Analysis

  • max time kernel
    140s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
  • submitted
    04/10/2024, 10:14

General

  • Target

    12e9927d52006fdfb16919e0ccdfb670_JaffaCakes118.exe

  • Size

    1005KB

  • MD5

    12e9927d52006fdfb16919e0ccdfb670

  • SHA1

    128643ef042e58f53b0d493441afb5ef6fa61bc5

  • SHA256

    23914f9b9807d142ea60691ea70e16fd8237bb1e3544faaecd78e114537416fa

  • SHA512

    76dae07dd4b99f1bffb9bdbe79b07a2246f31271a288562adff5e6d9af4587c1234895ac651c55025d27de4e4d623adf266aaabaf0735791900a628c8d981ad1

  • SSDEEP

    24576:5aK/eDpS1eAR+XTQeZaSyYE5Qs+B9Kfyl/QlrnRdyNCMNqL1Xi:3/e9jCST5ZHyYE5hboir91Xi

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 14 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • NSIS installer 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\12e9927d52006fdfb16919e0ccdfb670_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\12e9927d52006fdfb16919e0ccdfb670_JaffaCakes118.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2332
    • C:\Windows\svchost.exe
      "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\12e9927d52006fdfb16919e0ccdfb670_JaffaCakes118.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2364
      • C:\Users\Admin\AppData\Local\Temp\12e9927d52006fdfb16919e0ccdfb670_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\12e9927d52006fdfb16919e0ccdfb670_JaffaCakes118.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        PID:1956
  • C:\Windows\svchost.exe
    C:\Windows\svchost.exe
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    PID:2444
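
The tree above shows a file named svchost.exe executing from C:\Windows (not C:\Windows\System32) and, in one instance, being started by the submitted sample rather than by the Service Control Manager. The following Python is an added example, not part of the tria.ge report or the sample, that encodes those two checks over the report's own process records (transcribed inline; the Proc record layout, the list of legitimate svchost.exe directories and the services.exe parent rule are this example's assumptions):

```python
"""Flag svchost.exe masquerading in a sandbox process tree.

Added example based on the tria.ge report above; not the sandbox's own
logic. The process records are transcribed from the report's Processes
section; the Proc layout and the two rules are assumptions of this example.
"""
import ntpath
from dataclasses import dataclass
from typing import Dict, List, Optional

# Directories from which Microsoft's own svchost.exe runs (lower-cased for comparison).
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str                 # full path of the executable image
    cmdline: str
    parent_pid: Optional[int]  # None where the report shows the process as a tree root


# Transcribed from the report; the depth markers 1/2/3 give the parent relationships.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\12e9927d52006fdfb16919e0ccdfb670_JaffaCakes118.exe"
REPORT_PROCS: List[Proc] = [
    Proc(2332, SAMPLE, f'"{SAMPLE}"', None),
    Proc(2364, r"C:\Windows\svchost.exe", f'"C:\\Windows\\svchost.exe" "{SAMPLE}"', 2332),
    Proc(1956, SAMPLE, f'"{SAMPLE}"', 2364),
    Proc(2444, r"C:\Windows\svchost.exe", r"C:\Windows\svchost.exe", None),
]


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def _dir(path: str) -> str:
    return ntpath.dirname(path).lower()


def find_masquerades(procs: List[Proc]) -> Dict[int, List[str]]:
    """Return {pid: [reasons]} for every process named svchost.exe that either
    runs from a non-system directory or, where its parent is visible in the
    tree, was not started by services.exe (the Service Control Manager, which
    is what normally launches svchost.exe on a real host)."""
    by_pid = {p.pid: p for p in procs}
    hits: Dict[int, List[str]] = {}
    for p in procs:
        if _base(p.image) != "svchost.exe":
            continue
        reasons: List[str] = []
        if _dir(p.image) not in LEGIT_SVCHOST_DIRS:
            reasons.append(f"svchost.exe image lives in {ntpath.dirname(p.image)}")
        parent = by_pid.get(p.parent_pid) if p.parent_pid is not None else None
        if parent is not None and _base(parent.image) != "services.exe":
            reasons.append(
                f"parent is {ntpath.basename(parent.image)} (pid {parent.pid}), not services.exe"
            )
        if reasons:
            hits[p.pid] = reasons
    return hits


if __name__ == "__main__":
    for pid, reasons in find_masquerades(REPORT_PROCS).items():
        print(f"pid {pid}:")
        for reason in reasons:
            print(f"  - {reason}")
```

Both rules map directly onto the Image and ParentImage fields of a Sysmon process-creation event (Event ID 1), so the same logic can run over endpoint telemetry rather than a sandbox tree; PID 2444 has no parent in the report, so only the path rule fires for it.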

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\nsyC0B1.tmp\btwarning.ini

    Filesize

    190B

    MD5

    196a035a4b877d0fa9c3fa082919f65d

    SHA1

    09ae3fb430a11970424c643a4e1dd85e3bac6d95

    SHA256

    19908ebd28db7e4c75d37b98112970f8ac468403b62bdaad4d519f03f352438f

    SHA512

    1483c0a6ae96a2707480bedcf5f0c656e2b1627f21127750957df12aefd284abe3d94e5dce8e64a4ec7513a161fc75d8997f9e938d20703d4f8b92e355825cd6

  • C:\Users\Admin\AppData\Local\Temp\nsyC0B1.tmp\ioSpecial.ini

    Filesize

    688B

    MD5

    a37c37be21f83f2831a05fa029b469d2

    SHA1

    873ebb0e4fd1b00ae11e8eebdb31469e56811726

    SHA256

    01e04d0e0571c0387d73129f1e44e09608d3375d31012fc744183e66701ab70b

    SHA512

    89fc5899a8b845cb58eebd95e7e8ecd9b28732183406926205d318719c0d1f9d4d8a3a03ed7fd56cca07ec73cc335b6980099ed1cd469bfae1a3ae3aab667c72

  • C:\Windows\svchost.exe

    Filesize

    35KB

    MD5

    9e3c13b6556d5636b745d3e466d47467

    SHA1

    2ac1c19e268c49bc508f83fe3d20f495deb3e538

    SHA256

    20af03add533a6870d524a7c4753b42bfceb56cddd46016c051e23581ba743f8

    SHA512

    5a07ba8a7fcb15f64b129fada2621252b8bc37eb34d4f614c075c064f8ac0d367301eba0c32c5e28b8aa633f6ab604f0dfcc363b34734ce0207ef0d4e8817c4b

  • \Users\Admin\AppData\Local\Temp\12e9927d52006fdfb16919e0ccdfb670_JaffaCakes118.exe

    Filesize

    969KB

    MD5

    4aa7b3644724f2da70054eb3c4f92c78

    SHA1

    e18fbb8ca40ed86c3793474cc35f427e669cddea

    SHA256

    0ba8d7841aa524ef55b0c9ce4557b7286e0bb5eb2195ef1bd03c7dab8da9f10c

    SHA512

    7b703024d6328b20ea4bd27885a6cdcfdaef14a4d48df998e9eed80c3b04e0171d2c87cc36a8277e3d599c6529df8c4635c59a5503113a6bbc6344e010a08e05

  • \Users\Admin\AppData\Local\Temp\nsyC0B1.tmp\CustomLicense.dll

    Filesize

    2KB

    MD5

    6c20819f7b1b3c25b4cc2aab38bdc6c3

    SHA1

    005c475c579cee2c60d77642d6d9586e0884964e

    SHA256

    156719e9b9f965f0e205aeb9e4f07254ea0576fd422f7e90e8f1d90e5fc51050

    SHA512

    635b602c451a8f29e6618670ebc08753d0008025fc3f0ca7619eaa578a76acaad1a88f86df9be64a3dd50db849e6513e465b1a3eda006da16b9ec03c566de2ea

  • \Users\Admin\AppData\Local\Temp\nsyC0B1.tmp\InstallOptions.dll

    Filesize

    14KB

    MD5

    296a5f3179fa8d7a7a855eaf696ede44

    SHA1

    57aa5b71553ed282dd22c768e039a187f5c13f63

    SHA256

    ee0ad77e681c4d0fdf1d67df5f4ca03e6bdd8e3b05dfb47a83ad5c733ed62960

    SHA512

    bc527d1485f468e8d098057e0e38e8cb7aa6eb64d4ca30927b99b1552a3177b132b989015ff95bdf2ca046bf11a54b4b456f51e024fbc734fbb548c3499e53f6

  • \Users\Admin\AppData\Local\Temp\nsyC0B1.tmp\NSISdl.dll

    Filesize

    14KB

    MD5

    1413350c401e65ee4666fa36c9d8997c

    SHA1

    acab76b047c0512125de49fead6b84e92da0b0f6

    SHA256

    aff65714ba229568469a9addf9b2b58e4bb169ee94ac423523e12afa9ec28365

    SHA512

    9b46512941e2ad8ef47f0024a0f0e069743c714dd5c525bbbfc9dd871696a121b53236757225257495ba8a1a71f68ea79a324a84503a6f0a3d3c40990aa1f160

  • \Users\Admin\AppData\Local\Temp\nsyC0B1.tmp\Processes.dll

    Filesize

    35KB

    MD5

    2cfba79d485cf441c646dd40d82490fc

    SHA1

    83e51ac1115a50986ed456bd18729653018b9619

    SHA256

    86b302fa9c85dfa0c1c03ba000864a928365dab571f3355347dba02da22949b7

    SHA512

    cca186a7f9c5cff3f4eca410fbe8cc13dad2514a7e36aec9b1addfbcb239ace9b9b2d8427771858e3fd11783abce7e24d43c286f98da9f8b17562ca095a4c043

  • \Users\Admin\AppData\Local\Temp\nsyC0B1.tmp\StartMenu.dll

    Filesize

    7KB

    MD5

    4973362a84e11dd8541387ab1694afcc

    SHA1

    b78a0fe67c07713c7abd9668b881c4bc808d9a7a

    SHA256

    7757518466b21ce175607f10599f26fff127d59a16dc10bf4ba4b7d83d13d47d

    SHA512

    65c305eced5cd81fe3a573827d62a33e400f03d5bfcb3b3a503927bc0decaedef5d74e6d1ba25a0601fe812f8d2424887d58211c3f3cea1442643f5d1c23c2fb

  • \Users\Admin\AppData\Local\Temp\nsyC0B1.tmp\System.dll

    Filesize

    10KB

    MD5

    86b5a07a43b7cbc5c49263b8d974b736

    SHA1

    78388286a311810d812c13d87dea12d581713e60

    SHA256

    5897fb00be38e502fb5dfd047d97e5e4da6387a7a6259633dc31c2427612901b

    SHA512

    dcbe379c28302bb3472339cd24949b16548fa0003882a920df6839078cc7b2563f058a0524bf25df0a5ec8b08e302ebc9e646033109958669d8af883af959ffe

  • \Users\Admin\AppData\Local\Temp\nsyC0B1.tmp\UAC.dll

    Filesize

    16KB

    MD5

    acfb66ee6fc1f4266229ec6098fe1740

    SHA1

    e1aeb31b11996015d7f17308e2f2bbe69d4e1476

    SHA256

    6d7e8070fa09cc4bb66fb99c2b88d0f5419602fa64a519437f430d9378300b1e

    SHA512

    bf0b5b22c57c08c88b4cbdd75bdf0c8eac433d42b4d163349391b71bc44d913e4d0e28e0826a7c27b418e6d2aa37c08c90577b56baa946a8f129486fbe01c303

  • memory/2332-5-0x0000000000400000-0x000000000040F000-memory.dmp

    Filesize

    60KB

  • memory/2364-21-0x0000000000400000-0x000000000040D000-memory.dmp

    Filesize

    52KB

  • memory/2444-175-0x0000000000400000-0x000000000040D000-memory.dmp

    Filesize

    52KB
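
The table above is the report's per-file IOC list. As an added example (not tria.ge tooling), the Python below turns those SHA256 values into a watchlist, matches arbitrary bytes or files against it, and separates the artifacts that sit in the NSIS installer's temporary plugin directory (the nsyC0B1.tmp folder, where an NSIS installer stages plugin DLLs such as System.dll and NSISdl.dll) from the files dropped elsewhere. The hashes are transcribed from the report; the function names and the ns*.tmp directory heuristic are this example's assumptions.

```python
"""Hash watchlist built from the report's Downloads table.

Added example, not tooling from tria.ge. The SHA256 values are transcribed
from the report; the function names and the NSIS-directory heuristic are
this example's own assumptions.
"""
import hashlib
import ntpath
import re
from typing import Dict, Optional, Tuple

# (path as reported, SHA256) for every file in the Downloads table, plus the submitted sample.
REPORT_IOCS: Tuple[Tuple[str, str], ...] = (
    (r"C:\Users\Admin\AppData\Local\Temp\12e9927d52006fdfb16919e0ccdfb670_JaffaCakes118.exe",
     "23914f9b9807d142ea60691ea70e16fd8237bb1e3544faaecd78e114537416fa"),  # submitted sample
    (r"C:\Users\Admin\AppData\Local\Temp\nsyC0B1.tmp\btwarning.ini",
     "19908ebd28db7e4c75d37b98112970f8ac468403b62bdaad4d519f03f352438f"),
    (r"C:\Users\Admin\AppData\Local\Temp\nsyC0B1.tmp\ioSpecial.ini",
     "01e04d0e0571c0387d73129f1e44e09608d3375d31012fc744183e66701ab70b"),
    (r"C:\Windows\svchost.exe",
     "20af03add533a6870d524a7c4753b42bfceb56cddd46016c051e23581ba743f8"),
    (r"C:\Users\Admin\AppData\Local\Temp\12e9927d52006fdfb16919e0ccdfb670_JaffaCakes118.exe",
     "0ba8d7841aa524ef55b0c9ce4557b7286e0bb5eb2195ef1bd03c7dab8da9f10c"),  # rewritten copy, 969KB
    (r"C:\Users\Admin\AppData\Local\Temp\nsyC0B1.tmp\CustomLicense.dll",
     "156719e9b9f965f0e205aeb9e4f07254ea0576fd422f7e90e8f1d90e5fc51050"),
    (r"C:\Users\Admin\AppData\Local\Temp\nsyC0B1.tmp\InstallOptions.dll",
     "ee0ad77e681c4d0fdf1d67df5f4ca03e6bdd8e3b05dfb47a83ad5c733ed62960"),
    (r"C:\Users\Admin\AppData\Local\Temp\nsyC0B1.tmp\NSISdl.dll",
     "aff65714ba229568469a9addf9b2b58e4bb169ee94ac423523e12afa9ec28365"),
    (r"C:\Users\Admin\AppData\Local\Temp\nsyC0B1.tmp\Processes.dll",
     "86b302fa9c85dfa0c1c03ba000864a928365dab571f3355347dba02da22949b7"),
    (r"C:\Users\Admin\AppData\Local\Temp\nsyC0B1.tmp\StartMenu.dll",
     "7757518466b21ce175607f10599f26fff127d59a16dc10bf4ba4b7d83d13d47d"),
    (r"C:\Users\Admin\AppData\Local\Temp\nsyC0B1.tmp\System.dll",
     "5897fb00be38e502fb5dfd047d97e5e4da6387a7a6259633dc31c2427612901b"),
    (r"C:\Users\Admin\AppData\Local\Temp\nsyC0B1.tmp\UAC.dll",
     "6d7e8070fa09cc4bb66fb99c2b88d0f5419602fa64a519437f430d9378300b1e"),
)

# NSIS unpacks its plugin DLLs into a per-run "ns<random>.tmp" folder under %TEMP%.
_NSIS_TMP_DIR = re.compile(r"^ns\w+\.tmp$", re.IGNORECASE)


def build_watchlist() -> Dict[str, str]:
    """Key the IOC table by SHA256, rejecting anything that is not 64 hex digits
    (a cheap guard against transcription errors in a hand-copied watchlist)."""
    watch: Dict[str, str] = {}
    for path, sha256 in REPORT_IOCS:
        if not re.fullmatch(r"[0-9a-f]{64}", sha256):
            raise ValueError(f"bad SHA256 for {path}: {sha256!r}")
        watch[sha256] = path
    return watch


WATCHLIST = build_watchlist()


def digests(data: bytes) -> Dict[str, str]:
    """All four digests the report lists, so a local file can be compared field by field."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256", "sha512")}


def match_bytes(data: bytes) -> Optional[str]:
    """Reported path if the bytes are one of the report's artifacts, else None."""
    return WATCHLIST.get(hashlib.sha256(data).hexdigest())


def match_file(path: str) -> Optional[str]:
    """Stream a file through SHA256 and look it up in the watchlist."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return WATCHLIST.get(h.hexdigest())


def in_nsis_plugin_dir(path: str) -> bool:
    """True when the artifact sits directly in an ns*.tmp NSIS plugin directory."""
    return bool(_NSIS_TMP_DIR.match(ntpath.basename(ntpath.dirname(path))))


def classify_report() -> Dict[str, int]:
    """Count reported artifacts inside versus outside the NSIS plugin directory."""
    counts = {"nsis_plugin_dir": 0, "elsewhere": 0}
    for path, _ in REPORT_IOCS:
        counts["nsis_plugin_dir" if in_nsis_plugin_dir(path) else "elsewhere"] += 1
    return counts


if __name__ == "__main__":
    print(classify_report())
    for sha256, path in WATCHLIST.items():
        print(f"{sha256}  {path}")
```

Keying on SHA256 keeps the two entries that share the Temp path but differ in content (the 1005KB submission and the 969KB file later found at the same path) as separate indicators; the three artifacts outside the ns*.tmp folder are the ones worth hunting for on other hosts, since the plugin DLLs in that folder are standard NSIS components that any installer built with them would drop.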