Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    30/09/2024, 08:33

General

  • Target

    0067a831f19e162fd8b2fdafadae56ad_JaffaCakes118.exe

  • Size

    98KB

  • MD5

    0067a831f19e162fd8b2fdafadae56ad

  • SHA1

    d2df95ef453237d32e51f83f67e43c6b8db56c8a

  • SHA256

    fc4d978dc7821f491b7e52b5d4e3fa5ba39a39f3437e8cf5fa4d273831689782

  • SHA512

    ceffb611d134b7b5ca60758a445a6f2c79d6c7232382cdfef15ea4484a7401ec25052539d825490fce94832e1fa9a93927d63ceb04316319d6d89102b1004723

  • SSDEEP

    1536:igYPhQXwIiPrrjThO+lUBrzCxry1ec7rUyj239au7538iJkZX/4p0N26:FYP2XerzhOUxu/XUtauF8iJkZP4ps

Score
4/10

Malware Config

Signatures

  • Drops file in Program Files directory 14 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 22 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 38 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0067a831f19e162fd8b2fdafadae56ad_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0067a831f19e162fd8b2fdafadae56ad_JaffaCakes118.exe"
    1⤵
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2368
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Program Files\WindWare\tb.vbs"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2200
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C .\tb.cmd
        3⤵
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2828
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}"
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          PID:2324
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}" /v "InfoTip" /t REG_SZ /d "╠╘▒ª╣║╬∩╠╪╝█╙┼╗▌╟°" /f
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          PID:2724
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}" /v "LocalizedString" /t REG_SZ /d "╠╘▒ª-╣║╬∩" /f
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          PID:2760
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\DefaultIcon"
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          PID:2764
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\DefaultIcon" /ve /t REG_EXPAND_SZ /d "C:\Program Files\Internet Explorer\iedw.ico" /f
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          PID:2852
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\InProcServer32"
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          PID:2868
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\InProcServer32" /ve /t REG_SZ /d "%systemRoot%\system32\shdocvw.dll" /f
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          PID:2872
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\InProcServer32" /v "ThreadingModel" /t REG_SZ /d "Apartment" /f
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          PID:2876
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell"
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          PID:2888
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell" /ve /t REG_SZ /d "╠╘▒ª-╣║╬∩(&H)" /f
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          PID:2768
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell\╠╘▒ª-╣║╬∩(&H)"
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          PID:2740
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell\╠╘▒ª-╣║╬∩(&H)" /v "MUIVerb" /t REG_SZ /d "@shdoclc.dll,-10241" /f
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          PID:3008
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell\╠╘▒ª-╣║╬∩(&H)\Command"
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          PID:2816
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell\╠╘▒ª-╣║╬∩(&H)\Command" /ve /t REG_SZ /d "C:\progra~1\Intern~1\iexplore.exe http://www.dao666.com/go/taobao.htm" /f
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          PID:2820
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder"
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          PID:2620
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder" /v "Attributes" /t REG_DWORD /d 0 /f
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          PID:2804
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder" /v "HideFolderVerbs" /t REG_SZ /d "" /f
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          PID:3004
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder" /v "HideOnDesktopPerUser" /t REG_SZ /d "" /f
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          PID:2900
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder" /v "WantsParsDisplayName" /t REG_SZ /d "" /f
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          PID:2776

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files\WindWare\Internet Exploror.lnk

    Filesize

    104B

    MD5

    b6090a24bad18a0205bb215cb1fd42e6

    SHA1

    da56e637a186333e1fa8401b9600e9efcadbe86b

    SHA256

    5cf73d8ba3a6656e804041884cefc0148c3ef80fd4b8633a6647a033082f15f8

    SHA512

    4ca8a5cd200eaf8d8a023c47e7a279e41279c045bf567b81f95e93ca25d5a51dec2786de98efa5b907ec5633c8400e497f6bcaf636d4591d7c42e21ec3039ad4

  • C:\Program Files\WindWare\iedw.ico

    Filesize

    14KB

    MD5

    468fada123f5548ac87e57bae81f6782

    SHA1

    edb8f012c25906e6afd8bf335b495e16c440243d

    SHA256

    091c882bb307d57f2c7c42309e7ba8740130fef8c3ed772b0bc5e5505e37034d

    SHA512

    635ec26c88c2394dd4f2a81b9aea8f429a91adfeb37ae34e51b03f3cf8e503c123c3685938f40cea07d6146e0c7113aadbe62fa528f1f6d8b995e617fd68a4aa

  • C:\Program Files\WindWare\tb.cmd

    Filesize

    2KB

    MD5

    4b8b392ac99df4d6f2239666eed11fa1

    SHA1

    27984247b633823df077b190e5ec5317a539698d

    SHA256

    6a0861f8cc7c16a931bb80ec8b270bd5e9081bdcd04f981a44238ee8e4a257a0

    SHA512

    f69762846470bd711b89c59429dd68812de9ff8828237f9c61283770f90c8f9bbe1c2c539f429cc0308832816ac3368b5925032103f3ae1e94b24247fc64ba3c

  • C:\Program Files\WindWare\tb.vbs

    Filesize

    126B

    MD5

    633a419fc58b7353d6eaef683fe1fca1

    SHA1

    5ece6a3d396e1888c5c051b12411537e3957aee1

    SHA256

    786068fda43174b1dc28073d1d0861aeb06debe26b2a6a9453680976f0433d2b

    SHA512

    f209583d2e0b9392a49c6f276be1f91cc4f719ae5284b72971e5ca2dd7bb1759fd59873ddba7ebf200944dd9855ee49c9528fe906efa8d9e0c9adad677457b50