Analysis

  • max time kernel
    148s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    29/09/2024, 10:27

General

  • Target

    fe54dcd188f3ca6134453bf87d1c9eb6_JaffaCakes118.exe

  • Size

    23KB

  • MD5

    fe54dcd188f3ca6134453bf87d1c9eb6

  • SHA1

    e153cedbb211eac0c58b9e0ed852640c2d1520d9

  • SHA256

    4f08092345548098e3c380b536c34ff9c769145348e63b8814d8abb709e6d543

  • SHA512

    9332b0798e92842b2fbd454b8bcbdbb1f8390046cf0942812a75a9532a0f0250d059524b284d944f9f71e3d119a209912eaff5505eaad6630ddb85d356983ed5

  • SSDEEP

    384:Svpk++eqMCd1szbebQIDGE1VL1sAygk6Xt1T4OMOWqkwuvswjTer2h:Ki+Rqjd1szbeboEXfd1T4ZOjkvsOeW

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Drops file in Program Files directory 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fe54dcd188f3ca6134453bf87d1c9eb6_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\fe54dcd188f3ca6134453bf87d1c9eb6_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2196
    • C:\Program Files\FileFly\Intenat.exe
      "C:\Program Files\FileFly\Intenat.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      PID:2152
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c Del.bat
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2820

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Del.bat

    Filesize

    304B

    MD5

    71118a8d7645ed5059cdfd1aff091d47

    SHA1

    2b74c85590542adc37e12dda5afc805609c67fd1

    SHA256

    882089591d164845cdabf354103f31982d27537e238e52a83917e4ccbb16afed

    SHA512

    b1cf86604e9e8324dbac76f6a93d7bd584aaec91528c2183bd2230b051cdf888e01779300093aeb7c0f22f501b9faaf983b990386d21bceed9d35c1ebc46d469

  • \Program Files\FileFly\Intenat.exe

    Filesize

    23KB

    MD5

    fe54dcd188f3ca6134453bf87d1c9eb6

    SHA1

    e153cedbb211eac0c58b9e0ed852640c2d1520d9

    SHA256

    4f08092345548098e3c380b536c34ff9c769145348e63b8814d8abb709e6d543

    SHA512

    9332b0798e92842b2fbd454b8bcbdbb1f8390046cf0942812a75a9532a0f0250d059524b284d944f9f71e3d119a209912eaff5505eaad6630ddb85d356983ed5

  • memory/2152-11-0x0000000000400000-0x000000000040D000-memory.dmp

    Filesize

    52KB

  • memory/2196-10-0x0000000000400000-0x000000000040D000-memory.dmp

    Filesize

    52KB

  • memory/2196-23-0x0000000000400000-0x000000000040D000-memory.dmp

    Filesize

    52KB