Analysis

  • max time kernel
    121s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    21/09/2024, 13:43

General

  • Target

    efeaf61884f24bbeaa102f6e0db825c2_JaffaCakes118.exe

  • Size

    2.8MB

  • MD5

    efeaf61884f24bbeaa102f6e0db825c2

  • SHA1

    f2bbe1945df6d24bacfe26023b755d9bf2aef13a

  • SHA256

    570610d2f1528a084e353bd021555828071bfb53dd468cf2f3c4376de4a907e3

  • SHA512

    e23830729108830ee38cfe3cb35ddcc6de40bc28df9de439591b361d29722819ca09960c33e0782055225a18025241d805fe45c7f39d0a83cdad5bc8613f6c53

  • SSDEEP

    49152:F/mU3ZPXAC0yRsjssRnFPCoz1rYZe0JKKyJkuDNZfjLu37sPV1shP7qbkz7F:FOYZPQOKSSYZlJEhZf87hD1p

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 5 IoCs
  • Modifies system executable filetype association 2 TTPs 4 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 64 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\efeaf61884f24bbeaa102f6e0db825c2_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\efeaf61884f24bbeaa102f6e0db825c2_JaffaCakes118.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2420
    • C:\Users\Admin\AppData\Local\Temp\KDMADV
      "C:\Users\Admin\AppData\Local\Temp\KDMADV"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2108
      • C:\Program Files (x86)\Winrar\uninstall.exe
        "C:\Program Files (x86)\Winrar\uninstall.exe" /setup /s
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Modifies system executable filetype association
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        PID:1124

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\Winrar\Rar.txt

    Filesize

    79KB

    MD5

    02895529cf23198acc7a4b5e49ce9f4b

    SHA1

    b9a871086b8aafa46b26cb538bc2fef796b2dbdb

    SHA256

    3cecdd7b52cb758265ff3212c753e559f2805a1aea83c52b160e051a172b2434

    SHA512

    cd85593d0e3dbe9ef8e4a90f8282e95f02bd1b0262543ceb07200814a7127810b7ba9bb22b460195ac1258d90d3d1ff9d1c4d434c785c68b2afe8074c8c72a63

  • C:\Program Files (x86)\Winrar\WinRAR.exe

    Filesize

    946KB

    MD5

    1191d84c20f70bb4d84ae689e3e57f07

    SHA1

    1ba1d6d6a3d66cf9472df63434ec7ca17ac3d951

    SHA256

    c075e812f293f1dcfce5dc4f8bcf3cd42f8a526deb9251c9af27726a85e969e2

    SHA512

    13660b8060c0cbd3fe7c7eb6677c058266e8a8658dd66a01c01300f75bb3cd14abf0f97375b3a1242904954255e1639bd6f2d0cace51899eac5ac9bea88ea16e

  • C:\Program Files (x86)\Winrar\uninstall.lng

    Filesize

    3KB

    MD5

    e03e107021c4e5b5a3bb87858aaabce3

    SHA1

    6d0251244b74e9fbe1358cd10936735a4eda1d82

    SHA256

    358fe6ea647eab82e3b2282b234c2a44fd5912067e51d1ef0f0c739d37f3ecb7

    SHA512

    e51857ae5d9d25f02d1789fdde3607124e981ccbda2c4372089bb915224849fb2a2b9aad129c33f134d14283d29f81eb52716d350463dcf169c4ba78d5d22dfb

  • C:\Users\Admin\AppData\Local\Temp\KDMADV

    Filesize

    2.7MB

    MD5

    0205797fc7e324f9c76dc0cea939ef7c

    SHA1

    29d3f0677e307c53c2e7ec4b6387c6578a867f6d

    SHA256

    cb81891482eb031146f8c3b41915145eb90ccc2506b91e8bd311ca2af722d465

    SHA512

    668b58415d6d8ba2fa3bda59ef529b29c67b415289dac9afebf2f6fcc25c37a67c9ae94443e4f1ca89692bf5724fb794e49739737dbf24aee064482fc795487b

  • C:\Users\Admin\AppData\Roaming\Microsoft\NRCXZEHQY.exe

    Filesize

    102KB

    MD5

    78b36b9806bb69ea0b6f19290e75f382

    SHA1

    324ab16611cd6dfc44d21eb35fc56fa06bd6fd26

    SHA256

    70b1df6c46f61e09a04eac922f7adc436b5c8fd40fc14d3fc0fbcd11a3151e49

    SHA512

    45f89fb8ece46cf86568eee95da1ae6880c21c5d60f3666010dba6020d7251ce887542a911d42e006c24b3c9269ebd97511142e4fecfbfd99edbf2e2a960ee81

  • \Program Files (x86)\Winrar\Uninstall.exe

    Filesize

    98KB

    MD5

    3e20c4b85982e3cbd7655659a6800fc7

    SHA1

    c47a37416ac19089e8cbfd1b7bfc397d3f51fc51

    SHA256

    88b1f1f7cbf71d539908a91359264cc7a78f786db33447af5b0bd35f33f82833

    SHA512

    c0bf182c80a715602674f2771bfea4af2ff31182d0dcbce1f9fd70a829134eb2226e6614e9b40a3f33646e499f421ed6e5157f0fd1b8418f4430496e3ef4c2ff

  • memory/1124-146-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

  • memory/2108-24-0x0000000000400000-0x0000000000427000-memory.dmp

    Filesize

    156KB

  • memory/2108-133-0x0000000000400000-0x0000000000427000-memory.dmp

    Filesize

    156KB

  • memory/2420-23-0x0000000002690000-0x00000000026B7000-memory.dmp

    Filesize

    156KB

  • memory/2420-147-0x0000000000400000-0x000000000041D000-memory.dmp

    Filesize

    116KB