Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    102s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    08/09/2024, 05:54

General

  • Target

    d3b0f9c772ed6fb54bfcef61f80ddd2d_JaffaCakes118.exe

  • Size

    84KB

  • MD5

    d3b0f9c772ed6fb54bfcef61f80ddd2d

  • SHA1

    d70fcf763210fa261347f4e658453a4964128682

  • SHA256

    d1fe4471362a04cfffc3ac277535d5d139d48e7f2be0b5e8cb8def758882fac2

  • SHA512

    a94e925d8c58ca97d191641e69a232caebf93ac0ce5c89f27731dfeec0da07b022fe2b507c05c80a906290b584f86c3de7c64a782374cd49720077bcb1e92526

  • SSDEEP

    768:n8mK3Qnw0ZR4+i30xReKIrTgXPA/nL7hymF7frdVlq7BTIsPjBmjHHsvWgU5Q:8N3QQ+i303eKfI/X4mF87esrBmjnsuVQ

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 9 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d3b0f9c772ed6fb54bfcef61f80ddd2d_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\d3b0f9c772ed6fb54bfcef61f80ddd2d_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2840
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\.bat
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1944
      • C:\Windows\SysWOW64\rundll32.exe
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\TMP9660.TMP
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:2776
        • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
          "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\TMP9660.TMP"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          PID:2896

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\.bat

    Filesize

    173B

    MD5

    56c03b65d5a97bbc114772172de36849

    SHA1

    84f3598b8d20518dca847b0d2d324131c9b77749

    SHA256

    078dce039e69e9b9418db6e23279445a4e7f7754044fa998e6b20cf549f92b92

    SHA512

    07f9e8df4a677132984507bbf4cca5c202dbd56385e4979d4c7cbf95065e245e2435e93409f0ef2d34e9906b6f05966b662ff2469282eb3c83ae88320c30e1ad

  • C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

    Filesize

    3KB

    MD5

    09cff09f624bbd76510789ebb03f5c8c

    SHA1

    fe8d366dcc31340142c81de80fb9c801e3e5059f

    SHA256

    0471196b6e84999a8679c72e76b487cc7938529dd315713dd4ad05c86ab49214

    SHA512

    04b79537c8df4a82942ad6802cd6017346bc711b8e8a08ef6d1bebfb6972497d2dedec1cda96ca5b2f6a82df814566cd2acbe179fd46a52f2f5dabfeda817ab7