0x0000000000400000-0x000000000055B000-memory.dmp

    Filesize

    1.4MB

  • memory/2468-1-0x0000000000400000-0x000000000055B000-memory.dmp

    Filesize

    1.4MB

  • memory/2468-84-0x0000000000560000-0x0000000000657000-memory.dmp

    Filesize

    988KB

  • memory/2468-85-0x000000001005B000-0x0000000010086000-memory.dmp

    Filesize

    172KB

  • memory/2684-88-0x0000000000400000-0x000000000055B000-memory.dmp

    Filesize

    1.4MB

  • memory/2684-89-0x0000000010000000-0x0000000010040000-memory.dmp

    Filesize

    256KB

  • memory/2684-41-0x0000000010000000-0x0000000010040000-memory.dmp

    Filesize

    256KB

  • memory/2684-95-0x0000000010000000-0x0000000010040000-memory.dmp

    Filesize

    256KB

  • memory/2684-110-0x0000000010000000-0x0000000010040000-memory.dmp

    Filesize

    256KB

  • memory/3028-33-0x0000000000400000-0x0000000000438000-memory.dmp

    Filesize

    224KB

  • memory/3028-77-0x0000000000400000-0x0000000000438000-memory.dmp

    Filesize

    224KB

  • memory/3028-32-0x00000000002C0000-0x00000000002EC000-memory.dmp

    Filesize

    176KB