Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    17/10/2024, 17:15

General

  • Target

    52cd5cb4c8c3f83edb2daf3361e07875_JaffaCakes118.exe

  • Size

    24KB

  • MD5

    52cd5cb4c8c3f83edb2daf3361e07875

  • SHA1

    fbc9a38bc88e8223b8a8129a9e10f3783f2e980f

  • SHA256

    bb55a32b39309a1d9a8f6c7f12408e113938dbe489b70efdd35a62c30e6b8233

  • SHA512

    660dbd5428661067dc839a72342fcbcd3474523c15568d4746a85ee88f547c52adaa43d550efab0d9c8295a2809b6ac478ae3598f5449b16c41a90a266c12e9b

  • SSDEEP

    192:ajcOeIg2N8KSok3GxRKt9Bl/VdBkQ8llnBCYmoelDEMwT9zHJgnQr71sP1oyaOUs:ajIimbBkQ8nBCXXZvGQQr7k1QOV

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\52cd5cb4c8c3f83edb2daf3361e07875_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\52cd5cb4c8c3f83edb2daf3361e07875_JaffaCakes118.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2228
    • C:\Users\Admin\AppData\Local\Temp\52cd5cb4c8c3f83edb2daf3361e07875_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\52cd5cb4c8c3f83edb2daf3361e07875_JaffaCakes118.exe"
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2968
      • C:\Windows\Googlehh.EXE
        "C:\Windows\Googlehh.EXE"
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:3012
        • C:\Windows\Googlehh.EXE
          "C:\Windows\Googlehh.EXE"
          4⤵
          • Deletes itself
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:1308

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\MyTemp

    Filesize

    84B

    MD5

    2279dc07a50bcb4b2efdb0ee6f65ad35

    SHA1

    30d28a56d1eb7419909647a8506b37c03f3b1607

    SHA256

    df09bc82b753a40162246e7295f94d1bbe8629c0c9897439c2e672ddc8cfbe3e

    SHA512

    83a927e91631f2c9fc7407e1388dd1915b6b942695eb21f46ba33084a80c8af65e3f9845f2749691efa1a45329b44834b0e5ca8fffba1ee3f95b5b077c3ec0b2

  • C:\Windows\Googlehh.EXE

    Filesize

    16.8MB

    MD5

    3487ab5744086964af3be5d43004fbaa

    SHA1

    fe33b7aaf3ce9136b1998c5387774d34b60edc4b

    SHA256

    f476731f307971fd6c6f90104b25e933b64493184de4ad5aed1a981fcef0c02e

    SHA512

    46527ee4b23e41ca2b9dac7f4393f4e7588b6598544eec6a1a2eb503170fe25690915239f4747b5d95c00833478db06a340ee0eb4f62dfd7a3c6af7db7c91959