Analysis

  • max time kernel
    70s
  • max time network
    76s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    29/09/2024, 14:38

General

  • Target

    febce9dd232edef84421fddcced6333c_JaffaCakes118.exe

  • Size

    348KB

  • MD5

    febce9dd232edef84421fddcced6333c

  • SHA1

    e0d243d149472ad327a632437646a23dc255b9ad

  • SHA256

    66e30e36ce6fdcc08145b3397f6d16b68d7982467dff0358df205f225429bc24

  • SHA512

    fe7a861940003fd0c122b07aa9bf1dedad449f4997e4c7b756c480753a791026e5600de1472b1afd94c9c863048a81f9592f76ed651537c6a73e961d19bd76f8

  • SSDEEP

    6144:k7DDeAlkoCGv2Uso35Uo2lQQ0GLSja8h8rUY0FFNyLlgQ/jI61UCz3yJhVN7wzrb:EDDGRslHGDzSjaCrNypjJOAKh0zrb

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 22 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\febce9dd232edef84421fddcced6333c_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\febce9dd232edef84421fddcced6333c_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:664
    • \??\c:\users\admin\appdata\roaming\microsoft\internet explorer\report.exe
      "c:\users\admin\appdata\roaming\microsoft\internet explorer\report.exe"
      2⤵
      • Drops file in Drivers directory
      • Looks for VMWare Tools registry key
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2416
      • C:\Windows\SysWOW64\netsh.exe
        netsh advfirewall firewall add rule name="report" dir=in action=allow program="c:\users\admin\appdata\roaming\microsoft\internet explorer\report.exe"
        3⤵
        • Modifies Windows Firewall
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:2972
      • C:\Windows\SysWOW64\wbem\WMIC.exe
        "C:\Windows\System32\wbem\WMIC.exe" path win32_terminalservicesetting where (__Class!="") call setallowtsconnections 1
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2064

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\worklog0

    Filesize

    4KB

    MD5

    b32bb2e62ec0b79ef3e3ad3e40b6384d

    SHA1

    6e2e0d857aec049b7156fdfdd0a9c4e40bda3b3d

    SHA256

    adca24b27416bf3ffa0333e182fe5c1e825ea23304683efbc5e6099cbe7e7396

    SHA512

    0b37ac8d9ceb89bcd7ae5a98aaa49c907c341e777389463142bee05acf4bc3e5a558f482c93a1dbfc2ce57e8fe3472b880fef75a5ec2eb74b65f4e851177d6d0

  • \Users\Admin\AppData\Local\Temp\report.dll

    Filesize

    228KB

    MD5

    e433e1a3fd09fd0d3925b0579b3a4583

    SHA1

    12e539623e9ec089c4167b8aaa8216db53795187

    SHA256

    dedd653b6d4131a7549378e69d792de1963bd608aa62847bb1959a41c6d9caeb

    SHA512

    0bc2f06baeec1f4993f1a2500ab87693a6e01342793b5ee87907cd8234104454557d097b5f6f3b1ec11849e8f81897eb3c8eed580acae87d248b02bde720f557

  • \Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\report.exe

    Filesize

    348KB

    MD5

    febce9dd232edef84421fddcced6333c

    SHA1

    e0d243d149472ad327a632437646a23dc255b9ad

    SHA256

    66e30e36ce6fdcc08145b3397f6d16b68d7982467dff0358df205f225429bc24

    SHA512

    fe7a861940003fd0c122b07aa9bf1dedad449f4997e4c7b756c480753a791026e5600de1472b1afd94c9c863048a81f9592f76ed651537c6a73e961d19bd76f8

  • memory/664-1-0x0000000000400000-0x0000000000496000-memory.dmp

    Filesize

    600KB

  • memory/664-10-0x0000000000400000-0x0000000000496000-memory.dmp

    Filesize

    600KB

  • memory/664-0-0x00000000001B0000-0x00000000001B2000-memory.dmp

    Filesize

    8KB

  • memory/2416-32-0x0000000001D20000-0x0000000001D3D000-memory.dmp

    Filesize

    116KB

  • memory/2416-47-0x00000000034C0000-0x00000000034CA000-memory.dmp

    Filesize

    40KB

  • memory/2416-22-0x00000000003B0000-0x00000000003EA000-memory.dmp

    Filesize

    232KB

  • memory/2416-24-0x00000000003B0000-0x00000000003EA000-memory.dmp

    Filesize

    232KB

  • memory/2416-13-0x0000000000400000-0x0000000000496000-memory.dmp

    Filesize

    600KB

  • memory/2416-41-0x0000000001D20000-0x0000000001D3D000-memory.dmp

    Filesize

    116KB

  • memory/2416-50-0x00000000034C0000-0x00000000034CA000-memory.dmp

    Filesize

    40KB

  • memory/2416-17-0x00000000003B0000-0x00000000003EA000-memory.dmp

    Filesize

    232KB

  • memory/2416-53-0x00000000034D0000-0x00000000034DA000-memory.dmp

    Filesize

    40KB

  • memory/2416-58-0x00000000034D0000-0x00000000034DA000-memory.dmp

    Filesize

    40KB

  • memory/2416-59-0x00000000034D0000-0x00000000034DA000-memory.dmp

    Filesize

    40KB

  • memory/2416-63-0x0000000003B30000-0x0000000003B45000-memory.dmp

    Filesize

    84KB

  • memory/2416-73-0x00000000039F0000-0x00000000039F9000-memory.dmp

    Filesize

    36KB

  • memory/2416-81-0x0000000000400000-0x0000000000496000-memory.dmp

    Filesize

    600KB

  • memory/2416-12-0x0000000000400000-0x0000000000496000-memory.dmp

    Filesize

    600KB