Analysis

  • max time kernel: 149s
  • max time network: 130s
  • platform: windows7_x64
  • resource: win7-20240708-en
  • resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted: 25/08/2024, 05:10

General

  • Target: c00377b6b0d9c85b5ef6aa4f161148bb_JaffaCakes118.exe
  • Size: 1.8MB
  • MD5: c00377b6b0d9c85b5ef6aa4f161148bb
  • SHA1: becc018a9c15cca8145be7528fd07bd52d49260a
  • SHA256: f93f1c2aaf4779058b2bf46ab18e7b829b7980f51f896eaf4a67dc7c206ad5f6
  • SHA512: 4c487f9eb59d5b7a0db6f676b757b8d4ce16b144b061a748d54f54f5421712d4589fb8c7ce34922736cdb91fd7b6e2dbe3645c8dfa43976be6de53dba2a73878
  • SSDEEP: 49152:+CIt+FvkUSkVs13YROIL/+fGQ6F3XSDYxyFWymzkz:pq+FzSkVfHaGQ6tXSbwrkz

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 9 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Drops file in System32 directory 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 46 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 9 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c00377b6b0d9c85b5ef6aa4f161148bb_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\c00377b6b0d9c85b5ef6aa4f161148bb_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:576
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1588
      • C:\Windows\SysWOW64\bpk.exe
        C:\Windows\system32\bpk.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Installs/modifies Browser Helper Object
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        PID:2824

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\bpk.exe
    Filesize: 424KB
    MD5: 5ac7c0441c8c0d87b3f8d77be175d0db
    SHA1: e8b93a012a04cb7e81dbb664ce17485449994014
    SHA256: 456a43ed759f12a354dcad49a8d3d906c438c648ba3d00c719e65709c7764f09
    SHA512: f94b1434268cba4c99d80d41eccbece84bc28eb8c2973680c8babd6bb7097f96e5bd5190a5d1ea73c613ca3010725f7bcee1dd5b0511827eb196ca8dc9a5cdf9

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\bpkhk.dll
    Filesize: 24KB
    MD5: 23fab0e0b3051cf99ba91c6166dd0e9b
    SHA1: 6499395e8c962f28d5e4b153b3860491ff9fea78
    SHA256: 1d3f50ce0b1d4a0ac6ccd72df7fc1686ba4adaf6a01d06134dfe46dee0aa513e
    SHA512: 693c21c798bf5cd62b52b19c6f6ab57cc2c1a4374bf0d06d9e8a1db3bb750803185269ec8b369b4e39835b332edae84ce2680406e91778d65678c0c29d4767ff

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\bpkwb.dll
    Filesize: 40KB
    MD5: 1687a4fc6c2cd78d6c53b8b404d55094
    SHA1: 16a4e9b9d2b7dc8d682727d45e290e73617d68f4
    SHA256: a31be0c1aaf84620dd3525aefd5a72cf4602360249d2b9b3022d275a3bc52d47
    SHA512: 6c4abc31bf9f9025d321394978caf6d1b2b48af0e9a7756664a221619e2e29b965554de0df69026eb06a76ac27edbc20723993c3f867ed6b7932fe3bf99fa885

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\inst.dat
    Filesize: 996B
    MD5: ff6aec2f376fbd07e9fc332b58274bca
    SHA1: 5bf6258fc084a2065d5d287b50a72abf8a510dd2
    SHA256: 03cf09c23322291d9caab84022ecf21f55230b8c0690b3e6070058bebe9f230b
    SHA512: 1797e7f2ac9a7d0c36a17f4644b8a6c345a9f0963ad4c09830720038fa4a1d21c0f00c1abd4ed3160a20576ffb72bdcb8ab3a24dfbd272f6efb564114683a380

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\mc.dat
    Filesize: 30B
    MD5: 726259f004ad6c0d0490661cb3b5590a
    SHA1: 90622e1d93570bc7c9725435729d351587bf552d
    SHA256: 698906992c310cfb176f09e61610b2bfbc39fcba0e9875fa454788c7ec764c97
    SHA512: e864a584cb64ecca84eb2ac0e2cbc30ccfaf543866975b05b79d0a435fcc1794707c10621dcb80fa905e5364be63067b36a5052076eaba3be428f4439b91f014

