Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    29/08/2024, 00:24

General

  • Target

    c7eaa037368662cd6a645a6e0c0f7fec_JaffaCakes118.exe

  • Size

    872KB

  • MD5

    c7eaa037368662cd6a645a6e0c0f7fec

  • SHA1

    3b47345ec9806a48786a9d8771b4b0a1a597107b

  • SHA256

    300193a94005925547c3d7b0b4e0460db6ec119082e2d4fc05558894f4ec837d

  • SHA512

    a434bdebb4b7b50170e906c547bb887a112b4794ed5e686445d3ef9e3e326a67109b3ea062ac38340082113b2914b7e4c20dee93bda026fec51625f52dd1fc36

  • SSDEEP

    24576:u8ETUGNW7WJmt6VuHUD2nIVijiFM/k/6l+xs1URuNQ5CLuByHehATUrohab6RK9H:cTUGNW7WJmt6VuHUD2nIVijiFM/k/6le

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Use of msiexec (install) with remote resource 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c7eaa037368662cd6a645a6e0c0f7fec_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\c7eaa037368662cd6a645a6e0c0f7fec_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2676
    • C:\Users\Admin\AppData\Local\Temp\Ins4EDB.tmpinstall.exe
      "C:\Users\Admin\AppData\Local\Temp\Ins4EDB.tmpinstall.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2328
      • C:\Windows\SysWOW64\MSIEXEC.EXE
        MSIEXEC.EXE /i "http://dlf.pafke.eu/client/pkgs/springbok2/Springbok Casino20191018030325.msi" DDC_DID=3372131 DDC_RTGURL=http://www.cdnfile.eu/dl/TrackSetup/TrackSetup.aspx?DID=3372131%26CASINONAME=springbok2 DDC_UPDATESTATUSURL=http://190.4.88.169:8080/springbok/Lobby.WebServices/Installer.asmx DDC_SIGNUPURL=http://190.4.88.169:8080/springbok/Lobby.WebSite/SignUpUnsecure.aspx CUSTOMNAME02=referrer CUSTOMVALUE02=Direct%20Traffic SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp" SETUPEXENAME="Ins4EDB.tmpinstall.exe"
        3⤵
        • Use of msiexec (install) with remote resource
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        PID:1768

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_is5085.tmp

    Filesize

    1KB

    MD5

    ab12ed683e2123972b2367f7bcc9e1d1

    SHA1

    39f5295e814b04e0c73e48c1a3cdb7ada955b69a

    SHA256

    58358cba02428bddb6a0b7517a96abe2ba30a8edf59b8289beb3f3defcc63bb8

    SHA512

    86ea2240b06df985c5428a8c8227c264867edec8a4be5eb818b23ed35ad07b8143edd302c285fce77eeaa884348ca0c98336822fc4c6fdfd3464955e8dde097f

  • C:\Users\Admin\AppData\Local\Temp\{3496F02A-A8F5-4A3B-AA2E-A29DB2B525BC}\0x0409.ini

    Filesize

    21KB

    MD5

    be345d0260ae12c5f2f337b17e07c217

    SHA1

    0976ba0982fe34f1c35a0974f6178e15c238ed7b

    SHA256

    e994689a13b9448c074f9b471edeec9b524890a0d82925e98ab90b658016d8f3

    SHA512

    77040dbee29be6b136a83b9e444d8b4f71ff739f7157e451778fb4fccb939a67ff881a70483de16bcb6ae1fea64a89e00711a33ec26f4d3eea8e16c9e9553eff

  • C:\Users\Admin\AppData\Local\Temp\{3496F02A-A8F5-4A3B-AA2E-A29DB2B525BC}\_ISMSIDEL.INI

    Filesize

    20B

    MD5

    db9af7503f195df96593ac42d5519075

    SHA1

    1b487531bad10f77750b8a50aca48593379e5f56

    SHA256

    0a33c5dffabcf31a1f6802026e9e2eef4b285e57fd79d52fdcd98d6502d14b13

    SHA512

    6839264e14576fe190260a4b82afc11c88e50593a20113483851bf4abfdb7cca9986bef83f4c6b8f98ef4d426f07024cf869e8ab393df6d2b743b9b8e2544e1b

  • C:\Users\Admin\AppData\Local\Temp\~5082.tmp

    Filesize

    5KB

    MD5

    b880af62de4fbdcf49f0071092133ecc

    SHA1

    f229a3388ff2a34b0723bf1532b430ad9cda2a61

    SHA256

    37f07ffba5ec4cf3b0c9cc18add087493d281f2f86f801fed6f5d39ab889b65c

    SHA512

    460685297136af65bed406ef199f30eed457062bf985b3c9b85d214f755f94beb5240bd592616589c31dea7d901b4299c8f40a6896cbe9d425d3890d1e98e267

  • \Users\Admin\AppData\Local\Temp\Ins4EDB.tmpinstall.exe

    Filesize

    1.2MB

    MD5

    d18274436790f5b080b06213bd518772

    SHA1

    71d63e4fc0d685168888f98937fb8377f65946cb

    SHA256

    d4699b6d2aa6dfd33319afdb1fdc2f72776ab432acacf8f6d35f59e22c416e54

    SHA512

    99e1624aec19b41b62214f675d7b317510de364bc7d643ce55fbde7e7f54524ee17434823a1e66584f34bf5884a7eb21e5c72854ed9304884687594ecda15f9c