Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    149s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    02/10/2024, 05:19

General

  • Target

    09124d57a418b3c3fffbb6a215f002d3_JaffaCakes118.exe

  • Size

    20KB

  • MD5

    09124d57a418b3c3fffbb6a215f002d3

  • SHA1

    f2e52c955cdee51ab43cb956c6ad7bfd6613c29d

  • SHA256

    ab2ace673c6a0adc090d38f821fa6e742b489e95cc5157e1544a6ffcea74c1e0

  • SHA512

    5d3c9ecf77b34aeb5acef4ee68f76565f5c693b521c7cdb2d5dd4f05ecc58bbfab597cb3e7f605d17f7819c066cd4ecf813e17ae0afe567ef23bea4a2d71caa8

  • SSDEEP

    192:8R7AXojFG5rCbaNaiLGpKLb2QUFicDswJ+6UCc5v9/1F2sWJ5M8o93C8CcVETGWR:t4jFG6DjpKHGMcDs8Uxnfkq8o9XuiK7

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\09124d57a418b3c3fffbb6a215f002d3_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\09124d57a418b3c3fffbb6a215f002d3_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1960
    • C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      2⤵
      • Deletes itself
      • Loads dropped DLL
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2168
      • C:\Users\Admin\AppData\Local\Temp\csrcs.exe
        "C:\Users\Admin\AppData\Local\Temp\csrcs.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2996
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2848

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Local\Temp\csrcs.exe

    Filesize

    20KB

    MD5

    09124d57a418b3c3fffbb6a215f002d3

    SHA1

    f2e52c955cdee51ab43cb956c6ad7bfd6613c29d

    SHA256

    ab2ace673c6a0adc090d38f821fa6e742b489e95cc5157e1544a6ffcea74c1e0

    SHA512

    5d3c9ecf77b34aeb5acef4ee68f76565f5c693b521c7cdb2d5dd4f05ecc58bbfab597cb3e7f605d17f7819c066cd4ecf813e17ae0afe567ef23bea4a2d71caa8

  • memory/2168-1-0x0000000000400000-0x0000000000404000-memory.dmp

    Filesize

    16KB

  • memory/2168-0-0x0000000000400000-0x0000000000404000-memory.dmp

    Filesize

    16KB

  • memory/2168-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB