Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    149s
  • max time network
    129s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  • submitted
    21/08/2024, 07:54

General

  • Target

    b2aa23d6b4adb8f8623cc51498ba5c5d_JaffaCakes118.dll

  • Size

    184KB

  • MD5

    b2aa23d6b4adb8f8623cc51498ba5c5d

  • SHA1

    93c9b95d401213f3d9197a3d8c6398da335b6c96

  • SHA256

    a3a875372a18e1e91397e6c3e7f5e0ab3dba911c5908188eb9f4de48b40f0416

  • SHA512

    630639faa98888d5cd268340a4219e199df2b7d95b9ce37f961ecfa62e6d080900f9680fec2bcb74f4652a686b173537e00b5089f144519c468e185274d911d9

  • SSDEEP

    3072:QILqzszmqBPWnF3wTn/4zxHHA1qi9R2BtzwD6TCaBPQGHHfWB4ulpj4SqJOrcYHG:QLhqB4FgT/4zRg2rzqCFBPR/WBDj4OrF

Score
8/10

Malware Config

Signatures

  • Disables Task Manager via registry modification
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer Protected Mode 1 TTPs 15 IoCs
  • Modifies Internet Explorer Protected Mode Banner 1 TTPs 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 42 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 12 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\b2aa23d6b4adb8f8623cc51498ba5c5d_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2636
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\b2aa23d6b4adb8f8623cc51498ba5c5d_JaffaCakes118.dll,#1
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer Protected Mode
      • Modifies Internet Explorer Protected Mode Banner
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2676
      • C:\Windows\SysWOW64\explorer.exe
        explorer.exe
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2696
      • C:\Windows\SysWOW64\notepad.exe
        notepad.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer Protected Mode
        • Modifies Internet Explorer Protected Mode Banner
        • Modifies Internet Explorer settings
        • Suspicious behavior: EnumeratesProcesses
        PID:1736
      • C:\Windows\SysWOW64\notepad.exe
        notepad.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer Protected Mode
        • Modifies Internet Explorer Protected Mode Banner
        • Modifies Internet Explorer settings
        • Suspicious behavior: EnumeratesProcesses
        PID:2264
  • C:\Windows\explorer.exe
    C:\Windows\explorer.exe /factory,{682159d9-c321-47ca-b3f1-30e36b2ec8b9} -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2356
    • C:\Windows\system32\ctfmon.exe
      ctfmon.exe
      2⤵
      • Suspicious use of FindShellTrayWindow
      PID:2824
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2572
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2572 CREDAT:275457 /prefetch:2
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1732

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    8d81fa084ac3aaee6fb56986721cc959

    SHA1

    5395a861d3347da22e952bd4f07b55d36b4c1843

    SHA256

    77c5e931f77723a3f527217bf8f0943bffca2b7b0b8024354322684154899711

    SHA512

    a723e561d69a4c7835a668d60020074f72e4be45fc77c32bc1c19fad5d02e9b82f55c64da27bc1b541f525aac49cdf3c245599b6e8523dfd2f794016b74f91c1

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    54b00eec77b5e990b1eb8fbceb018d7f

    SHA1

    58ad22cb4dde9206698559eab016a09777aadd4c

    SHA256

    61e0f76cc46302064224a7bc615c812e31d6a2368ba19c369d879d0b5bb4fc37

    SHA512

    4b6e69744fa4969e8bac17b8300273c8232121909318892d896eda7d631e9615b0fbc6aacc846180f2fa0d8ec3e8eaaca45253d1ed9500306b368f8c3b74d147

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    44d1f401254a68d2901d3573cf19dc93

    SHA1

    f001da1bc8c2e4713047b91655479020c6deec64

    SHA256

    572c531151189ed1e68cb0a97ec46da157f49ba998e0c2fe2bd70521b2a932db

    SHA512

    c0b29617cb6c8dc2c9d9b39461aa952d1b200db7b90e7af3d7d934d2e25d15c0733e3892e0082a447fb255dee941a56ccd3b3185c3134807edc56ca1972a218d

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    f411e970df6794593657f3b055a66969

    SHA1

    6995aa4f3ad6d504d16288dee58f941b4c5a211e

    SHA256

    00745bb2a9fa0a91ab2a2d1b39606fbd985b2262413a1daa44ed7aefb36a6634

    SHA512

    fd9d52fb643620717f6961ed495712116c27875cb3e30e93320e0a8a8e4f76a9fcf06a52f2f4c94b3e32d9888ef4d8ee9e60e8cfb7a46b81fc60ed6a33045e0f

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    1fd9d58a6d98d292484ef8a4f212201b

    SHA1

    6dff932f305f95097513d305c6f15dbe5f5797d2

    SHA256

    3d85ec429a336f972a2ff791a4cd2d3ae19fb1696dcf49ddf4fb065994464f62

    SHA512

    8cca0c27adb192b715939213fa50e365d8e6a5aa91f6e24959fd0b3a90fb4d12141791f5e40f57db8ac58683d1795fbb51cc67b3a1e2154799b3bc047b3b8622

