Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    142s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    28/09/2024, 23:04

General

  • Target

    fd5264cc18e3667fc791b47fca75a7ae_JaffaCakes118.exe

  • Size

    1.8MB

  • MD5

    fd5264cc18e3667fc791b47fca75a7ae

  • SHA1

    a38aba26dd142be6aab2605a38e523cd17bc318b

  • SHA256

    cded0d1fb8f8892a03c3e345491b91a6a74d478b15d0b944ee1577d410c445ac

  • SHA512

    0ca8cf9781660f26fdce5b02637146c2f6fe763c3c6dc0f6c807649f987a2fc6026a1bc315fc6bfe25789cf96af60f257c4ce1d19453e07dfdec8b2ea85936b6

  • SSDEEP

    49152:XXLQ2SbDJKQvvwV968vqeyyt4j6p+kW1OMzlij8HVT:XbQPbDJKr/vF+j66ONYHx

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Adds policy Run key to start application 2 TTPs 4 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 5 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • ASPack v2.12-2.42 1 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Executes dropped EXE 4 IoCs
  • Identifies Wine through registry keys 2 TTPs 2 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

  • Loads dropped DLL 7 IoCs
  • Themida packer 12 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • Drops file in System32 directory 7 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 16 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fd5264cc18e3667fc791b47fca75a7ae_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\fd5264cc18e3667fc791b47fca75a7ae_JaffaCakes118.exe"
    1⤵
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2504
    • C:\Windows\OIIIII.EXE
      "C:\Windows\OIIIII.EXE"
      2⤵
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2884
      • C:\Windows\SERVER.EXE
        "C:\Windows\SERVER.EXE"
        3⤵
        • Modifies WinLogon for persistence
        • Adds policy Run key to start application
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Loads dropped DLL
        • Modifies WinLogon
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:284
        • C:\Windows\SysWOW64\fservice.exe
          C:\Windows\system32\fservice.exe
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in System32 directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2428
          • C:\Windows\services.exe
            C:\Windows\services.exe -XP
            5⤵
            • Modifies WinLogon for persistence
            • Adds policy Run key to start application
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Loads dropped DLL
            • Modifies WinLogon
            • Drops file in System32 directory
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:764
            • C:\Windows\SysWOW64\NET.exe
              NET STOP srservice
              6⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:1684
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 STOP srservice
                7⤵
                • System Location Discovery: System Language Discovery
                PID:492
            • C:\Windows\SysWOW64\NET.exe
              NET STOP navapsvc
              6⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:1644
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 STOP navapsvc
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1044
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 764 -s 572
              6⤵
              • Loads dropped DLL
              • Program crash
              PID:1660
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Windows\SERVER.EXE.bat
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2916
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    PID:2800

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\GODOFREDO.JPG

    Filesize

    18KB

    MD5

    f3d51d16edc99bf0d78b8bebb03f6fb1

    SHA1

    62a50b6fa9f8cd2876b8c1d45f83e631efcb577e

    SHA256

    d2f3fdfa6f95e24490ec7c8ce7adf6e936e89cbe0ba79e42c85a0ccabded541d

    SHA512

    50b12ac00eec861306a498c3d52433308a8471798ad7509f628201eac07cbe6ca780af8f823e0865e7edc84ed5a15bcdd4027e15a16bc0ff055e597c5270eb6e

  • C:\Windows\OIIIII.EXE

    Filesize

    1.1MB

    MD5

    b84e643b3bbf13bfa6fae155c75d99f1

    SHA1

    8435932b805df10a26b4b8695bd2fd45e4e178e2

    SHA256

    1b9fe9aafe0ab40eeeb70257fdd0f3de9d763c21fa14e1d8f9fcea5a65476a02

    SHA512

    0f630a288cf76fb988d6b54ccebd44c550f77b77f1cf67f52d7e46340206009a4b084cac079a53037258931845e7c7e8ffe0a56b087a9f17d42d4daac39f3a71

  • C:\Windows\SERVER.EXE

    Filesize

    342KB

    MD5

    2d23e6ae050ea09c1031e59421ac606e

    SHA1

    61a88117a4f81ba70a5d4cfe605e2008b6ea224c

    SHA256

    e96793dca35c3418a08a63d7e7b4f65ba1b80dc2c9347f58ce8a53bc479d97d5

    SHA512

    6f50229adf442723a4c3836b5cbcd4f80c5b67897f0a973ea58e3d661c3cea1fd6ee01177401edfecdf25e5b71e91df71e5f8c3146260cc738b47ce16e25f2fb

  • C:\Windows\SERVER.EXE.bat

    Filesize

    83B

    MD5

    fa015dd17dd0ed6c4c19b44179c47aed

    SHA1

    b36624f479515e7190ba7fec0ccf7673ed1914d7

    SHA256

    b4d38f4a07fc0709a4cb4e8e3c3e48deec83e1b4f002b051469b421f1bef7d89

    SHA512

    d1096038e78bd3256eb4f4133d389d659c381a25173acb454dcffc113f1b1895436c72f502eaccd32e43d717aa46046ad65ad92d953f11e449f4a40ab765bb07

