Analysis

  • max time kernel
    101s
  • max time network
    36s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
  • submitted
    19/09/2024, 05:53

General

  • Target

    eab4ebaf1dcca2b019223a1e354f9aa3_JaffaCakes118.exe

  • Size

    1.1MB

  • MD5

    eab4ebaf1dcca2b019223a1e354f9aa3

  • SHA1

    178fe0bfaf34665ef337fd3988403dfce4249ba2

  • SHA256

    0091c0b5c287f8d52fe7933ddfdd5e6e12a7b309db39ed2bd8acbc4fc1047c1f

  • SHA512

    181ec1ed218afedfcb9e0ece32627dd847ebeb0e8f33a425b8e9c8007e4e9d109b129b4bcf8b76e078813b0a95e95591257b0b2c18579aa1a0764b91df2d302d

  • SSDEEP

    24576:iSKt+3FNyMEw96rPHMS3u4g/brAqn/4Lu7BI7/hfCSfb:iSK8owkrVbgTcuQLoy74

Score
7/10

Malware Config

Signatures

  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\eab4ebaf1dcca2b019223a1e354f9aa3_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\eab4ebaf1dcca2b019223a1e354f9aa3_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2252
    • C:\Windows\SysWOW64\msiexec.exe
      C:\Windows\system32\msiexec /i c:\4e1bdeefc76dfc7bc637e5046fcd09\msxml6.msi /l*v C:\Windows\msxml6-KB954459-enu-x86.LOG
      2⤵
      • Enumerates connected drives
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:112
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2708
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 2ED9DB1754A347AA0029F551E9E1C163 C
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:2732

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\MSI91E5.tmp

    Filesize

    68KB

    MD5

    dad6fcc3436c77a57c912c28250a51f2

    SHA1

    d27192fca955b4fd6e19480f08dcefe96d2b8b42

    SHA256

    47e5051c1bee424e6a35b97d08c7ba1ce64bf9898acb5e4e280cffd4e0daa7ee

    SHA512

    ed3378c67efc65ad41a6fb6f55752a9f5df2fadb32984a76e41bd024b71bce22997774318536a7cd088bfb755b57280850c177d54094a0b97af4711585d772c5

  • \??\c:\4e1bdeefc76dfc7bc637e5046fcd09\msxml6.msi

    Filesize

    1.6MB

    MD5

    cbf07298d25b980ff850fb7eedb84b1c

    SHA1

    f5863519d4a2b56b04f474a7b4d447fcce578ace

    SHA256

    41f1291c9a1cfeb4f1d114ec2653a04611fafca21993d7a71923d2389ab2f35f

    SHA512

    3f5d1628faaaa9b5ecf1624cb3f8417961fcb92682583ffa4a2d1311baa7fd78df8434582158da34f536556e898bc3fe7730493b0213834e0f197d0cad06cb74