Analysis

  • max time kernel
    122s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    16/09/2024, 22:41

General

  • Target
    e5b1ffd2ecd7e610d07d093d65639da9_JaffaCakes118.dll
  • Size
    498KB
  • MD5
    e5b1ffd2ecd7e610d07d093d65639da9
  • SHA1
    0ed01c2424e6fbfa6650d1c4ffd22b68bb19f9a5
  • SHA256
    066bf4cca227eae7a9e46e65fa518c08673ae7cc19e9563d36a7e4a1325f14af
  • SHA512
    930d36dcfc41415ee872d2f9ef20f7643e93b2dcda5a60b146184df7c7eb548c121fa2b60c0dd9df36a0701c2ee28cbc64725723c288e47ab27f0a3c3a871424
  • SSDEEP
    6144:MmoZkbtQmb25Zh18hqJbDqSB7Lvq2XsjYiVmOf7Yp4jOa9Upx:MmoZkmmCVRtPvq2+d/

Malware Config

Extracted

  • Family
    gozi

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

  • Server Software Component: Terminal Services DLL (1 TTPs, 1 IoCs)
  • Executes dropped EXE (3 IoCs)
  • Loads dropped DLL (3 IoCs)
  • Drops file in System32 directory (10 IoCs)
  • Drops file in Windows directory (3 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry (2 TTPs, 4 IoCs)

    Processor information is often read in order to detect sandboxing environments.

  • Gathers network information (2 TTPs, 1 IoCs)

    Uses a command-line utility to view the network configuration.

  • Modifies data under HKEY_USERS (24 IoCs)
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of WriteProcessMemory (46 IoCs)

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1200
    • C:\Windows\system32\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5b1ffd2ecd7e610d07d093d65639da9_JaffaCakes118.dll,#1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2196
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5b1ffd2ecd7e610d07d093d65639da9_JaffaCakes118.dll,#1
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2968
        • C:\Users\Admin\AppData\Local\Temp\~A776.tmp
          C:\Users\Admin\AppData\Local\Temp\~A776.tmp
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3008
          • C:\Users\Admin\AppData\Local\Temp\temp.exe
            "C:\Users\Admin\AppData\Local\Temp\temp.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:1672
    • C:\Windows\system32\sysprep\sysprep.exe
      "C:\Windows\system32\sysprep\sysprep.exe" "C:\Users\Admin\AppData\Local\Temp\net.exe" "C:\Windows\system32" ""
      2⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:2828
      • C:\Users\Admin\AppData\Local\Temp\net.exe
        "C:\Users\Admin\AppData\Local\Temp\net.exe"
        3⤵
        • Server Software Component: Terminal Services DLL
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        PID:2848
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Checks processor information in registry
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2612
    • C:\Windows\SysWOW64\ipconfig.exe
      ipconfig /all
      2⤵
      • System Location Discovery: System Language Discovery
      • Gathers network information
      PID:1992

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\net.exe
    Filesize: 245KB
    MD5: a0e350787e4134ea91ccb26d17cdf167
    SHA1: 8e7e89865b73424151c148d1341ce5de935c176a
    SHA256: 23f765758b3071fd7f0a36b2040148cf637fd08e6a62fa7d9abf785480673bd0
    SHA512: 89ba5f1e5d5014953f20b19fbcf008ec89d25cbfd63380e267e343b2c9c580a2d88f2e5c5092225947f99bc06bf2270ca28c63e1918093063bc1391aa5028036

  • C:\Users\Admin\AppData\Local\Temp\~A776.tmp
    Filesize: 492KB
    MD5: b990752f8266d7648070bea7e24d326f
    SHA1: cc221465dac981f4934fef39d41ddb2e1d26299f
    SHA256: 5b3e07ff6d930392b8749e68a54b1e04062794d1dafff226fb61ba4baf8bbfc6
    SHA512: 8be894f68eaa0f0393ea85fe9008da95c244b2f0f8c157fa0487b22c6d249dd98ce3d21d631792b0dc8109a7f152f336bfab423031c2a724ca2606a716aca613