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    b77be5c1409454de9b5b8ee4327b301c

    SHA1

    cfedffbfbe6c130eb3b38baad2254313b4be00b6

    SHA256

    c572209d685bda9dd0c81593499b0e85d63c67cac058b8b29b5015342b2595c9

    SHA512

    9e849c29c18eb14ccd4f0279bb258e4bad4ffd85455c9755a039e2f4195bd732f6393af81ba6bedd3c8805581557f7c084d271417f69cfbf45e4daab850113f3

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    9eadab3faf86a1a5213cd11e705a1a65

    SHA1

    6b38f0f3c5513fe35b3bedc1ca238e435a5207f6

    SHA256

    9a421c91e33e2c15330a700e26f0f7834c1ac4361793a796ce799bb3bc26501d

    SHA512

    343a0fe38e8f727465e6db831ea269f86f580f868e12ed0e9ac4aa0cc19ea76b863a4d8756aa745cd8599b45adf0e8850bfd656088ee029478e0c3d9207bf21c

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    bd288beb7191eefa07d37a2115dbe606

    SHA1

    cb11395726f9d57513b8f8c66bb1f1f72d37486e

    SHA256

    e99ee0b73dac6f70abf2311e5ecfa7e245369ecd7db6938e860491fb47f6c6e3

    SHA512

    b6fc84d10684bdd8ecc263272ef91af0ff17ec34760934519dcbd949a2e920b9863277c4e308643da5e5e2bf59071c6d2942372cba72171433a447432b44ccc7

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    086f601bdec7a25fa6e6e361882ec074

    SHA1

    a584aaad36bae228ca57d6b4e53b3e196c8a02f1

    SHA256

    d5000709952a02cb39887cb4611671c4cea427c2843c6525aac4788abd31c7c8

    SHA512

    3634ca942883752d60aeaf1bb9dc161574140b11e92828643f1290a72d797d5394ac9c42fd3a4415106b1614a36e5830c6db3395befb55120854f466828ceeda

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    7d340decd26664916bd21ec30515171c

    SHA1

    b360f369c5419b874d5c203e7181dadc91e8711b

    SHA256

    2d3024739b54bf3a9421602eddd95238abd8362e04c2829a6ee8782173059053

    SHA512

    c80c8b1c088c530dd0ad511e7e8e5da16cc29a4f466dd819679af35f5dc2d8c6f9b0fa73fb673947cbb67b022c4c3e1b7593c0cb202d09ab106183570296be68

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    e9478bc3c6352dfe5db5a75eda6855a6

    SHA1

    808a3ba4888f196a5e1d75358412a67f8c77d8b3

    SHA256

    97f46f69ae8dbd73563f94255cc6ba1926e8af661df1ca3c0a85b61bec82f86b

    SHA512

    e33ef9a89da2b45b4c393006b4ea62def844593ef8bfa34fec20a5d694768cb3ac495dee0b07979e7f9b8d85b890cfc44fc0dd6f76849b02739ce29b1b717050

  • C:\Users\Admin\AppData\Local\Temp\Cab899D.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\Tar8DE4.tmp

    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • memory/1736-8-0x0000000000900000-0x0000000000949000-memory.dmp

    Filesize

    292KB

  • memory/1736-10-0x0000000000400000-0x0000000000402000-memory.dmp

    Filesize

    8KB

  • memory/1736-15-0x0000000000900000-0x0000000000949000-memory.dmp

    Filesize

    292KB

  • memory/1736-7-0x00000000001C0000-0x00000000001C1000-memory.dmp

    Filesize

    4KB

  • memory/1736-9-0x0000000000900000-0x0000000000949000-memory.dmp

    Filesize

    292KB

  • memory/2264-13-0x00000000001D0000-0x0000000000219000-memory.dmp

    Filesize

    292KB

  • memory/2264-12-0x00000000001D0000-0x0000000000219000-memory.dmp

    Filesize

    292KB

  • memory/2264-17-0x00000000001D0000-0x0000000000219000-memory.dmp

    Filesize

    292KB

  • memory/2356-6-0x0000000003B10000-0x0000000003B20000-memory.dmp

    Filesize

    64KB

  • memory/2676-0-0x0000000000220000-0x0000000000269000-memory.dmp

    Filesize

    292KB

  • memory/2676-14-0x0000000000220000-0x0000000000269000-memory.dmp

    Filesize

    292KB

  • memory/2676-4-0x0000000000220000-0x0000000000269000-memory.dmp

    Filesize

    292KB

  • memory/2676-3-0x00000000001C0000-0x00000000001D5000-memory.dmp

    Filesize

    84KB

  • memory/2676-1-0x0000000000220000-0x0000000000269000-memory.dmp

    Filesize

    292KB

  • memory/2676-2-0x0000000000220000-0x0000000000269000-memory.dmp

    Filesize

    292KB