Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    117s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    09/09/2024, 17:16

General

  • Target

    d6c6359592a83e5da9946e1ab11476ee_JaffaCakes118.exe

  • Size

    135KB

  • MD5

    d6c6359592a83e5da9946e1ab11476ee

  • SHA1

    b6a8e9f610e235754c5372476fc178b52423fe3c

  • SHA256

    6f01fdc45dd5cfa5fcc02cf8e9f819979a7653f0e0704aa6dfb90e58f17b0a22

  • SHA512

    c56ab5df22338de2380a5f6aa29d4db7fbca29ea6bd6cb16059acfcae11d979a8b2e024bacd426f00a11a79a0cf7add6441240d1a611958023aa06efe1855ca8

  • SSDEEP

    3072:e97HgvA7LsCiud4wqApzWh6rfEqeMy9Iout:27Hgv2IfuN7pjE79IoS

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d6c6359592a83e5da9946e1ab11476ee_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\d6c6359592a83e5da9946e1ab11476ee_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2100
    • C:\Windows\SysWOW64\proxysvc32.exe
      C:\Windows\system32\proxysvc32.exe 500 "C:\Users\Admin\AppData\Local\Temp\d6c6359592a83e5da9946e1ab11476ee_JaffaCakes118.exe"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2544
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\del.bat C:\Windows\SysWOW64\proxysvc32.exe
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2204

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\del.bat

    Filesize

    136B

    MD5

    bfcf9cc6d1c37953dfa43312e2c36140

    SHA1

    07a4c0f29b282c34be24c312c4b920e479f4cee0

    SHA256

    bac7cce52aeba3a2e2ce2bb6aebf50ffa65530d0d51ca49a2abc7f4e43ce3ce5

    SHA512

    fb661474557e7168d4050607863b57649fa12a26ab9bd06078ae3254d003d76cfed4eac3d0a78a56eaf0ecc5b231d52788b6c8688cb14b0c86a37efe90f5f53a

  • \Windows\SysWOW64\proxysvc32.exe

    Filesize

    135KB

    MD5

    d6c6359592a83e5da9946e1ab11476ee

    SHA1

    b6a8e9f610e235754c5372476fc178b52423fe3c

    SHA256

    6f01fdc45dd5cfa5fcc02cf8e9f819979a7653f0e0704aa6dfb90e58f17b0a22

    SHA512

    c56ab5df22338de2380a5f6aa29d4db7fbca29ea6bd6cb16059acfcae11d979a8b2e024bacd426f00a11a79a0cf7add6441240d1a611958023aa06efe1855ca8

  • memory/2100-0-0x0000000000400000-0x000000000049F000-memory.dmp

    Filesize

    636KB

  • memory/2100-12-0x0000000002500000-0x000000000259F000-memory.dmp

    Filesize

    636KB

  • memory/2100-11-0x0000000002500000-0x000000000259F000-memory.dmp

    Filesize

    636KB

  • memory/2100-15-0x0000000000400000-0x000000000049F000-memory.dmp

    Filesize

    636KB

  • memory/2544-13-0x0000000000400000-0x000000000049F000-memory.dmp

    Filesize

    636KB

  • memory/2544-17-0x0000000000400000-0x000000000049F000-memory.dmp

    Filesize

    636KB

  • memory/2544-20-0x0000000000400000-0x000000000049F000-memory.dmp

    Filesize

    636KB