Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    141s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    22/08/2024, 00:44

General

  • Target

    b5b1d763703c33438c101d5e1bf6d09c_JaffaCakes118.exe

  • Size

    1.6MB

  • MD5

    b5b1d763703c33438c101d5e1bf6d09c

  • SHA1

    199e28b5e26a679abd193ffc215f9fbd5c8062aa

  • SHA256

    0a4ff2e067fe1644dfca1f3542bc44c86e05c67ec454b7a4775a8a15afa8e367

  • SHA512

    44a3290d6c935276da2c7285980a2027df76a7c9b78fe3afb049a6abdb39729f6bf259646698b46bf56485742fcbcbd0556b06c3085d092a272573282093c1ec

  • SSDEEP

    24576:UjxJRkKup3nSivnVM2EgFurReZLX23nHxNawI7JRgRRczuf1van6gG/9Kwfmwk:0ivV5iWLXwnzEyqzkExw

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 6 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b5b1d763703c33438c101d5e1bf6d09c_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\b5b1d763703c33438c101d5e1bf6d09c_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2076
    • C:\Users\Admin\AppData\Local\Temp\win32.exe
      C:\Users\Admin\AppData\Local\Temp\win32.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2156
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 96
        3⤵
        • Loads dropped DLL
        • Program crash
        PID:3012

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Local\Temp\win32.exe

    Filesize

    4KB

    MD5

    5e5ecae8b08152c885904cde71c50dad

    SHA1

    727f24d102ab29be690c783ddc149b3a39430fb6

    SHA256

    b3550952a2474802ae5f2d2d7e75987ccd7ca23baa8ba015c3eaa6fd04b55541

    SHA512

    dd6287a8471aa575abbcf46300ac64a170c0cb19052d779c7bc0899149c6114a4e42520756dae1598e18458d94522d6c7701a7bc3a37067ac2a1616dbbf8e5ea

  • memory/2076-0-0x00000000740E1000-0x00000000740E2000-memory.dmp

    Filesize

    4KB

  • memory/2076-1-0x00000000740E0000-0x000000007468B000-memory.dmp

    Filesize

    5.7MB

  • memory/2076-2-0x00000000740E0000-0x000000007468B000-memory.dmp

    Filesize

    5.7MB

  • memory/2076-27-0x00000000740E0000-0x000000007468B000-memory.dmp

    Filesize

    5.7MB

  • memory/2156-25-0x0000000000400000-0x0000000000536000-memory.dmp

    Filesize

    1.2MB

  • memory/2156-22-0x0000000000400000-0x0000000000536000-memory.dmp

    Filesize

    1.2MB

  • memory/2156-20-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2156-18-0x0000000000400000-0x0000000000536000-memory.dmp

    Filesize

    1.2MB

  • memory/2156-16-0x0000000000400000-0x0000000000536000-memory.dmp

    Filesize

    1.2MB

  • memory/2156-14-0x0000000000400000-0x0000000000536000-memory.dmp

    Filesize

    1.2MB

  • memory/2156-10-0x0000000000400000-0x0000000000536000-memory.dmp

    Filesize

    1.2MB

  • memory/2156-12-0x0000000000400000-0x0000000000536000-memory.dmp

    Filesize

    1.2MB

  • memory/2156-11-0x0000000000400000-0x0000000000536000-memory.dmp

    Filesize

    1.2MB