Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    14s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    29/08/2024, 05:21

General

  • Target

    c848d232b608b58efebcf58d043e747b_JaffaCakes118.exe

  • Size

    24KB

  • MD5

    c848d232b608b58efebcf58d043e747b

  • SHA1

    26e36b4ff354eaac8b2f52aaf9521fb85bfd36b9

  • SHA256

    862b0eb5a300bbbafb177d3ec6290420652ce40e436d69eace1fdb24d3eee8c9

  • SHA512

    4b709c05a03236b584e342754517dddd9a00134d2dbcd94ba1d95a81dc3be3cf9ae68b3a724110b9da0d696363bfae39e531a240fb5ab5826b712e62d4ae04f4

  • SSDEEP

    384:E3eVES+/xwGkRKJ031lM61qmTTMVF9/q530:bGS+ZfbJ0FO8qYoAk

Malware Config

Signatures

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Drops file in Program Files directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Gathers network information 2 TTPs 2 IoCs

    Uses commandline utility to view network configuration.

  • Runs net.exe
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c848d232b608b58efebcf58d043e747b_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\c848d232b608b58efebcf58d043e747b_JaffaCakes118.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1052
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ver >c:\windows\temp\flash.log & cmd /c set >>c:\windows\temp\flash.log & ipconfig /all >>c:\windows\temp\flash.log & tasklist >>c:\windows\temp\flash.log & net start>>c:\windows\temp\flash.log & netstat -an >>c:\windows\temp\flash.log
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2968
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c set
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2196
      • C:\Windows\SysWOW64\ipconfig.exe
        ipconfig /all
        3⤵
        • System Location Discovery: System Language Discovery
        • Gathers network information
        PID:2556
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2220
      • C:\Windows\SysWOW64\net.exe
        net start
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2780
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 start
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2860
      • C:\Windows\SysWOW64\NETSTAT.EXE
        netstat -an
        3⤵
        • System Location Discovery: System Language Discovery
        • Gathers network information
        • Suspicious use of AdjustPrivilegeToken
        PID:2880

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \??\c:\windows\temp\flash.log

    Filesize

    8KB

    MD5

    0fe9d1c3e0b6df3905577fbbc968e74e

    SHA1

    f851af7c3ae4bdb36597f7b0c5d80732baf9e97d

    SHA256

    414e61e015c687bd2bea2aa71be573f624a1768693328e3703f03fd8f3867d57

    SHA512

    d4a57330c6e5bfdf5ebe044f44d04c3da2f225d50eb2146cdf1fd142fb70335f06cad5bdcdf39ba783a635ca82f2366cc3ccff094d4221c07309c7adf0927963