Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    121s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    08/09/2024, 01:10

General

  • Target

    d334ea90cbebc979ab607ff4b08aabe2_JaffaCakes118.exe

  • Size

    578KB

  • MD5

    d334ea90cbebc979ab607ff4b08aabe2

  • SHA1

    fda1e4b0f7460806edf5f405b08af2618be5db0d

  • SHA256

    3f854ce008a01984333c517f9c04f8c6ec9dd12fa2d4e1bd72c73409220ee47b

  • SHA512

    86c9557efea35498e1d32221e0306c21da70432fe2e32fcddeb1ee9927eb754b3104932a9928f5d4a1cf5e24a4dbbf55aaefd051a6dc67b4e6992749e0a99c28

  • SSDEEP

    12288:WybTTsjZIs4nPRENOO4uBojmG7H1CjAjG7bca31+MSwvNmqfc1K0yi:WybTAipD32wj0ounUcvNMU0

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Use of msiexec (install) with remote resource 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d334ea90cbebc979ab607ff4b08aabe2_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\d334ea90cbebc979ab607ff4b08aabe2_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2872
    • C:\Users\Admin\AppData\Local\Temp\Ins8315.tmpinstall.exe
      "C:\Users\Admin\AppData\Local\Temp\Ins8315.tmpinstall.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:884
      • C:\Windows\SysWOW64\MSIEXEC.EXE
        MSIEXEC.EXE /i "https://flshmonte.cntntdnfiles.eu/client/pkgs/coolcat/Cool Cat Casino20200129033801.msi" DDC_DID=9385578 DDC_RTGURL=http://www.cdnfile.eu/dl/TrackSetup/TrackSetup.aspx?DID=9385578 DDC_DOWNLOAD_AFFID=14227 DDC_UPDATESTATUSURL=http://190.4.94.37:8080/coolcat/Lobby.WebServices/Installer.asmx DDC_SIGNUPURL=http://190.4.94.37:8080/coolcat/Lobby.WebSite/SignUpUnsecure.aspx CUSTOMNAME02=trackingID CUSTOMVALUE02=CCC83c4ecc76b83e6df007e9289eb26463f SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp" SETUPEXENAME="Ins8315.tmpinstall.exe"
        3⤵
        • Use of msiexec (install) with remote resource
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        PID:2952

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_is85D8.tmp

    Filesize

    1KB

    MD5

    5f75ae6d0fe628bd5320e3b619dd2ae5

    SHA1

    2b13647d3640a16f245d398885b677f97e0b11e8

    SHA256

    2d6985a0d00108fa102f5446225614dc150519668e7a7aed707dffaebd85cbe8

    SHA512

    c13235094ac0708cdb4a1f26042540854fe3ee935b02518c70ca01819b60509db75b30230afbf659fea76a2604c7e48d5cf5fe803a25ef61cb7a60f80551a3d7

  • C:\Users\Admin\AppData\Local\Temp\{E5A09684-6F9C-4D0A-9103-CBB28774DDF4}\0x0409.ini

    Filesize

    21KB

    MD5

    be345d0260ae12c5f2f337b17e07c217

    SHA1

    0976ba0982fe34f1c35a0974f6178e15c238ed7b

    SHA256

    e994689a13b9448c074f9b471edeec9b524890a0d82925e98ab90b658016d8f3

    SHA512

    77040dbee29be6b136a83b9e444d8b4f71ff739f7157e451778fb4fccb939a67ff881a70483de16bcb6ae1fea64a89e00711a33ec26f4d3eea8e16c9e9553eff

  • C:\Users\Admin\AppData\Local\Temp\{E5A09684-6F9C-4D0A-9103-CBB28774DDF4}\_ISMSIDEL.INI

    Filesize

    20B

    MD5

    db9af7503f195df96593ac42d5519075

    SHA1

    1b487531bad10f77750b8a50aca48593379e5f56

    SHA256

    0a33c5dffabcf31a1f6802026e9e2eef4b285e57fd79d52fdcd98d6502d14b13

    SHA512

    6839264e14576fe190260a4b82afc11c88e50593a20113483851bf4abfdb7cca9986bef83f4c6b8f98ef4d426f07024cf869e8ab393df6d2b743b9b8e2544e1b

  • C:\Users\Admin\AppData\Local\Temp\~85D5.tmp

    Filesize

    5KB

    MD5

    0a6ba72b9789f4089285981753328492

    SHA1

    844ffa367c2ea0f092dc0163c6917f29727001cd

    SHA256

    daa522079e132d69ff0e971a35f4147f936a8237be9591076398e8e7036064b6

    SHA512

    26c00421c1073eddc0b4f8ab1810b12014603d39ea2e8dda67c57b3fe71ffba1e8eed72cdecb5bac9a7d2fe3ac57c1833edd61f1cf467cca4e008e549f701078

  • \Users\Admin\AppData\Local\Temp\Ins8315.tmpinstall.exe

    Filesize

    1.2MB

    MD5

    4630c542fd8d8aaeaf1e23a355014f8c

    SHA1

    e63be2f709e5ae112bea8a5d655042592e39ec2d

    SHA256

    edcec4c9ab0a1878b502e5da78328ba4a1e863cffcf74fc0d7181c6226aea2f1

    SHA512

    1904cf351e93295eba00757197e1bfddbc8a62a318d53dc3cbeaa89c93a57f0522a22defd3ca612016aadab9d2db09eed1a5b38e653dfbb9fbff79e531b47ebd