Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    05/10/2024, 02:17

General

  • Target

    15c59fd06dd14e231b0b0b71e22ab030_JaffaCakes118.exe

  • Size

    505KB

  • MD5

    15c59fd06dd14e231b0b0b71e22ab030

  • SHA1

    017eedab69d5c63126c14af586bb20f1cc6aa62e

  • SHA256

    4846a9411ecb32ff511fbcabddc9114bd05f00566d4831db057da95afd16ee53

  • SHA512

    2fce1a4634a95dcc665b87738475e70ed8afb8c2b236b269ec009c0a448fda99c78fcbcbd5335e1ed12f5bff2d44a99b66af92d8d8d067fd989470190cdcb1c1

  • SSDEEP

    12288:Iu3URWtsYf8PemjE8h0UxH9ND6fvhMrf1seW2/agR:IkQe8PemjTh0Ul/8vh+qUR

Malware Config

Signatures

  • Event Triggered Execution: AppInit DLLs 1 TTPs

    Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.

  • Executes dropped EXE 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\15c59fd06dd14e231b0b0b71e22ab030_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\15c59fd06dd14e231b0b0b71e22ab030_JaffaCakes118.exe"
    1⤵
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of UnmapMainImage
    PID:2932
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {90A6B9A6-756F-4268-94F8-B136DE696B60} S-1-5-18:NT AUTHORITY\System:Service:
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2308
    • C:\PROGRA~3\Mozilla\uhtmzji.exe
      C:\PROGRA~3\Mozilla\uhtmzji.exe -fbfzjgk
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of UnmapMainImage
      PID:2708

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\PROGRA~3\Mozilla\uhtmzji.exe

    Filesize

    505KB

    MD5

    c71c387163d80081360af61d0491fe27

    SHA1

    b328071f5f4765af43bcc77580328ef1de9fe94d

    SHA256

    9b68a1e5c20c21e53952aa98fd12e0be8b9235846a46dc7ffc24bb17bbce8302

    SHA512

    5d544d722c00cd096bdd4f2ce89a846c24713b59b167e40c033b12afb53594aaa01e0abe20551b2b2a52d712dabb4d0a45b75edda8d3d96bfe369f1c1bc17f7e

  • memory/2708-6-0x0000000000400000-0x000000000045B000-memory.dmp

    Filesize

    364KB

  • memory/2708-7-0x0000000000400000-0x000000000045B000-memory.dmp

    Filesize

    364KB

  • memory/2708-9-0x0000000000400000-0x000000000045B000-memory.dmp

    Filesize

    364KB

  • memory/2932-1-0x0000000000400000-0x000000000045B000-memory.dmp

    Filesize

    364KB

  • memory/2932-0-0x0000000000250000-0x00000000002AB000-memory.dmp

    Filesize

    364KB

  • memory/2932-3-0x0000000000400000-0x000000000045B000-memory.dmp

    Filesize

    364KB