Analysis

  • max time kernel
    120s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    02/10/2024, 13:02

General

  • Target

    0acba0ac120021257125a88dbc2cdd50_JaffaCakes118.exe

  • Size

    1.7MB

  • MD5

    0acba0ac120021257125a88dbc2cdd50

  • SHA1

    99b7514d72734db709c489604f6d30ee5ffff463

  • SHA256

    d93bdd46966fc445cbd034548bdbb547ea4e499a7ac0eb0db04b76b13bf04fd9

  • SHA512

    4314c323d3d7743970bf8477d827ee6a8a3c51cd839b2fdf28eef4e34a73efd04687e2b0a82031e08165232113c2ce0828daa537ebbc1a8766d1c7305f97158c

  • SSDEEP

    49152:OZhpafFU8w7Yy2g8+vkJSk1mUlE4M8z4wNCW:Or8f68w7d2P+uSsmUltmwY

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Drops file in System32 directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0acba0ac120021257125a88dbc2cdd50_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0acba0ac120021257125a88dbc2cdd50_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2764
    • C:\Windows\SysWOW64\AMFOLL\STO.exe
      "C:\Windows\system32\AMFOLL\STO.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2824
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\AMFOLL\STO.exe > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:632

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\SysWOW64\AMFOLL\AKV.exe

    Filesize

    513KB

    MD5

    1c95c9f7854cb32731f65e0f234c6e31

    SHA1

    21418b452de2fc68fadcafa6db8e5dfcedbb0a8a

    SHA256

    8c0cf83d1f1409229e75b841aa9149779e9e6b341a5b7073bea304c0dc26fe27

    SHA512

    b7facbfd5b2e7a9d2a6ddc933ff8956b99f55a7c94957bdea6e2d80498c65569a7b74f9f75941869646557153ccd420864266c8bb856948ac7e00fc43c6eb802

  • C:\Windows\SysWOW64\AMFOLL\STO.002

    Filesize

    55KB

    MD5

    e4a425e8d87b40406ff973d1a7d43429

    SHA1

    933417e0c7896c482529c308d0315b78f5a7f1f8

    SHA256

    cd01a5dc2415ea267529ec99c6f296642f7262f84e80cac7033d16bc7781a39e

    SHA512

    368ea7e419e01515a492d7c20482a161f74644b0ea09ada9e2950134d64ccc4956a0d7d2dd393a7b1fd3df0f3df1ca8ef947ae58d9b4abbc8770f204fb33c6e5

  • C:\Windows\SysWOW64\AMFOLL\STO.004

    Filesize

    1KB

    MD5

    6f6ca93db8939bd4123427b457e528cf

    SHA1

    cea25e416d51bf59aa824f84d385bba6438205c4

    SHA256

    fae3d787c7b5e6c656848441430840a224295ce8c2d549697651500ad3caa311

    SHA512

    5322dbd09961a271be79bb3c5002d6cc713605682a55462d1df3e29f998f392ce607f2d1f7cd47df7554dacfb89e51705a63eb301426767c7c9bb8e4711f531c

  • \Windows\SysWOW64\AMFOLL\STO.001

    Filesize

    78KB

    MD5

    92711372be36753e32f8f405642f3c94

    SHA1

    87d93095e049f45777ec696d152a56e888569001

    SHA256

    8fe11d43d7a1a6b5aa730d10886cf7dbebd8855c8f1aecc848e7172e3997d8b9

    SHA512

    1100b47b236c635647d7fcd9023745b14bb512be816c8bd3c1d872549e01822a9bd3960ad774c628601dfdb36b1f99a194707560a55e32a9e68145baeb4b5676

  • \Windows\SysWOW64\AMFOLL\STO.exe

    Filesize

    1.7MB

    MD5

    b910f5d24e399a13f6aae20535ac05b4

    SHA1

    d062f168245e353da3ad3c2b68e830333f9f1373

    SHA256

    046c39b67b6c83fec1ac111357e4d61340f02a6c90a32bf34e05cfeefb2c74e7

    SHA512

    1677aae44c8ce1d447524543e252f59247c97b8d4d87a3818a7f70d7ec3c788fa97ac4bbe406c1b0a450383a515cb003e390de6baba2d167505850ed6d183274

  • memory/2764-0-0x00000000012E1000-0x00000000012E2000-memory.dmp

    Filesize

    4KB

  • memory/2764-3-0x00000000012E0000-0x0000000001491000-memory.dmp

    Filesize

    1.7MB

  • memory/2764-2-0x00000000012E0000-0x0000000001491000-memory.dmp

    Filesize

    1.7MB

  • memory/2764-1-0x00000000012E0000-0x0000000001491000-memory.dmp

    Filesize

    1.7MB

  • memory/2764-25-0x0000000000270000-0x0000000000288000-memory.dmp

    Filesize

    96KB

  • memory/2764-26-0x00000000012E0000-0x0000000001491000-memory.dmp

    Filesize

    1.7MB

  • memory/2824-21-0x0000000000400000-0x00000000005C6000-memory.dmp

    Filesize

    1.8MB

  • memory/2824-20-0x0000000000402000-0x0000000000403000-memory.dmp

    Filesize

    4KB

  • memory/2824-23-0x0000000000320000-0x0000000000338000-memory.dmp

    Filesize

    96KB

  • memory/2824-27-0x0000000000400000-0x00000000005C6000-memory.dmp

    Filesize

    1.8MB

  • memory/2824-28-0x0000000000400000-0x00000000005C6000-memory.dmp

    Filesize

    1.8MB