Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    19s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    19/09/2024, 06:39

General

  • Target

    eac6a3591dcf8489a54a18fb5fa92b8c_JaffaCakes118.exe

  • Size

    2.1MB

  • MD5

    eac6a3591dcf8489a54a18fb5fa92b8c

  • SHA1

    fe57a970c24d49ae996168baf5e5497a8cd26e1a

  • SHA256

    9635b597491f5d3cb1fa30bb5325a12566efb8f217a9c898bb13e9d9e3e02224

  • SHA512

    0324dc0b04ab3d311f79469faa05b119bc30e3bd248c68a9620768ec6fff1f583f6de42abf80238efa2e9c9df1b63337adc255bc1f0202c5ea5355d8f14100a3

  • SSDEEP

    24576:5Z/gsBHsPLAqp80VMzn9m+Y5CnkXnrmV9/+RcKFFcBgfkKkChmyzTcCeJjAKlxiB:r/g4HsNp8n9wInkw/ShhmyzQWS+

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\eac6a3591dcf8489a54a18fb5fa92b8c_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\eac6a3591dcf8489a54a18fb5fa92b8c_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2380
    • C:\Users\Admin\AppData\Local\Temp\WindowsUpdateApplication.exe
      C:\Users\Admin\AppData\Local\Temp\\WindowsUpdateApplication.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2304
      • C:\Users\Admin\AppData\Local\Temp\iTV2HwOA\14405.exe
        "C:\Users\Admin\AppData\Local\Temp\iTV2HwOA\14405.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2280

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\iTV2HwOA\14405.exe

    Filesize

    1.2MB

    MD5

    7d5e861227157521ecb0e6ae9f573043

    SHA1

    7a7b66f65ae70d49386a77eea177ddbc6a775c00

    SHA256

    3ada214d162f2019e22c4d1f9ee613a60f9616f6e5c25bd52f0fab683da77897

    SHA512

    7b82274a6e48a40b5e5d0377d2e115372efd187193e6de21efcf76ab7b00036bfef5c547985f452cfff0773b751cf34736d94f592636ce88b51cc22e58eabd7d

  • \Users\Admin\AppData\Local\Temp\WindowsUpdateApplication.exe

    Filesize

    1.3MB

    MD5

    ffbfe221230b32ef116bd262301f15e6

    SHA1

    accafd9ef0d05357a045b8bad6da0e203521e607

    SHA256

    bdb86cd16b95fa7d991996e0a3342e4c8c87854f7f3998b89ea9a28090d06c4c

    SHA512

    97d3d46c28c955b6599a207a5d464e3dbea6b46d5e5acaa1d89e25bfa8217641855bcd9e63669858d128157beb35353b680729fbf27e33b09209acc9dcd3e006

  • memory/2280-18-0x0000000000400000-0x0000000000436000-memory.dmp

    Filesize

    216KB

  • memory/2304-8-0x000007FEF662E000-0x000007FEF662F000-memory.dmp

    Filesize

    4KB

  • memory/2304-10-0x000007FEF6370000-0x000007FEF6D0D000-memory.dmp

    Filesize

    9.6MB

  • memory/2304-11-0x000007FEF6370000-0x000007FEF6D0D000-memory.dmp

    Filesize

    9.6MB

  • memory/2304-16-0x000007FEF6370000-0x000007FEF6D0D000-memory.dmp

    Filesize

    9.6MB

  • memory/2380-0-0x0000000074C9E000-0x0000000074C9F000-memory.dmp

    Filesize

    4KB

  • memory/2380-1-0x0000000000400000-0x000000000043A000-memory.dmp

    Filesize

    232KB

  • memory/2380-2-0x0000000074C90000-0x000000007537E000-memory.dmp

    Filesize

    6.9MB

  • memory/2380-19-0x0000000074C90000-0x000000007537E000-memory.dmp

    Filesize

    6.9MB