Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    149s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    03/10/2024, 21:45

General

  • Target

    109da14f7ea14aca656fc404bd7e0d5c_JaffaCakes118.exe

  • Size

    119KB

  • MD5

    109da14f7ea14aca656fc404bd7e0d5c

  • SHA1

    05135c035e406fd59d21eee22f0781eddb34dac4

  • SHA256

    f31e9010f4c0ef6f58ab6a89931d03628d9fe1c896c7446b3db7a51fe085cfa1

  • SHA512

    f77aa7a8e62a694ea063cd0a6c1b30670397d80e2e98c81df4cd165537301db7670efe1cc2f17db75304a37c8ba616680e967fcde90e0d075307746ba908967a

  • SSDEEP

    3072:6zdYe6SkN2NsZQXw6QiLs3m1EplhRgKJFL:CySkNCsZvZm6plDL

Score
9/10

Malware Config

Signatures

  • Detected Nirsoft tools 2 IoCs

    Free utilities often used by attackers which can steal passwords, product keys, etc.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 15 IoCs
  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\109da14f7ea14aca656fc404bd7e0d5c_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\109da14f7ea14aca656fc404bd7e0d5c_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2512
    • C:\Users\Admin\AppData\Local\Temp\im.exe
      "C:\Users\Admin\AppData\Local\Temp\im.exe" /stext im.txt
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2328
    • C:\Users\Admin\AppData\Local\Temp\pwha.exe
      "C:\Users\Admin\AppData\Local\Temp\pwha.exe" /stext pww.txt
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2100
    • C:\Users\Admin\AppData\Local\Temp\astr.exe
      "C:\Users\Admin\AppData\Local\Temp\astr.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2924

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\pwha.exe

    Filesize

    31KB

    MD5

    483e560f1527bd2c3e1124ce0756bc17

    SHA1

    55d285d22c88a63236fa9d461536a34809edd20d

    SHA256

    6633c5afc2d0f67d28d23d255cb5640389617b7a0e9f67a0ec1d1d8c7a074511

    SHA512

    3642a2dda07d6c09d22646d0334089d85792b9eb7199541ae449c08f587bf2fc35dea83d1207efda8108c2603f01c2d7ae0708593352bbb17d0f9a9a62d86cd4

  • \Users\Admin\AppData\Local\Temp\astr.exe

    Filesize

    28KB

    MD5

    3ec2034c581d204b309c9e3bb0df6385

    SHA1

    7e58247ec023ec4f55010bc79c9268fed2d4191e

    SHA256

    711a85e1348ec2f2a50271501113573f250c131c5f4fe8d32ec2d166f6ef8fd7

    SHA512

    bc00d298fbed0f13c9e9b5c2ae9571513e73ac316ce360274b59038968e9a2a04271adf72c887457f202df51af644d43ffd901bcb45aedebf2a0d943c5efc872

  • \Users\Admin\AppData\Local\Temp\im.exe

    Filesize

    41KB

    MD5

    623a6a486569c3a808005d5ec9a325c0

    SHA1

    9c99561c36a46db84df61484ded3e44c0c832fb6

    SHA256

    6de0689a21855d5f761bb72688180bd47ee6d01be9f21fb65c337419ee1c94e9

    SHA512

    c592f3f14cc1b332af16e73311febda56380d8f22f0f246ce16e6b13e89710c5f28cabdcd2fe39b65d6f9117173a7bec01520352dd364dfabb6d5caeb785fe02

  • memory/2100-46-0x0000000000400000-0x0000000000415000-memory.dmp

    Filesize

    84KB

  • memory/2100-67-0x0000000000400000-0x0000000000415000-memory.dmp

    Filesize

    84KB

  • memory/2328-24-0x0000000000400000-0x0000000000419000-memory.dmp

    Filesize

    100KB

  • memory/2328-28-0x0000000000400000-0x0000000000419000-memory.dmp

    Filesize

    100KB

  • memory/2512-12-0x0000000002900000-0x0000000002919000-memory.dmp

    Filesize

    100KB

  • memory/2512-21-0x0000000002900000-0x0000000002919000-memory.dmp

    Filesize

    100KB

  • memory/2512-43-0x0000000001F80000-0x0000000001F95000-memory.dmp

    Filesize

    84KB

  • memory/2512-42-0x0000000001F70000-0x0000000001F85000-memory.dmp

    Filesize

    84KB

  • memory/2512-29-0x0000000001F70000-0x0000000001F85000-memory.dmp

    Filesize

    84KB