Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    12/09/2024, 20:56

General

  • Target

    dd093f1f60c7c41bc1269520d573978b_JaffaCakes118.exe

  • Size

    9KB

  • MD5

    dd093f1f60c7c41bc1269520d573978b

  • SHA1

    77875d454160d210d3141e42ea0451a977b2de34

  • SHA256

    176d02977470034934512a168c058e3cfd7c5bbe972a81de7e6344ef8793f2b0

  • SHA512

    f7db86fe31dad316c9a7cacd62c27612524fcdecda4b7552fcd373a722de81a5042d19e422b7cb5d3908278cf154dcde147cf5ef31a04bf4cfd6e7e4b4f80c94

  • SSDEEP

    192:hZKB1E1MUtqavIdGkrDV++YQ9FaNJhLkwcud2DH9VwGfct8WF/3I:ho1E1MUtqHdzDwQLaNJawcudoD7U/F/Y

Malware Config

Extracted

Family

gozi

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dd093f1f60c7c41bc1269520d573978b_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\dd093f1f60c7c41bc1269520d573978b_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2720
    • C:\Users\Admin\AppData\Local\Temp\2646.tmp\b2e.exe
      "C:\Users\Admin\AppData\Local\Temp\2646.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\2646.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\dd093f1f60c7c41bc1269520d573978b_JaffaCakes118.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2828
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\26B3.tmp\batchfile.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2812

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\26B3.tmp\batchfile.bat

    Filesize

    2KB

    MD5

    1987e75d78b81e993191e33471a1bf65

    SHA1

    f023bac3e869953e0a8f78eecbd66a9e331e1f75

    SHA256

    239418fdff34d469f7c7e4bfca37575af889edec76cf0d506616ecfc63243b6b

    SHA512

    7e21ce5bfc1ce565d4db9d4236401dd800571bffba2f71cc1c76ab4485b2fdb98774ee4dbce8142da39edcef1e5fa860c30672e1057717db6b9c63bfe9460030

  • \Users\Admin\AppData\Local\Temp\2646.tmp\b2e.exe

    Filesize

    10KB

    MD5

    c470392f7aee32c5b054c055a9944699

    SHA1

    2d9d6c1565f6008cd20f64f7a92c2ea72d5714b4

    SHA256

    b686f257c024d1cb437cca886df536a06c10d203fdc2f011f6bddb569201cc45

    SHA512

    0c7a4fcea7e492368bef674bc9d953182dbbe497dc48430951fb3ae52000090e9f3921feadfd86eded5bd9f07652f147d7eec41b81925ac2ccc40c05cdc6598d

  • memory/2720-0-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

  • memory/2720-5-0x0000000000250000-0x0000000000255000-memory.dmp

    Filesize

    20KB

  • memory/2720-7-0x0000000000250000-0x0000000000255000-memory.dmp

    Filesize

    20KB

  • memory/2720-13-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

  • memory/2828-14-0x0000000000400000-0x0000000000405000-memory.dmp

    Filesize

    20KB

  • memory/2828-31-0x0000000000400000-0x0000000000405000-memory.dmp

    Filesize

    20KB