Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    140s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  • submitted
    25/08/2024, 10:33

General

  • Target

    c08c4e432b1e91dd7d2eabd375d52249_JaffaCakes118.exe

  • Size

    5.4MB

  • MD5

    c08c4e432b1e91dd7d2eabd375d52249

  • SHA1

    8b3590da0ec16f4c21de4e36c847ade1aa9461f3

  • SHA256

    1969f0a523637fbeba837e4c831172815325f7eb1b7998b4bc20a63ce625166d

  • SHA512

    b3eab01de414ce3e522f4bc255cf7b29aa1a992353fbae97c331419c4968d0b1fe414d9b4fecf482d91c687cdcb99ad63bb086b0770f3b5e69aedbc82e638da9

  • SSDEEP

    24576:LXkpCNzgduJNQmn2ugeZAQbFT4B96NlpRruKc4wqXjFM5Uc1p8k2:LXJqcQRUAQkmuzjTI

Malware Config

Signatures

  • Executes dropped EXE (2 IoCs)
  • Loads dropped DLL (4 IoCs)
  • UPX packed file (7 IoCs)

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Network Share Discovery (1 TTP)

    Attempt to gather information on host network.

  • System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of SetWindowsHookEx (2 IoCs)
  • Suspicious use of WriteProcessMemory (8 IoCs)
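
The "UPX packed file" signature above is a static check. The following is an added example of how such a check is typically implemented, written for this page and not tria.ge's own signature code: it walks the PE headers to read the section table and flags the stock UPX section names (UPX0/UPX1) and the "UPX!" marker string. The sample PE it builds is constructed in the script (a bare MZ/PE/COFF header plus section table, no real code), so it runs offline. Caveat a practitioner should keep in mind: a "modified UPX" build renames its sections and strips the marker, so a miss here does not rule out packing; entropy of the last section and an entry point outside the first section are the usual next heuristics.

```python
import struct

# Single-byte-exact layouts from the PE/COFF spec:
#   DOS header: 'MZ' at 0, e_lfanew (u32) at 0x3C
#   'PE\0\0' signature, then the 20-byte COFF header,
#   then SizeOfOptionalHeader bytes, then 40-byte section headers.
COFF_FMT = "<HHIIIHH"          # Machine, NumberOfSections, TimeDateStamp,
                               # PointerToSymbolTable, NumberOfSymbols,
                               # SizeOfOptionalHeader, Characteristics
SECTION_FMT = "<8sIIIIIIHHI"   # Name + the rest of IMAGE_SECTION_HEADER (40 bytes)
UPX_MARKER = b"UPX!"           # written by stock UPX into the packed image


def pe_section_names(data: bytes) -> list:
    """Return the section names of a PE image, raising ValueError on malformed input."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    coff = e_lfanew + 4
    if coff + 20 > len(data):
        raise ValueError("COFF header truncated")
    _machine, n_sections, _ts, _symtab, _nsyms, opt_size, _chars = struct.unpack_from(COFF_FMT, data, coff)
    table = coff + 20 + opt_size
    names = []
    for i in range(n_sections):
        off = table + 40 * i
        if off + 40 > len(data):
            raise ValueError("section table truncated")
        names.append(data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"))
    return names


def upx_indicators(data: bytes) -> dict:
    """Static UPX indicators: stock section names and the 'UPX!' marker."""
    names = pe_section_names(data)
    return {
        "sections": names,
        "upx_sections": [n for n in names if n.upper().startswith("UPX")],
        "upx_marker": UPX_MARKER in data,
    }


def looks_upx_packed(data: bytes) -> bool:
    ind = upx_indicators(data)
    return bool(ind["upx_sections"]) or ind["upx_marker"]


def build_sample_pe(section_names, trailer: bytes = b"") -> bytes:
    """Construct a minimal, non-runnable PE header for testing (hypothetical sample)."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # PE header immediately follows
    coff = struct.pack(COFF_FMT, 0x14C, len(section_names), 0, 0, 0, 0, 0x0102)
    sections = b"".join(
        struct.pack(SECTION_FMT, name.encode("ascii").ljust(8, b"\0"),
                    0x1000, 0x1000 * (i + 1), 0, 0, 0, 0, 0, 0, 0x60000020)
        for i, name in enumerate(section_names)
    )
    return bytes(dos) + b"PE\0\0" + coff + sections + trailer


if __name__ == "__main__":
    packed = build_sample_pe(["UPX0", "UPX1", ".rsrc"], trailer=b"\0" * 16 + UPX_MARKER)
    clean = build_sample_pe([".text", ".rdata", ".data"])
    print("constructed UPX-style sample:", upx_indicators(packed))
    print("constructed clean sample:", upx_indicators(clean))
```

Run it against the dropped files listed further down the page by replacing the constructed samples with `open(path, "rb").read()`; the three hits the sandbox reports (UPX sections in the dropper, netview.exe and 360Safe.exe) are what this check reproduces when the section names are unmodified.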

Processes

  • C:\Users\Admin\AppData\Local\Temp\c08c4e432b1e91dd7d2eabd375d52249_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\c08c4e432b1e91dd7d2eabd375d52249_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3056
    • C:\Users\Admin\Documents\netview.exe
      C:\Users\Admin\Documents\\netview.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2508
      • C:\Users\Admin\Documents\360Safe.exe
        C:\Users\Admin\Documents\360Safe.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2936

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\Documents\360Safe.exe

    Filesize

    5.3MB

    MD5

    4d02e7c44a780042444eb61e2b4ebd17

    SHA1

    3bcdac35f082f1f37a78db85a73c4b51fc7ae450

    SHA256

    c9f9483bc864e318767c932393dd7bc42c342d3c76694bd0424f6ff7f0e2904f

    SHA512

    0a0bec282654d30a5742d60f2de823a1109163cb90ba8c9cf36b7c60bfdea6a0a6d4668372ed7e7e07d8731ae10c32c20d53dc3a81c8101b7a300cdcf9d51dd3

  • C:\Users\Admin\Documents\360netview.dll

    Filesize

    4.8MB

    MD5

    e3ce6845d6b42f44e0e0d11853deb67e

    SHA1

    7d500b8086ba6acef116d079be28c7dc41551628

    SHA256

    302f6a2917be8582898b8644e86315cb8e97211b846e589bfa00f3ac11e182dc

    SHA512

    86cb01c74181f3a37d9231031dda7ed0a7701b43a11e0e107b7aecafe2e1fee26655de089af9b8b554ff82a812063cc94ebd32acb3b1a1fa894c2041d01e0369

  • C:\Users\Admin\Documents\netview.exe

    Filesize

    361KB

    MD5

    acf082455a5294a6138f7ed97fdddcc9

    SHA1

    5a8af8350238af48f54a868d9d397b902218c982

    SHA256

    1a13f9ce9ed3717fef71392ecc5e4f1de9100985f77dea247548651e543f236e

    SHA512

    0059ba46eb11981a5cda5b71cfdf7d6bc3e22df1d0aba8d32bc11c118c61302fe3951df6ec700d353a507202b013da368eb88abdf066b2bd39f2be6af98d4106

  • memory/2508-9-0x0000000010000000-0x000000001000A000-memory.dmp

    Filesize

    40KB

  • memory/2508-15-0x0000000003310000-0x000000000346F000-memory.dmp

    Filesize

    1.4MB

  • memory/2508-14-0x0000000010000000-0x000000001000A000-memory.dmp

    Filesize

    40KB

  • memory/2508-19-0x0000000003310000-0x000000000346F000-memory.dmp

    Filesize

    1.4MB

  • memory/2936-17-0x0000000000400000-0x000000000055E400-memory.dmp

    Filesize

    1.4MB

  • memory/2936-18-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

  • memory/2936-20-0x0000000000400000-0x000000000055E400-memory.dmp

    Filesize

    1.4MB

  • memory/2936-22-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB
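
The Downloads section above is the report's file IoC set: three dropped files with MD5/SHA1/SHA256/SHA512, plus memory regions that have sizes but no hashes. The following is an added example, not part of the report or of tria.ge, of how to use those hashes in triage: it carries the MD5/SHA1/SHA256 values transcribed from the page (the SHA512s can be added the same way), computes every algorithm for a candidate file, and distinguishes a full match from a partial one. The partial case matters because MD5 collisions are cheap to construct, so an MD5-only hit against a lookalike should be treated as a lead, not a confirmation; SHA256 agreement is the one to act on. The `b"abc"` input and the directory scan helper are constructed for illustration.

```python
import hashlib
from pathlib import Path

# IoC table transcribed from the report's Downloads section.
DROPPED_FILES = {
    r"C:\Users\Admin\Documents\360Safe.exe": {
        "md5": "4d02e7c44a780042444eb61e2b4ebd17",
        "sha1": "3bcdac35f082f1f37a78db85a73c4b51fc7ae450",
        "sha256": "c9f9483bc864e318767c932393dd7bc42c342d3c76694bd0424f6ff7f0e2904f",
    },
    r"C:\Users\Admin\Documents\360netview.dll": {
        "md5": "e3ce6845d6b42f44e0e0d11853deb67e",
        "sha1": "7d500b8086ba6acef116d079be28c7dc41551628",
        "sha256": "302f6a2917be8582898b8644e86315cb8e97211b846e589bfa00f3ac11e182dc",
    },
    r"C:\Users\Admin\Documents\netview.exe": {
        "md5": "acf082455a5294a6138f7ed97fdddcc9",
        "sha1": "5a8af8350238af48f54a868d9d397b902218c982",
        "sha256": "1a13f9ce9ed3717fef71392ecc5e4f1de9100985f77dea247548651e543f236e",
    },
}

ALGOS = ("md5", "sha1", "sha256", "sha512")


def compute_hashes(data: bytes) -> dict:
    """All four digests the report lists, as lowercase hex."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in ALGOS}


def match_iocs(data: bytes, iocs=DROPPED_FILES) -> list:
    """Return [(ioc_path, status)] for every IoC sharing at least one digest with data.

    status is "match" when every digest the IoC lists agrees, "partial" when only
    some do. A partial result means either a transcription error in the IoC table
    or a sample built to collide on a weak algorithm; verify by SHA256 before acting.
    """
    observed = compute_hashes(data)
    results = []
    for path, expected in iocs.items():
        agree = [a for a in expected if observed[a] == expected[a].lower()]
        if not agree:
            continue
        results.append((path, "match" if len(agree) == len(expected) else "partial"))
    return results


def scan_directory(root, iocs=DROPPED_FILES) -> dict:
    """Hash every regular file under root and report which IoCs it matches."""
    hits = {}
    for p in Path(root).rglob("*"):
        if p.is_file():
            found = match_iocs(p.read_bytes(), iocs)
            if found:
                hits[str(p)] = found
    return hits


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, found in scan_directory(root).items():
        for ioc_path, status in found:
            print(f"{status:8} {path} == {ioc_path}")
```

The memory dumps in the Downloads list (memory/2508-*, memory/2936-*) carry no hashes, so they cannot go into this table; the 0x10000000 base of the 40KB regions in PID 2508 is the typical load address of a DLL without relocation, consistent with the dropped 360netview.dll being loaded by netview.exe, but confirming that needs the dump contents, not the hash list.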