Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    141s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    25/09/2024, 04:19

General

  • Target

    f52a8823fc92aeb456f50df7da8c9dd6_JaffaCakes118.exe

  • Size

    11.0MB

  • MD5

    f52a8823fc92aeb456f50df7da8c9dd6

  • SHA1

    1bc7a25a01e3cf95633cc83d946e642f46d36fb7

  • SHA256

    c8cf169897093d492b462e8bfc6cf549568d42886cede23c070555beedc6269d

  • SHA512

    23f141155dfa4801956afd63c34e0d9c267ef820f05b1c212a3297b41bd4a5faef5b67f73dcaf5915b230529ff556e9faa2960e92317ff3af3fa979773007e3d

  • SSDEEP

    98304:PCYkkAjcg5NBKO3dgq4+DGEvQPAGyrodP8VP4MW6yLO239bxU:PH45NBKO3dW/FCrodP6P4MOLO2

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 10 IoCs
  • Drops file in System32 directory 4 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f52a8823fc92aeb456f50df7da8c9dd6_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\f52a8823fc92aeb456f50df7da8c9dd6_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2260
    • C:\Users\Admin\AppData\Local\TMP2584.exe
      C:\Users\Admin\AppData\Local\TMP2584.exe pth:C:\Users\Admin\AppData\Local\Temp\f52a8823fc92aeb456f50df7da8c9dd6_JaffaCakes118.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1376
      • C:\Users\Admin\AppData\Local\Temp\TMP1001.tmp
        C:\Users\Admin\AppData\Local\Temp\TMP1001.tmp C:\Users\Admin\AppData\Local\Temp\f52a8823fc92aeb456f50df7da8c9dd6_JaffaCakes118.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2840
        • C:\Users\Admin\AppData\Local\Temp\TMP9110.TMP
          C:\Users\Admin\AppData\Local\Temp\TMP9110.TMP
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: GetForegroundWindowSpam
          PID:2704
        • C:\Users\Admin\AppData\Local\Temp\TMP9660.TMP
          C:\Users\Admin\AppData\Local\Temp\TMP9660.TMP
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2772
          • C:\WINDOWS\NETCONFIG.EXE
            C:\WINDOWS\NETCONFIG.EXE t
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:692
            • C:\WINDOWS\SysWOW64\YPAGER.EXE
              C:\WINDOWS\SYSTEM32\YPAGER.EXE t
              6⤵
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of SetWindowsHookEx
              PID:1992

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\TMP011.tmp

    Filesize

    768B

    MD5

    81010dd57e7f38595d91ce8707e452dd

    SHA1

    8811dedc9e0f72ca7b071f522edbd48d6d27bfed

    SHA256

    f2d4e45fa0ebd3e824e528af354d6d1d0a97817702e1052e405ebbfd1973eefe

    SHA512

    67ca1dc018986f714ffdcbc61733973c250f5a1281eac9574ad58eb88d61344530ffa16553526470395a125e8bba1349a5fb5a803a1ef8ab83f5315b24014cba

  • C:\Users\Admin\AppData\Local\Temp\TMP9660.TMP

    Filesize

    28KB

    MD5

    63b67601532b24151c39d1b6ef131d52

    SHA1

    1a85634027bbceddc598295154f0310c3f648c0f

    SHA256

    c7956a8f024c515fb031e061007e904125fffc5fcd5ede27f5e8efa764f523d5

    SHA512

    65c6c6b0325b1e3eda11a078714115842034cd596830da29a5b33a217eb8d8a645c82483f39b10825992c4bfa4d54413ab954e82cc30a885641fba0ed5db6527

  • \Users\Admin\AppData\Local\TMP2584.exe

    Filesize

    10.9MB

    MD5

    7e6f3fe40408d1caa99ce4a725764686

    SHA1

    22d5307f2a686d71eb1a8f36437c8dd65e425f79

    SHA256

    60768a80ab229d40ca3a7f2854ae082492744da6e8df1ae1a31919fa05f4c65a

    SHA512

    4b2b1b8404ba0c8194c762c790572ae66115f9413e50bce6461a2e599ec628caa64cfbaddba2de2c4e019f36337e2974a9f29d9b4060f7f993f1d2acc2ffe4ea

  • \Users\Admin\AppData\Local\Temp\TMP9110.TMP

    Filesize

    10.9MB

    MD5

    08f13823a350561d9864b269f0552c5a

    SHA1

    4a9e30c8a2a1ebd86fe7c8e35b878cee5920c49e

    SHA256

    b3306409ecbb3ea2eaaff453a5b8441a1c22b1d42651eb0fade931e3ff574cf5

    SHA512

    dda3a0bb2cfdbab8f39bb29e975a20dd4d946ff413e540b49507d73a44ab1b708d4fb46d0f9743db7430a083019fdf3748ece466d1a5ab4035e4dafbb742ddf1

  • memory/692-81-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

  • memory/1376-85-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

  • memory/1992-82-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

  • memory/2704-33-0x0000000000230000-0x0000000000231000-memory.dmp

    Filesize

    4KB

  • memory/2704-87-0x0000000000230000-0x0000000000231000-memory.dmp

    Filesize

    4KB

  • memory/2704-86-0x0000000000400000-0x0000000000EF1000-memory.dmp

    Filesize

    10.9MB

  • memory/2772-83-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

  • memory/2840-84-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB