Analysis

  • max time kernel
    142s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    13/09/2024, 03:05

General

  • Target

    dd8b1b0b9002f34b6de1ce5795af7044_JaffaCakes118.exe

  • Size

    184KB

  • MD5

    dd8b1b0b9002f34b6de1ce5795af7044

  • SHA1

    21a258520bc8a5752bd301fdc30246e2d7b09cf1

  • SHA256

    49caadac601106fea44e5865d240e71989b737a27968cf07a585cb6aa7b506d5

  • SHA512

    291cdbd385222f9c5569b00446f2288db97a069c56de0f90bbc6e045d8630132a246dc1ce283350ee101a1e9b01a8e6edf4356b637768a0735d433d3b8bf4d28

  • SSDEEP

    3072:6Xj0wZchwJVqMuS4OX0ggDDIotbJKbkrQa:azZ4wzZuS4OXRmDnbJka

Score
5/10

Signatures

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: RenamesItself 2 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dd8b1b0b9002f34b6de1ce5795af7044_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\dd8b1b0b9002f34b6de1ce5795af7044_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2380
    • C:\Users\Admin\AppData\Local\Temp\dd8b1b0b9002f34b6de1ce5795af7044_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\dd8b1b0b9002f34b6de1ce5795af7044_JaffaCakes118.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:2376
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c run.bat
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3004
        • C:\Users\Admin\AppData\Local\Temp\svchost.exe
          svchost.exe
          4⤵
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2732
          • C:\Users\Admin\AppData\Local\Temp\svchost.exe
            "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2280
            • C:\Windows\SysWOW64\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\reg.vbs"
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2444

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\reg.vbs

    Filesize

    292B

    MD5

    344f0e480669a6cfd147877470601f46

    SHA1

    64a32bcf575b29267f4d2f1f834ce9cb12640dec

    SHA256

    258def3e3c6d2f23d29a96209218ba58f40dbe644938452dcfc48fd113a7bea6

    SHA512

    cd06b8630ac28b936a041566a85dde8f1c799f3dae952540f8bd07845d81ec3dae2f58b12866c9e5c6fdc5357d2cf181e87e61da641f6b2bea46f6ffaa7ef700

  • C:\Users\Admin\AppData\Local\Temp\run.bat

    Filesize

    11B

    MD5

    d1c56374fff0243832b8696d133b7861

    SHA1

    f4d236fdec2fd03914189c3b26e5cb0dfea9d761

    SHA256

    8e8eab0b4bfdc35c5f238935b81298e43970ee6818e9629d725297ebf03838a6

    SHA512

    e74cbfc425b9779b79dfb6b53dbf3d1451f9f35a766cc5167932b95c9bdb5288b65f9886fbdf3c3b180bf3a8360bfa1ef577b63e3443cae04b49e7ece433c452

  • memory/2280-23-0x0000000000400000-0x0000000000406000-memory.dmp

    Filesize

    24KB

  • memory/2280-22-0x0000000000400000-0x0000000000406000-memory.dmp

    Filesize

    24KB

  • memory/2280-28-0x0000000000400000-0x0000000000406000-memory.dmp

    Filesize

    24KB

  • memory/2376-2-0x0000000000400000-0x0000000000406000-memory.dmp

    Filesize

    24KB

  • memory/2376-4-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2376-6-0x0000000000400000-0x0000000000406000-memory.dmp

    Filesize

    24KB

  • memory/2376-8-0x0000000000400000-0x0000000000406000-memory.dmp

    Filesize

    24KB

  • memory/2376-12-0x0000000000400000-0x0000000000406000-memory.dmp

    Filesize

    24KB