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\pk.bin
    Filesize: 4KB
    MD5: d53c7d15098117bf35eb0bbb598cdce2
    SHA1: 1521bf1dea4dc6e7b46b1d344d556225f3fe0c6b
    SHA256: ea78b57a2224352b6adea36c3522f55d4d1fe392b89b0dd39f0b1800aa8233af
    SHA512: 9f7af5affa14249460146466832c118a63819b3e7dedad254d022f702ba019ef5cc1ce05a30667f9cb070eafa51ee19145e134ce0b274f372dfc16650fb90ef8

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe
    Filesize: 7KB
    MD5: fbe4bab53f74d3049ef4b306d4cd8742
    SHA1: 6504b63908997a71a65997fa31eda4ae4de013e7
    SHA256: 446658dd5af649857fff445c600f26cdc1d0c19c86a080f312b89b1890182092
    SHA512: d458ab806a3ed3d1494a13ad8a75df874a0b227cb4f337996cb82df3c4a26dc9c4fe48a664b53b052a4af123ea8d89911d9d9493870e6b5992d5621a32260c2f

  • C:\Windows\SysWOW64\bpkhk.dll
    Filesize: 24KB
    MD5: 9ac9028338d1b353a7cacb563bb91df7
    SHA1: a20c5dee8f05c91686324cec2d5b092bafe58339
    SHA256: 93c0e7f41d5d74217189e4cc2d5cdb8f97d8e5eeef0a0dcf4cecd67e3393682c
    SHA512: ac83c8f7b6fe913487015d8d7a2e430e917d230b6b2907150f6c4a73bf64c3a02320dddc29fea03db5df8ac5620d8a902fe7be80ba1b1bd1e6f5b8b1b016ddfe

  • C:\Windows\SysWOW64\bpkwb.dll
    Filesize: 40KB
    MD5: 21d4e01f38b5efd64ad6816fa0b44677
    SHA1: 5242d2c5b450c773b9fa3ad014a8aba9b7bb206a
    SHA256: 3285df0c25d4b9b6d5ccbe166a3ce3d04f5cb3a0d61c8bf29bf5f953e51b0977
    SHA512: 77dae941676a56664da89c7670d29ed5402032c8040df1cc231986733c78f0dc56c41f7a276ec9ea8336e3fa2bfc68d3121048e9585bf0d8a98917d799f669b8

  • C:\Windows\SysWOW64\mc.dat
    Filesize: 30B
    MD5: 4428a3048e142e7a72cdcf7ab3b6132e
    SHA1: 749cd5926b84a88f418cdb01fe51a38b92cd3ff9
    SHA256: b6c25055ee4c3902d93fc477520905282446ad0482fbbcd704de120141ce84d2
    SHA512: 2ff6e482ccb8ca9bfd62ffca9d0b0acfa6e22e6f2f8fc2e2748ea127cc5c3e79c448d207176a249765bcc1b17be9702242a8603cef8829fccb486422f7bfa234

  • C:\Windows\SysWOW64\pk.bin
    Filesize: 4KB
    MD5: ef7d5819d56fb51515614caf7684295a
    SHA1: f510cee06e60e7feff19e6d7bf0cb843c319a9db
    SHA256: cbee09a630dd1ad22c2e42ce9220310665769509c77db9d2b9b1a6299aae29c1
    SHA512: 5f19881bc95e8c6dc7e7c9a8ee79e6e31b93c6559f9f43f6a16c161f6851e3311671e10bc792292a89dff3f9183167adb07d2d825a1c89961eace403cbda510d

  • \Windows\SysWOW64\bpk.exe
    Filesize: 424KB
    MD5: 994ffae187f4e567c6efee378af66ad0
    SHA1: 0cc35d07e909b7f6595b9c698fe1a8b9b39c7def
    SHA256: f0b707b1ab25024ba5a65f68cd4380a66ef0ce9bb880a92e1feee818854fe423
    SHA512: bd5320327a24fbab8934395d272869bfa97d77a2ee44ac6eec8fa79b3ffbd4a049bf9dfeeb6b8cc946c295a07bd07ddba41d81c76d452d2c5587b4bf92559e0a

  • memory/576-62-0x0000000000400000-0x0000000000418000-memory.dmp
    Filesize: 96KB