Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    150s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    09/10/2024, 01:53

General

  • Target

    28bf706967b2f4074f84eb5b78e9e1fe_JaffaCakes118.exe

  • Size

    216KB

  • MD5

    28bf706967b2f4074f84eb5b78e9e1fe

  • SHA1

    abba9e16edb6480ce73a8ad2d03fcc1d45c6c9e5

  • SHA256

    b94feaa2edb82dd3ac85052e32bdff889db6164624b779c2ff93fbecbfca35e7

  • SHA512

    75987a41dc7b5d25b74df21e9f6be84aff89b2684a7715756128e60c8e877db02b7f216181609c1cc675f902c011dc59cbe04a18addc1fe5aafd8d335c16d881

  • SSDEEP

    3072:3YSaMKxz6cBewR7sEVSdJplM2IlNGzBkl9s1Y:o1JBe2pV2M2CWs9l

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 52 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\28bf706967b2f4074f84eb5b78e9e1fe_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\28bf706967b2f4074f84eb5b78e9e1fe_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2180
    • C:\Users\Admin\xaoaxij.exe
      "C:\Users\Admin\xaoaxij.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2724

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\xaoaxij.exe

    Filesize

    216KB

    MD5

    97ac96f2bc161f8a542fc4204c1dce57

    SHA1

    3a9267a8558d0a56a5e20a44a6e6c549408f6431

    SHA256

    b8fe4420b8e88315b5a05b526ab598e8748575ee7138415bd3ab4b5f1e4b5e88

    SHA512

    7a120101110121fb27cba8840c8b5d797c39c47ece3235bdf2a12a7d01df2c92f1530085f113a68ab0dbae91c6102beed4d2693d2cce7397c5d89c6ec7191c2d