Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    150s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    21/09/2024, 04:31

General

  • Target

    ef121dbf59f5486348c3398f4f84cbd1_JaffaCakes118.exe

  • Size

    529KB

  • MD5

    ef121dbf59f5486348c3398f4f84cbd1

  • SHA1

    a9caeb05b4c0d8df6ded2972db08407c27b7b9cb

  • SHA256

    2d3960b135fd2036f5f21705148f94e5defac00241c90e5569787bf59bec80f1

  • SHA512

    85ba3745c1f928827b9f7333c541843e25b43431856270eb7403a3a893c24f331512a123b132121a75cdee3279aaaf8299fea341f8e0b5f2786e8c356b9463e9

  • SSDEEP

    12288:9fCCGiEGLUSA0fyPe97Dr7vuU14KuzJxv0:9fIGLUSA0mG/B14Ku/v

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ef121dbf59f5486348c3398f4f84cbd1_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\ef121dbf59f5486348c3398f4f84cbd1_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2480
    • C:\ProgramData\pE01803ImFpA01803\pE01803ImFpA01803.exe
      "C:\ProgramData\pE01803ImFpA01803\pE01803ImFpA01803.exe" "C:\Users\Admin\AppData\Local\Temp\ef121dbf59f5486348c3398f4f84cbd1_JaffaCakes118.exe"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:2652

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\pE01803ImFpA01803\pE01803ImFpA01803

    Filesize

    192B

    MD5

    9808a76c3e5f470be6c994521252d76d

    SHA1

    84be336ab794ae373627e773f5d18bdf067aaa43

    SHA256

    388b04e757dc5198f1e70662580c1f1519325b71a3fae544b7fd2f20472beee4

    SHA512

    85c8a48152988b7ddb05e3c264bedd10ab23974656e343ca128fbe432992bc666efd4a292ee4e90ec1e773ffe546b5d124a18cef6e561ce3ce6d8cc4ed3c10e8

  • \ProgramData\pE01803ImFpA01803\pE01803ImFpA01803.exe

    Filesize

    529KB

    MD5

    15777eb5b65b39e2578f25279998fa44

    SHA1

    6dfc398657a3b6694e112f2fee44724cee37ee01

    SHA256

    3aaec709243f56553f6816dbed2eae23f3f7b1a300626c90adee06a023dda88a

    SHA512

    18744bd1d8d4f27ddaea0315272496be403ab48da180d21564f81c8557c85b0be42e795bc9282e212b3fb94f8e85c3789de4d05d4a302eac7ab2781f275c47be

  • memory/2480-2-0x0000000000400000-0x00000000004D9000-memory.dmp

    Filesize

    868KB

  • memory/2480-1-0x0000000000400000-0x00000000004C2000-memory.dmp

    Filesize

    776KB

  • memory/2480-20-0x0000000000400000-0x00000000004C2000-memory.dmp

    Filesize

    776KB

  • memory/2480-19-0x0000000000400000-0x00000000004D9000-memory.dmp

    Filesize

    868KB

  • memory/2652-23-0x0000000000400000-0x00000000004D9000-memory.dmp

    Filesize

    868KB

  • memory/2652-22-0x0000000000400000-0x00000000004D9000-memory.dmp

    Filesize

    868KB

  • memory/2652-32-0x0000000000400000-0x00000000004D9000-memory.dmp

    Filesize

    868KB

  • memory/2652-42-0x0000000000400000-0x00000000004D9000-memory.dmp

    Filesize

    868KB

  • memory/2652-55-0x0000000000400000-0x00000000004D9000-memory.dmp

    Filesize

    868KB

  • memory/2652-56-0x0000000000400000-0x00000000004D9000-memory.dmp

    Filesize

    868KB