  • \Windows\SysWOW64\reginv.dll

    Filesize

    36KB

    MD5

    562e0d01d6571fa2251a1e9f54c6cc69

    SHA1

    83677ad3bc630aa6327253c7b3deffbd4a8ce905

    SHA256

    c5b1d800c86d550c0b68c57c0d9911c1dd21df9e5e37e9e7bc032b5e66fdebe6

    SHA512

    166e132432eca24061f7e7d0c58c0b286e971ae2bc50f7c890b7707dd5dede19fcd83a5f79b6fd3f93dd691e07ad9bc1bd05fe82ccaade1610282188571585ea

  • \Windows\SysWOW64\winkey.dll

    Filesize

    13KB

    MD5

    b4c72da9fd1a0dcb0698b7da97daa0cd

    SHA1

    b25a79e8ea4c723c58caab83aed6ea48de7ed759

    SHA256

    45d266269634ba2de70f179a26d7224111e677e66b38dff2802851b71ce4458f

    SHA512

    f5f184416c5381d275bc093c9275e9fdb35c58e2c401d188aef097950013de6e43269da5d4dd5e7baea34735bd7de664d15fe487b2292fd66926c9845b0cd066

  • memory/284-95-0x0000000000400000-0x00000000005FC000-memory.dmp

    Filesize

    2.0MB

  • memory/284-59-0x0000000003470000-0x000000000366C000-memory.dmp

    Filesize

    2.0MB

  • memory/284-47-0x0000000000400000-0x00000000005FC000-memory.dmp

    Filesize

    2.0MB

  • memory/764-73-0x0000000000400000-0x00000000005FC000-memory.dmp

    Filesize

    2.0MB

  • memory/764-77-0x0000000010000000-0x000000001000B000-memory.dmp

    Filesize

    44KB

  • memory/764-102-0x0000000010000000-0x000000001000B000-memory.dmp

    Filesize

    44KB

  • memory/764-100-0x0000000000400000-0x00000000005FC000-memory.dmp

    Filesize

    2.0MB

  • memory/2428-71-0x00000000033E0000-0x00000000035DC000-memory.dmp

    Filesize

    2.0MB

  • memory/2428-61-0x0000000000400000-0x00000000005FC000-memory.dmp

    Filesize

    2.0MB

  • memory/2428-93-0x0000000000400000-0x00000000005FC000-memory.dmp

    Filesize

    2.0MB

  • memory/2504-26-0x0000000000401000-0x000000000040F000-memory.dmp

    Filesize

    56KB

  • memory/2504-7-0x0000000000400000-0x00000000005D1000-memory.dmp

    Filesize

    1.8MB

  • memory/2504-1-0x0000000000401000-0x000000000040F000-memory.dmp

    Filesize

    56KB

  • memory/2504-25-0x0000000000400000-0x00000000005D1000-memory.dmp

    Filesize

    1.8MB

  • memory/2504-6-0x0000000000400000-0x00000000005D1000-memory.dmp

    Filesize

    1.8MB

  • memory/2504-8-0x00000000050B0000-0x00000000050B2000-memory.dmp

    Filesize

    8KB

  • memory/2504-22-0x00000000050E0000-0x00000000051F4000-memory.dmp

    Filesize

    1.1MB

  • memory/2504-23-0x00000000050E0000-0x00000000051F4000-memory.dmp

    Filesize

    1.1MB

  • memory/2504-0-0x0000000000400000-0x00000000005D1000-memory.dmp

    Filesize

    1.8MB

  • memory/2800-11-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

  • memory/2800-9-0x0000000000160000-0x0000000000162000-memory.dmp

    Filesize

    8KB

  • memory/2800-67-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

  • memory/2884-35-0x0000000000400000-0x0000000000514000-memory.dmp

    Filesize

    1.1MB

  • memory/2884-44-0x0000000000400000-0x0000000000514000-memory.dmp

    Filesize

    1.1MB

  • memory/2884-46-0x0000000004AD0000-0x0000000004CCC000-memory.dmp

    Filesize

    2.0MB

  • memory/2884-43-0x0000000000401000-0x000000000040F000-memory.dmp

    Filesize

    56KB

  • memory/2884-36-0x0000000000400000-0x0000000000514000-memory.dmp

    Filesize

    1.1MB

  • memory/2884-24-0x0000000000400000-0x0000000000514000-memory.dmp

    Filesize

    1.1MB

  • memory/2884-99-0x0000000004AD0000-0x0000000004CCC000-memory.dmp

    Filesize

    2.0MB

  • memory/2884-30-0x0000000000401000-0x000000000040F000-memory.dmp

    Filesize

    56KB

  • memory/2884-31-0x0000000000400000-0x0000000000514000-memory.dmp

    Filesize

    1.1MB