Analysis

  • max time kernel
    141s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    12/10/2024, 03:02 UTC

General

  • Target

    3824959f2dc29e6a05b1b02c264050c3_JaffaCakes118.exe

  • Size

    1.5MB

  • MD5

    3824959f2dc29e6a05b1b02c264050c3

  • SHA1

    3be1a62c78811dac2bc26fac4dbcb2f5f0549e7f

  • SHA256

    e5118ab605d40f09c2a883cb8abdaaeb70c594cd374aad433272595a9b66feae

  • SHA512

    704286ffff089a7aa1f006b571fc5f099189cd81fe01c50e4b3650f5282c38b387fe436a11dc379e146078f6cb840b41609e4b7ff4d8335020ee15a92679dbbb

  • SSDEEP

    49152:yiAzrL69yAIcIXcbEeGROT4G+6Yi1r13O+mOs:yiAzrL69yAIcIXcbENROT4Gzj1rx+

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3824959f2dc29e6a05b1b02c264050c3_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\3824959f2dc29e6a05b1b02c264050c3_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1096
    • C:\Users\Admin\AppData\Local\Temp\is-VQTFB.tmp\is-6935T.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-VQTFB.tmp\is-6935T.tmp" /SL4 $500F4 "C:\Users\Admin\AppData\Local\Temp\3824959f2dc29e6a05b1b02c264050c3_JaffaCakes118.exe" 1368317 52224
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: GetForegroundWindowSpam
      PID:2944

Network

MITRE ATT&CK Enterprise v15

Downloads

  • \Users\Admin\AppData\Local\Temp\is-UBLV0.tmp\_isetup\_shfoldr.dll

    Filesize

    22KB

    MD5

    92dc6ef532fbb4a5c3201469a5b5eb63

    SHA1

    3e89ff837147c16b4e41c30d6c796374e0b8e62c

    SHA256

    9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

    SHA512

    9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

  • \Users\Admin\AppData\Local\Temp\is-VQTFB.tmp\is-6935T.tmp

    Filesize

    634KB

    MD5

    d291acbf9866b8846fe0629e690feb1a

    SHA1

    293314b11340d798d3c74e2416e2a43f267a25d6

    SHA256

    ab3e1fa210171e5ed2decc615c9328379ee3d29b55ee0e5d7ef6bece43f583eb

    SHA512

    320e68a67fdcf13dc25640cf68468abd9e0dc51b647f95277eebbd06c7c5ee298b1f68d4a01deb886979e42cbc3eddf16ac4db18884a96b1535598ba11ba36ed

  • memory/1096-2-0x0000000000401000-0x000000000040A000-memory.dmp

    Filesize

    36KB

  • memory/1096-0-0x0000000000400000-0x0000000000413000-memory.dmp

    Filesize

    76KB

  • memory/1096-15-0x0000000000400000-0x0000000000413000-memory.dmp

    Filesize

    76KB

  • memory/2944-16-0x0000000000400000-0x00000000004CD000-memory.dmp

    Filesize

    820KB
