Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    140s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    12/09/2024, 16:06

General

  • Target

    dc934a8ebaa131044c6d2cc89a0924db_JaffaCakes118.exe

  • Size

    2.8MB

  • MD5

    dc934a8ebaa131044c6d2cc89a0924db

  • SHA1

    0ed4478358f60deaa99b7b5ca2e5e92f71363e74

  • SHA256

    8ac313b05ef8bf20d88e471ce6128287b76c2309436ca66bf4ddd7707d11e660

  • SHA512

    045439f6f54ee418d955e645762e157021bdc75eaec7db6d29a3eb2f6a347346926659c903f30d84c91754609248386f5492e95424c46c84e580504a805f76ac

  • SSDEEP

    49152:UrTt1IaV9AgZKA5acoIKwg8ydnKCgl+jSVh5APgUzStr:UrB1IaVmgM8accPe+KWCr

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dc934a8ebaa131044c6d2cc89a0924db_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\dc934a8ebaa131044c6d2cc89a0924db_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:944
    • C:\Users\Admin\AppData\Local\isass.exe
      "C:\Users\Admin\AppData\Local\isass.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2012
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\setup.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2640
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V lsass /D "\"C:\Users\Admin\AppData\Local\isass.exe \"" /f
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2688
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V lsass /D "\"C:\Users\Admin\AppData\Local\isass.exe \"" /f
            5⤵
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            • Modifies registry key
            PID:2796

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\setup.bat

    Filesize

    143B

    MD5

    330d9a81f808b287b999c76c1d932ed6

    SHA1

    95146f6f084c39395e2fae892af065e85fddb8d1

    SHA256

    4e2ba5afae8aedfb7664f479ff30667dbabee99f63c922206df98ff56456a03f

    SHA512

    4abd3d3c6b40ae046366604fdfabdc2c97a54cd4c4046452014fb1087353d216b2920650cc2d147fd6c1a79fd7d73d7cd46a8ada0a5c70de70b87b480034e812

  • \Users\Admin\AppData\Local\isass.exe

    Filesize

    537KB

    MD5

    ddd81422a680c7c089af0a939276f71d

    SHA1

    f96327e4c058d5c5717c5916ae9eee8c0bad9092

    SHA256

    74e532beb9e3580c5bb911d1954791a68f33094e19e7674ce9371f1684537b9e

    SHA512

    75109eb9bdd43f3354633704fbb4b073584e8a6ec88ec55db193e38c96468f235b93117beb32168f716cba04dd3485e85b74c14b882d99340e3abab9e9218fb2

  • \Users\Admin\AppData\Local\ntldr.dll

    Filesize

    168KB

    MD5

    6a83a047bf8ef9d04dcc2bb822e424c0

    SHA1

    ce699879cb1120f81dd94e9849e608d66cad1520

    SHA256

    35684a659874eaef5ad758afb9382949722a0bd57624b1f5fe30f05be97cfaee

    SHA512

    cba4d0d16b76657e2f5b9800aad21346fd28095cac7661081f8bf51a9dc677179fe5e37490cbd04641992d6eba81c66719c1b4002466b2d701283bb07184c140

  • memory/944-0-0x0000000000380000-0x0000000000381000-memory.dmp

    Filesize

    4KB

  • memory/944-19-0x0000000000400000-0x00000000006D4000-memory.dmp

    Filesize

    2.8MB

  • memory/2012-12-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

  • memory/2012-17-0x00000000002D0000-0x00000000002FF000-memory.dmp

    Filesize

    188KB

  • memory/2012-28-0x0000000000400000-0x000000000048C000-memory.dmp

    Filesize

    560KB

  • memory/2012-30-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

  • memory/2012-29-0x00000000002D0000-0x00000000002FF000-memory.dmp

    Filesize

    188KB