Analysis

  • max time kernel
    120s
  • max time network
    129s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    24/08/2024, 14:32

General

  • Target

    becbe4f5100b858411dcb51e5719529d_JaffaCakes118.exe

  • Size

    2.0MB

  • MD5

    becbe4f5100b858411dcb51e5719529d

  • SHA1

    553c284d440a34fda1cc3772c98639267002c7a4

  • SHA256

    7fdaabb625a6180627b307a4f8d533c2eeceef480157c7067849cf20b09fddea

  • SHA512

    93c6d25789b7c9d26e5a191569d88cefe5c02f868a6088c2d1ec6d8ddd0643372ab25affaecfa6dc5406addf228d858d92fccbf5f487d2e03d312284423fe679

  • SSDEEP

    49152:LV9yIArXjY4LjAs/p98gieBhDiY6Vt9TRAia2H1:n2jDLn/p8CwXVSia2V

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\becbe4f5100b858411dcb51e5719529d_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\becbe4f5100b858411dcb51e5719529d_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    PID:2136
  • C:\Users\Admin\AppData\Local\Temp\becbe4f5100b858411dcb51e5719529d_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\becbe4f5100b858411dcb51e5719529d_JaffaCakes118.exe" s -sid 1
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1448
    • C:\Users\Admin\AppData\Local\Temp\becbe4f5100b858411dcb51e5719529d_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\becbe4f5100b858411dcb51e5719529d_JaffaCakes118.exe a
      2⤵
      • Writes to the Master Boot Record (MBR)
      • System Location Discovery: System Language Discovery
      • Modifies data under HKEY_USERS
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2076

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\AeroAdminLog.txt

    Filesize

    68B

    MD5

    aaa954b723eb50223afa71436daf15ed

    SHA1

    838b1ab1aaf2ddf736bd639f75d683fbe99c7f30

    SHA256

    bc49dda35b98b68f76de02d357ad0486fffd5609f7c2c8b1af318df2da688e5e

    SHA512

    825de193ddec9c1c483bd4789a22a3fdf192d16161b3a3b5ee2c30b08b4468a50395ab126ee05fd664bdcf9ea0c3f152015687e56b274079865c2c1af94e12b6

  • C:\AeroAdminLog.txt

    Filesize

    114B

    MD5

    5e69a737174f60d0e30e154675974ac8

    SHA1

    2a67a203e2e7e9a25288c23d46fdd686b7f8d551

    SHA256

    af31d9f01458c40e1a75be01529abcf236cc7fd1783af98afc32125a131c66eb

    SHA512

    fe97e9724e8ed9aba112ec5ca7b444e0fb8ca5f329a63b4e57964099c367db8d1c6b192685441118e9da210cd9fde37412ceaafe1a8f776948cbc479c7b9b814

  • C:\ProgramData\Aeroadmin\config

    Filesize

    657B

    MD5

    dc1de55ff9a76ee24f6cdbe2d28d8a37

    SHA1

    d044cc6a20e71c39d779a8890b2da1a26a769ed1

    SHA256

    76bf7e29e288d4313c2be083b548b9f6c516dd008c37c46f1a6ce0f4632afc48

    SHA512

    9eaf117fca45fdbb01345637cf10115fa6516fb04ab3bd2680ebff0e8b8268a2ac8529bba0ca80ca67f280fe4182e602a5693f84a349957bff217ff9edad9808