  • C:\Windows\SysWOW64\dnlist.ini
    Filesize: 60B
    MD5: 8b85f1eaed63f13d1166ae1e6c9f99b3
    SHA1: a371b5feb47256cff158c0069955f4443a2ed1b5
    SHA256: cd01a8cc40a88ccd60fe952349077ca238736f3979a6846a357da3b439a543ab
    SHA512: 0a5da969449fe515ddce213621639e6748fd4c6b44e308bd5dddd375840bb49a5c944c4bf2cf5c72e4858e2f976af52235119dee7c6f6e892d5f59381fb9b867

  • C:\Windows\SysWOW64\enumfs.ini
    Filesize: 62B
    MD5: 1cb2bd0b87e183ad83f62f063bed5d97
    SHA1: 9a781b008af6d73ce028a330f27585916b0b8dbf
    SHA256: 8655efa5d1fb64221c84ffd02d9b1fa48f4b9994a15e6e6069af0e7963ef7db7
    SHA512: 125871840f4f9f685799da8fa02ee6fbf2599b367d821f2d15d08a9395492bbd292e47048f40aecdce2ee179b30ce2170f95c36fc6f48e8dc28d5ae421a4c21f

  • C:\Windows\SysWOW64\system_t.dll
    Filesize: 854B
    MD5: 92479c7beb463e01e82d1f82be2915c5
    SHA1: 4c3f7ecf6378c216eafbeabdb5a90347bdf4f647
    SHA256: c2e6b34b1e9db0ad8154231f5ea49b4e9cdea64b822232e8fd0ad882c8bbc405
    SHA512: 43668f93623905f6d279e06e25b8d1507e51d34b84592bf28aeefec2a68c96405aa7931b6abe7f592636c62bfe390a9fd32a56cb31710c992d87a6eecbe2dab0

  • C:\Windows\system\config_t.dat
    Filesize: 155B
    MD5: ec9f5e4fca22eb66886fd4465c9253ef
    SHA1: 409f5160da72ff9e31a03b52a2a198163001edca
    SHA256: 6d668b8daed87cb6e4486086af367d2b655c15706d2d0dc1c9ee846dba3b13b2
    SHA512: acaef1ab8663aa48489cafd3b89d1fc61e43b3078d8caec77b66a89ec1afe4e4201ef2677c7651da1ec4ed408afaeb2d9d2fa265ab6a1cd92891fb872b78d4d3

  • \??\c:\windows\SysWOW64\fastuserswitchingcompatibilityex.dll
    Filesize: 200KB
    MD5: 150a2c1b800c6370f9c8a3781568ef83
    SHA1: 6cc2aed29b672b7026c0fabd3285984488aaeaf3
    SHA256: e5f0e0a014e19a8aef99286e6bfd04b7c1258f5a2a5ce2b3ef5d96ec0ac60be3
    SHA512: 54ffa28ccfcfe3f16078a4a7eaf8f9b10718082bbdb5148c0a2219ff556002105e49c3e88605ef11bbab45f0a704777c10195bfbe93179d6d27c616ea7b37538

  • \Users\Admin\AppData\Local\Temp\temp.exe
    Filesize: 86KB
    MD5: 425609a2c35081730982a01d72a76cbe
    SHA1: 64f95fe985a7ef7ee4f396e36279aa31498ac3cc
    SHA256: e03145fefe7fef82c2a476d7dec03305d7da79cd3c8fe1578177580175febbd3
    SHA512: 6ede1415ac51d588a71bfb5697a599eb777e9530240b7a3524626d2a230bb51017c9b3d05923c5cb41800cca9818f2d99484310390a0425ef8e48984c4c9cfd4

  • memory/1200-13-0x0000000002D20000-0x0000000002D21000-memory.dmp
    Filesize: 4KB

  • memory/1200-19-0x0000000002D70000-0x0000000002D71000-memory.dmp
    Filesize: 4KB

  • memory/1200-35-0x0000000003000000-0x0000000003001000-memory.dmp
    Filesize: 4KB