Analysis

  • max time kernel
    141s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    23/08/2024, 13:40

General

  • Target

    bbf623d9290d3978cded5be9afe6de3a_JaffaCakes118.exe

  • Size

    108KB

  • MD5

    bbf623d9290d3978cded5be9afe6de3a

  • SHA1

    d59cadcc8ef8cb8f9d67e402c698872f0425153f

  • SHA256

    e26efcefcacd60b0a30deec4c349bd0f7db3f9264eb92b35235e618c2111a994

  • SHA512

    2808bb3b5323a93443f522bbec385228e9a34a1b4430b75560a80b33a9054e111903e44f8816545e649b63e8d9ff9ebbc41862b4905268708aa0b42f6a8ba832

  • SSDEEP

    3072:S01G98h0qXYvDNL4KQkL2OsINxhc5bZHhsVMh:ZPJYrNL1Qk7Nc5bnh

Malware Config

Signatures

  • Modifies firewall policy service 3 TTPs 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bbf623d9290d3978cded5be9afe6de3a_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\bbf623d9290d3978cded5be9afe6de3a_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2300
    • C:\Windows\system\715088.exe
      "C:\Windows\system\715088.exe" /start
      2⤵
      • Executes dropped EXE
      PID:2228
  • C:\Windows\system\715088.exe
    C:\Windows\system\715088.exe
    1⤵
    • Modifies firewall policy service
    • Executes dropped EXE
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    PID:2948

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\web\ddid

    Filesize

    6B

    MD5

    e75b08f0d677b3ef0529a0155226cd08

    SHA1

    5de7c9b224bcc67ef76cf0b36acc75e1b36ee7c6

    SHA256

    963a10d3ff62c00bfbaeea29186160fd40f5935dee2a5efa7aa46129530d1548

    SHA512

    fa202c912002aa48e1892cdfb9b62f767501bfc642bf08b1e14c3eab755c4b1689310068cc073fd066633510f7a3e04e2f75935e21b725c71e8791bdcd91ce2f

  • C:\Windows\web\ddnm

    Filesize

    10B

    MD5

    441d58b3ebe63c10c22729ead5caf7aa

    SHA1

    8fbf8c42d7df9ab740645d245e1b23b1f0c48b87

    SHA256

    cdd067497eeb857400af41f2e448d161752458903512c9050da8232bb9b53013

    SHA512

    414e2f1c6ec6e6ca70beb4c07c7501cf5cbdd7b64f598fea785450605b88b7c578fe1efa262bbb5c6e2ab783ec2d37105939ee8e3b691181725834fe34eb44f4

  • C:\Windows\web\ddsn

    Filesize

    5B

    MD5

    0a8ddaad1c78d73b557663e728653f32

    SHA1

    cdd1be8014c739ee9eda16d16a0fd81a0b7ab6de

    SHA256

    9a1827d1c058dbd0d02109c5f11d6fd78ca942ae6ce1c2c5b16bf3acc8f91369

    SHA512

    f1aaa24b0d6ee52e2eaa6322dca32636a5ad377e819962d96da9b9d8d961f2f038048de11e288ca58191efa104e62cfb11949c9fe54bb9002c19de2d5d79a690

  • C:\Windows\web\result.dark

    Filesize

    32B

    MD5

    bb20a835bd1210468af8014aa6a022cd

    SHA1

    f3a93f807ff651d1b2ca1efb65a258de036a9fb4

    SHA256

    5f0f9de4feeb753b9c4bef8cb56070a3b681d8129f19e3874e39e99a105dd152

    SHA512

    1aa2e4b9185a68e3d1260c2189e49b9a16cf20fbc53260d974d2857728ff9b1d2a755a74df86d57e40850e157e6e13020898daa719c19b50e376fc5ec5cf7d98

  • \Windows\system\715088.exe

    Filesize

    108KB

    MD5

    bbf623d9290d3978cded5be9afe6de3a

    SHA1

    d59cadcc8ef8cb8f9d67e402c698872f0425153f

    SHA256

    e26efcefcacd60b0a30deec4c349bd0f7db3f9264eb92b35235e618c2111a994

    SHA512

    2808bb3b5323a93443f522bbec385228e9a34a1b4430b75560a80b33a9054e111903e44f8816545e649b63e8d9ff9ebbc41862b4905268708aa0b42f6a8ba832

  • memory/2228-29-0x0000000000400000-0x0000000000561000-memory.dmp

    Filesize

    1.4MB

  • memory/2228-18-0x0000000000400000-0x0000000000561000-memory.dmp

    Filesize

    1.4MB

  • memory/2228-23-0x0000000000400000-0x0000000000561000-memory.dmp

    Filesize

    1.4MB

  • memory/2228-24-0x0000000000400000-0x0000000000561000-memory.dmp

    Filesize

    1.4MB

  • memory/2300-16-0x0000000000400000-0x0000000000561000-memory.dmp

    Filesize

    1.4MB

  • memory/2300-6-0x0000000000400000-0x0000000000561000-memory.dmp

    Filesize

    1.4MB

  • memory/2300-0-0x0000000000400000-0x0000000000561000-memory.dmp

    Filesize

    1.4MB

  • memory/2300-5-0x0000000000400000-0x0000000000561000-memory.dmp

    Filesize

    1.4MB

  • memory/2300-30-0x0000000000400000-0x0000000000561000-memory.dmp

    Filesize

    1.4MB

  • memory/2948-26-0x0000000000400000-0x0000000000561000-memory.dmp

    Filesize

    1.4MB

  • memory/2948-27-0x0000000000400000-0x0000000000561000-memory.dmp

    Filesize

    1.4MB

  • memory/2948-33-0x0000000000400000-0x0000000000561000-memory.dmp

    Filesize

    1.4MB

  • memory/2948-34-0x0000000000400000-0x0000000000561000-memory.dmp

    Filesize

    1.4MB