Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    14/10/2024, 17:02

General

  • Target

    433dec19a3092cad1d9ab9f22fede0aa_JaffaCakes118.exe

  • Size

    64KB

  • MD5

    433dec19a3092cad1d9ab9f22fede0aa

  • SHA1

    22987372b4e3e0dd82490430e74c23669c719731

  • SHA256

    930637d070ef2c085dee39591e9ef6f61b0bf92c0c8d851dfa5ea33e03462cba

  • SHA512

    b4191510de2c44923ab5881d78da9a595732ca3d7e7b25b561d035b24569dbe8629d91f1a1ede43fb58b749a2619940efa09dd83aebbb34f4147ba7973c48552

  • SSDEEP

    1536:mwtp3nq8LXk/4g2fOG9HDvSvICqBMvA94DK4tbwgvX:D3lYIOyjKvIvBstDHVwA

Malware Config

Signatures

  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Loads dropped DLL 5 IoCs
  • Modifies WinLogon 2 TTPs 1 IoCs
  • Drops file in System32 directory 5 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\433dec19a3092cad1d9ab9f22fede0aa_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\433dec19a3092cad1d9ab9f22fede0aa_JaffaCakes118.exe"
    1⤵
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1728
    • C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\system32\rundll32.exe" 22283.dll,myImeInit C:\Users\Admin\AppData\Local\Temp\433dec19a3092cad1d9ab9f22fede0aa_JaffaCakes118.exe
      2⤵
      • Loads dropped DLL
      • Modifies WinLogon
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1892
      • C:\Windows\SysWOW64\sfc.exe
        "C:\Windows\system32\sfc.exe" /REVERT
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2484
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1892 -s 352
        3⤵
        • Program crash
        PID:2348

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\22283.dll

    Filesize

    22KB

    MD5

    4970fabaacf313ba47c69a80ed15fe71

    SHA1

    512ab4d130e25e2659032c582028c3f5b0d31aef

    SHA256

    d88831cde6c76c62e4519db584f73274f8d6cd9e4ab2312734603cd5d8e89c96

    SHA512

    b8f061c2368f8861298048f35ec53d868b2d4f104a9b482b7bc64c9803b0d22eff284c993c96fd0f107930e214026676acccfae0863e0270a83480ce88024901

  • \Windows\SysWOW64\sfc_my.dll

    Filesize

    40KB

    MD5

    84799328d87b3091a3bdd251e1ad31f9

    SHA1

    64dbbe8210049f4d762de22525a7fe4313bf99d0

    SHA256

    f85521215924388830dbb13580688db70b46af4c7d82d549d09086438f8d237b

    SHA512

    0a9401c9c687f0edca01258c7920596408934caa21e5392dbaefc222c5c021255a40ec7c114a805cdb7f5a6153ec9fa9592edcc9e45406ce5612aa4e3da6a2c4

  • memory/1728-0-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

  • memory/1728-5-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

  • memory/1892-11-0x0000000010000000-0x0000000010104000-memory.dmp

    Filesize

    1.0MB

  • memory/1892-12-0x0000000010000000-0x0000000010104000-memory.dmp

    Filesize

    1.0MB

  • memory/1892-13-0x0000000010000000-0x0000000010104000-memory.dmp

    Filesize

    1.0MB