Analysis

  • max time kernel
    19s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    19/09/2024, 06:39 UTC

General

  • Target

    eac6a3591dcf8489a54a18fb5fa92b8c_JaffaCakes118.exe

  • Size

    2.1MB

  • MD5

    eac6a3591dcf8489a54a18fb5fa92b8c

  • SHA1

    fe57a970c24d49ae996168baf5e5497a8cd26e1a

  • SHA256

    9635b597491f5d3cb1fa30bb5325a12566efb8f217a9c898bb13e9d9e3e02224

  • SHA512

    0324dc0b04ab3d311f79469faa05b119bc30e3bd248c68a9620768ec6fff1f583f6de42abf80238efa2e9c9df1b63337adc255bc1f0202c5ea5355d8f14100a3

  • SSDEEP

    24576:5Z/gsBHsPLAqp80VMzn9m+Y5CnkXnrmV9/+RcKFFcBgfkKkChmyzTcCeJjAKlxiB:r/g4HsNp8n9wInkw/ShhmyzQWS+

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\eac6a3591dcf8489a54a18fb5fa92b8c_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\eac6a3591dcf8489a54a18fb5fa92b8c_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2380
    • C:\Users\Admin\AppData\Local\Temp\WindowsUpdateApplication.exe
      C:\Users\Admin\AppData\Local\Temp\\WindowsUpdateApplication.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2304
      • C:\Users\Admin\AppData\Local\Temp\iTV2HwOA\14405.exe
        "C:\Users\Admin\AppData\Local\Temp\iTV2HwOA\14405.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2280

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\iTV2HwOA\14405.exe

    Filesize

    1.2MB

    MD5

    7d5e861227157521ecb0e6ae9f573043

    SHA1

    7a7b66f65ae70d49386a77eea177ddbc6a775c00

    SHA256

    3ada214d162f2019e22c4d1f9ee613a60f9616f6e5c25bd52f0fab683da77897

    SHA512

    7b82274a6e48a40b5e5d0377d2e115372efd187193e6de21efcf76ab7b00036bfef5c547985f452cfff0773b751cf34736d94f592636ce88b51cc22e58eabd7d

  • \Users\Admin\AppData\Local\Temp\WindowsUpdateApplication.exe

    Filesize

    1.3MB

    MD5

    ffbfe221230b32ef116bd262301f15e6

    SHA1

    accafd9ef0d05357a045b8bad6da0e203521e607

    SHA256

    bdb86cd16b95fa7d991996e0a3342e4c8c87854f7f3998b89ea9a28090d06c4c

    SHA512

    97d3d46c28c955b6599a207a5d464e3dbea6b46d5e5acaa1d89e25bfa8217641855bcd9e63669858d128157beb35353b680729fbf27e33b09209acc9dcd3e006

  • memory/2280-18-0x0000000000400000-0x0000000000436000-memory.dmp

    Filesize

    216KB

  • memory/2304-8-0x000007FEF662E000-0x000007FEF662F000-memory.dmp

    Filesize

    4KB

  • memory/2304-10-0x000007FEF6370000-0x000007FEF6D0D000-memory.dmp

    Filesize

    9.6MB

  • memory/2304-11-0x000007FEF6370000-0x000007FEF6D0D000-memory.dmp

    Filesize

    9.6MB

  • memory/2304-16-0x000007FEF6370000-0x000007FEF6D0D000-memory.dmp

    Filesize

    9.6MB

  • memory/2380-0-0x0000000074C9E000-0x0000000074C9F000-memory.dmp

    Filesize

    4KB

  • memory/2380-1-0x0000000000400000-0x000000000043A000-memory.dmp

    Filesize

    232KB

  • memory/2380-2-0x0000000074C90000-0x000000007537E000-memory.dmp

    Filesize

    6.9MB

  • memory/2380-19-0x0000000074C90000-0x000000007537E000-memory.dmp

    Filesize

    6.9MB
