Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    141s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    20/08/2024, 14:35

General

  • Target

    af9b49382fd1ea3aa712c56aad185e93_JaffaCakes118.exe

  • Size

    500KB

  • MD5

    af9b49382fd1ea3aa712c56aad185e93

  • SHA1

    c3d600c76d232799d429b4626edc5f886f2bd2d3

  • SHA256

    d8c412ae42dea69fdce6a80c697bc15b6c1e246565f4af1964e0f9e3a1004074

  • SHA512

    63d14399aa66cc53a308be9d244706c2df7aec09d1d5427981ddb8b078f48fea20d77b147c4862fb3c88b386cc93635abe3f807d0ec9f7d573288b3ff2a908e7

  • SSDEEP

    12288:wgYawyT9ee45i16+8GrkroHg3YS/XgMvizOvLdoTRY:rYN3e4g1v8tEHLS/XbiKLuV

Score
7/10

Malware Config

Signatures

  • Loads dropped DLL 1 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\af9b49382fd1ea3aa712c56aad185e93_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\af9b49382fd1ea3aa712c56aad185e93_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2268
    • C:\Users\Admin\AppData\Local\Temp\af9b49382fd1ea3aa712c56aad185e93_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\af9b49382fd1ea3aa712c56aad185e93_JaffaCakes118.exe"
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2144

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Local\Temp\ptsFD91.tmp

    Filesize

    84KB

    MD5

    78bd7f85d17bf25377d895cda042e663

    SHA1

    7a2997106287c763bc898e4fd7d516145dc2539b

    SHA256

    1c888945ca459fd4d8c0ee2f8df2bfd9c4dadac72c3bcf3238d862e8f67acd25

    SHA512

    a06206356f7b378c1958d441944691ef4036c9a68963abb51b62e03c4582d8932051daf82468b29b31493b5479808351bf6286eb36cc4bf299ebabe6bcc67ea3

  • memory/2144-12-0x0000000000020000-0x0000000000022000-memory.dmp

    Filesize

    8KB

  • memory/2144-3-0x0000000000400000-0x0000000000526000-memory.dmp

    Filesize

    1.1MB

  • memory/2144-5-0x0000000000400000-0x0000000000526000-memory.dmp

    Filesize

    1.1MB

  • memory/2144-14-0x0000000000400000-0x0000000000526000-memory.dmp

    Filesize

    1.1MB

  • memory/2144-13-0x0000000000400000-0x0000000000526000-memory.dmp

    Filesize

    1.1MB

  • memory/2144-11-0x0000000000400000-0x0000000000526000-memory.dmp

    Filesize

    1.1MB

  • memory/2144-1-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2144-19-0x0000000000020000-0x0000000000022000-memory.dmp

    Filesize

    8KB

  • memory/2144-20-0x0000000000400000-0x0000000000526000-memory.dmp

    Filesize

    1.1MB

  • memory/2268-0-0x0000000000400000-0x000000000048C000-memory.dmp

    Filesize

    560KB

  • memory/2268-10-0x0000000001C90000-0x0000000001D1C000-memory.dmp

    Filesize

    560KB

  • memory/2268-8-0x0000000000400000-0x000000000048C000-memory.dmp

    Filesize

    560KB

  • memory/2268-18-0x0000000001C90000-0x0000000001D1C000-memory.dmp

    Filesize

    560KB