Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    19/09/2024, 06:22

General

  • Target

    eac050822db1aa99525c558710a10890_JaffaCakes118.exe

  • Size

    292KB

  • MD5

    eac050822db1aa99525c558710a10890

  • SHA1

    f6acbf828316d9715e2f1d6326107bef3608c3da

  • SHA256

    835315b4c0b0f6f2086e1304167bc6d60ef05312bd2ac41591ab58baeaa6e5eb

  • SHA512

    16f7f93a38fe49e46dea4113502c8378a15f6dc03a58d3036f110e681be6f3a27e2e409e9c28488c93ee20fe22ec8128f5d3f98ed8956e1b93c57218a18ca59e

  • SSDEEP

    6144:/bXE9OiTGfhEClq9lPAav5NR1vopNPagyaSl/I6tV/:jU9XiuiOBV0hSxL

Score
8/10

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in Program Files directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Runs .reg file with regedit 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\eac050822db1aa99525c558710a10890_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\eac050822db1aa99525c558710a10890_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2536
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Program Files (x86)\ololo\test5.bat" "
      2⤵
      • Drops file in Drivers directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2824
      • C:\Windows\SysWOW64\regedit.exe
        regedit -s snapshot.reg
        3⤵
        • System Location Discovery: System Language Discovery
        • Runs .reg file with regedit
        PID:2928
    • C:\Program Files (x86)\ololo\i144.exe
      "C:\Program Files (x86)\ololo\i144.exe"
      2⤵
      • Executes dropped EXE
      PID:2764
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    PID:2064

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\ololo\3t.jpg

    Filesize

    72KB

    MD5

    8a2afe805d180f87121533fa07e7fa93

    SHA1

    95c9f46aab77859ec575aa1aea22c9c5be7278ae

    SHA256

    aaadbbd06877a7f67129bcbd6f7d1e71f93690a541d5b291cd2e0bcb8b45f048

    SHA512

    ee47100de3bcf43e74d8c54d511d63a8195b2e2bf46e8f27e6bc9f6af6753f753e594f77baaedec5f79289d003b6794be7ddd7e6fe019fd9045fc6b1952a0c73

  • C:\Program Files (x86)\ololo\p.txt

    Filesize

    4B

    MD5

    2f2c42d6bed9cbfed344c08ddd28a554

    SHA1

    c2e366cb09097d46de6695665b647aec6e00437e

    SHA256

    63512f53cc19a54417c287b6dd08939ae77a9301034614782e28ce9e924a9769

    SHA512

    4445d27f501773944239f72f4f5907b1e7c28e3c4a8324d645f739bbb06ba730269eb60dd5540743343146f926711d169a018ca6204e8736ebe7739757338fe3

  • C:\Program Files (x86)\ololo\test5.bat

    Filesize

    34KB

    MD5

    4198fbd64294b2f0f5b7770715caeb5d

    SHA1

    92d7584a042c9a59bdd43aee593250a803c0e6db

    SHA256

    9b12133b28204540cef563d0e8cf20a6a8ebb2e3d91991584ecca2616fc71598

    SHA512

    693791bdc12c3542cd726c4edeb6330f12e4ba1a7eac7f8980d5e356df4de00561a17fd8dd7dfe75879a54723941f6c3e2cfb7325f3661046fb912d7851b3174

  • \Program Files (x86)\ololo\i144.exe

    Filesize

    149KB

    MD5

    a6c35a1d588ba6e856203f63f4bf957f

    SHA1

    ad68bc2bcde52b0b06ad27dc8fe91608b715d8f2

    SHA256

    6aca9bae324d234fb3f9a293035c0a7f9f357553068fd5333662205228f724bf

    SHA512

    881788889c1b000a897cd5b7e890c434e5b423244abff9d3c5a7cd2a9f9205d6f0814ca408563e413214cbf9bddd978024daea86a29255609f3b74e16db25623

  • memory/2064-20-0x00000000001A0000-0x00000000001A2000-memory.dmp

    Filesize

    8KB

  • memory/2064-21-0x0000000000260000-0x0000000000261000-memory.dmp

    Filesize

    4KB

  • memory/2064-61-0x0000000000260000-0x0000000000261000-memory.dmp

    Filesize

    4KB

  • memory/2536-19-0x0000000003710000-0x0000000003712000-memory.dmp

    Filesize

    8KB

  • memory/2536-38-0x0000000000400000-0x0000000000427000-memory.dmp

    Filesize

    156KB

  • memory/2764-41-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB