Analysis

  • max time kernel
    149s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags
    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    18/10/2024, 03:14

General

  • Target

    552ccebe1ceb972e667a506d15305095_JaffaCakes118.exe

  • Size

    698KB

  • MD5

    552ccebe1ceb972e667a506d15305095

  • SHA1

    c84cb86f31f0e69ed6f14b0bedee2ce33ceb252a

  • SHA256

    621f646fc179862feb1a1a2557e3e10561c1b8dfe673d0bb0e1bc365331b3c80

  • SHA512

    71a74651607d6682aa2b8b5f8b2ac24c6f45c23768ea8013e20223928012a6927ad19aad25e8ad0987d22eb27d1adb11d7aadc2af958455bfdfcd15326002c34

  • SSDEEP

    12288:pC3akvzGv2pxQcXlxPmJYWq1/pc2H3JZ1OeIaEIgTsbO/PVqUtQLld:pCfGojTgm1pZ/Ozwes6/PaLld

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 13 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • NSIS installer 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 8 IoCs
  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious behavior: EnumeratesProcesses 56 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\552ccebe1ceb972e667a506d15305095_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\552ccebe1ceb972e667a506d15305095_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1820
    • C:\Users\Admin\AppData\Local\Temp\nsoAF.tmp\zwankysearch.exe
      "C:\Users\Admin\AppData\Local\Temp\nsoAF.tmp\zwankysearch.exe" "C:\Users\Admin\AppData\Local\Temp\nsoAF.tmp\zwankysearch.dll" 3188413003
      2⤵
      • Executes dropped EXE
      PID:784
    • C:\Users\Admin\AppData\Local\Temp\nsoAF.tmp\zwankysearch.exe
      "C:\Users\Admin\AppData\Local\Temp\nsoAF.tmp\zwankysearch.exe" "C:\Users\Admin\AppData\Local\Temp\nsoAF.tmp\zwankysearch.dll" ucehekiku " " mogameyed
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      PID:2404
  • C:\ProgramData\ZwankySearch\zwankysearch1118.exe
    "C:\ProgramData\ZwankySearch\zwankysearch1118.exe" "C:\Program Files (x86)\ZwankySearch\zwankysearch.dll" xuyukigura ratukozuri
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1472
    • C:\Program Files (x86)\ZwankySearch\zwankysearch.exe
      "C:\Program Files (x86)\ZwankySearch\zwankysearch.exe" "C:\Program Files (x86)\ZwankySearch\zwankysearch.dll" huyohiret apasoyuqi
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2436
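
The process tree above shows the pattern worth detecting: a stub running from the user's Temp directory spawns a dropped EXE out of an NSIS plugin directory (%TEMP%\ns<random>.tmp\, the nsoAF.tmp and nszCEF5.tmp directories in this report), and every dropped EXE receives a .dll path as its first argument before the same exe/dll pair reappears under ProgramData and Program Files (x86). The following is an added example, not part of the tria.ge report: detection logic run over the command lines listed above. Parent PIDs are reconstructed from the tree nesting, since the report does not print them, and the tag names (runs_from_temp, nsis_plugin_dir, dll_handoff) are this example's own.

```python
import re
from typing import Dict, List, Optional, Tuple

# Process tree transcribed from the report as (pid, parent_pid, command line).
# Parent PIDs follow the tree nesting shown in the report; the report itself does
# not print them, so treat them as reconstructed rather than logged.
PROCESS_TREE: List[Tuple[int, Optional[int], str]] = [
    (1820, None,
     r'"C:\Users\Admin\AppData\Local\Temp\552ccebe1ceb972e667a506d15305095_JaffaCakes118.exe"'),
    (784, 1820,
     r'"C:\Users\Admin\AppData\Local\Temp\nsoAF.tmp\zwankysearch.exe" '
     r'"C:\Users\Admin\AppData\Local\Temp\nsoAF.tmp\zwankysearch.dll" 3188413003'),
    (2404, 1820,
     r'"C:\Users\Admin\AppData\Local\Temp\nsoAF.tmp\zwankysearch.exe" '
     r'"C:\Users\Admin\AppData\Local\Temp\nsoAF.tmp\zwankysearch.dll" ucehekiku " " mogameyed'),
    (1472, None,
     r'"C:\ProgramData\ZwankySearch\zwankysearch1118.exe" '
     r'"C:\Program Files (x86)\ZwankySearch\zwankysearch.dll" xuyukigura ratukozuri'),
    (2436, 1472,
     r'"C:\Program Files (x86)\ZwankySearch\zwankysearch.exe" '
     r'"C:\Program Files (x86)\ZwankySearch\zwankysearch.dll" huyohiret apasoyuqi'),
]

# NSIS extracts its plugins and dropped payloads into %TEMP%\ns<random>.tmp\;
# anything executing from such a directory is an installer-stage artefact.
NSIS_PLUGIN_DIR = re.compile(r"\\Temp\\ns[A-Za-z0-9]+\.tmp\\", re.IGNORECASE)
USER_TEMP = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
_ARG = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(cmdline: str) -> List[str]:
    """Split a Windows command line into arguments, honouring double quotes.

    A quoted whitespace-only argument (the " " passed to PID 2404) is kept
    as its own token instead of being swallowed by whitespace splitting.
    """
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in _ARG.finditer(cmdline)]


def classify(cmdline: str) -> List[str]:
    """Return the behavioural tags that apply to one process launch."""
    argv = tokenize(cmdline)
    if not argv:
        return []
    image = argv[0]
    tags: List[str] = []
    if USER_TEMP.search(image):
        tags.append("runs_from_temp")
    if NSIS_PLUGIN_DIR.search(image):
        tags.append("nsis_plugin_dir")
    # Every dropped EXE in this report is given a .dll path as argv[1]:
    # a thin loader that hands control to the sibling DLL.
    if len(argv) >= 2 and argv[1].lower().endswith(".dll"):
        tags.append("dll_handoff")
    return tags


def scan_tree(tree) -> Dict[int, List[str]]:
    """Tag every process in a (pid, ppid, cmdline) list."""
    return {pid: classify(cmd) for pid, _ppid, cmd in tree}


def loader_chains(tree) -> List[Tuple[int, int]]:
    """(parent, child) pairs where a Temp-resident process launched a DLL-handoff loader.

    This is the hand-over from the installer stub to the dropped payload.
    """
    tags = scan_tree(tree)
    return [(ppid, pid) for pid, ppid, _cmd in tree
            if ppid is not None
            and "runs_from_temp" in tags.get(ppid, [])
            and "dll_handoff" in tags[pid]]


if __name__ == "__main__":
    for pid, ppid, cmd in PROCESS_TREE:
        print(pid, ppid, classify(cmd))
    print("loader chains:", loader_chains(PROCESS_TREE))
```

Run against the report's own tree, the two children of PID 1820 carry all three tags and form the two loader chains; the ProgramData and Program Files (x86) copies carry only dll_handoff, which is why the Temp-based rules alone would miss the persisted stage and the DLL-as-first-argument rule is the one to keep in a hunt query.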

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\nsoAF.tmp\uninstall.exe

    Filesize

    78KB

    MD5

    490071c63a8583c44546421214809399

    SHA1

    f2268f3629b25b73b7f3ad984d867be01c19a670

    SHA256

    8f75ba9703c28b460025e05615222ed2b31e5eed829bfbab30bb029e873c0c24

    SHA512

    00301e21a10071a875b41ab8dbb715fad81af1c28f2badc8d2580b7b40ef52315fbd4af5e1e9a33c2070c3dc5c818632f0bed98f6e46d0869a3859997e12425b

  • C:\Users\Admin\AppData\Local\Temp\nsoAF.tmp\zwankysearch.dll

    Filesize

    576KB

    MD5

    0506a7773cfcf615042cc7ba3d5f311d

    SHA1

    bd5042084ea6735a9479359fa5ce813e156765bd

    SHA256

    903a73225511a85add2bfc72f485f11d88c77bd57dca851921f195e93bdde16a

    SHA512

    0dbba9e23bda568e2bbdefb602ac7ed6b9cdacf199a2cb711c09032fbe05c12dbcbbe0028c495567c29a6e06a0b53f9d2482b8dba609550e9b994df31de64b1e

  • C:\Users\Admin\AppData\Local\Temp\nsoAF.tmp\zwankysearch.dll

    Filesize

    576KB

    MD5

    8a34ae6f20174c24a9b7f92a8f38a4ac

    SHA1

    30603ef572e86767d591446e332558dd774f97a3

    SHA256

    bceadcabab0af07549c5995c23093d2c9568d94b2bda652517a47b24456170ff

    SHA512

    2d2e30f3e7a335b5491687c150655a7082cf9a7f0acc9a3a442c54ead4ee2b55dc7255272828496566088ac2c54bbef234ea6d068488bd618f70a13cd1534da8

  • C:\Users\Admin\AppData\Local\Temp\nszCEF5.tmp\ioSpecial.ini

    Filesize

    758B

    MD5

    5b606850329942981bc39800c3252d32

    SHA1

    bd64809fb5bdf199c10f7bab1f5e6d42e3665eb0

    SHA256

    e09cbc2617b4f9b1105440c3b8762c941807b498792ecddcc908bdb023d61189

    SHA512

    f06b42f4da26eb6e2df057057499349b005ae22f6a40b223f011a18f5e6314e6f9a3aea209d353b20cd5e1ddf4b26e2198ffa573536e89f563c2408adbfe999e

  • C:\Users\Admin\AppData\Local\Temp\nszCEF5.tmp\ioSpecial.ini

    Filesize

    620B

    MD5

    547366135355eccda412e6ddef09f7bb

    SHA1

    7aa47701674dc79fc5dcaa3d7771814578501f63

    SHA256

    f65f8fc4dbe00e11533d64054fb5f66a8d96bf5686c5a7a5a3d2e91c7d60040b

    SHA512

    7b6e166993855c9343d3b1887f275bfe962279c4759d8f7b3147706877a00da6e900156ff2dc01f7e58343c66e1de4ff9d157a65291cbf72528aaa0a2e83026b

  • \Users\Admin\AppData\Local\Temp\nsoAF.tmp\zwankysearch.exe

    Filesize

    25KB

    MD5

    f9ad165d8967009b916b4fdec3466528

    SHA1

    48ce3da6ab0f3a053036c40da1082c00202957d0

    SHA256

    62d2098e86a466502beadb00537bcedc66a13b5c3363be2bde41c113f8188cb9

    SHA512

    f46a40748be0ad5f7b894d364e9364ab6877466fc74467dc1e674df1d0be5c9fc1404ea3de6b0dbd8eb40a50d9bdae32616ba00903afa35547964dbdcea834da

  • \Users\Admin\AppData\Local\Temp\nszCEF5.tmp\InstallOptions.dll

    Filesize

    13KB

    MD5

    d765c492c21689e3d9d61634371fd861

    SHA1

    ac200933671ae52c9d5544d0e2e8e9144d286c83

    SHA256

    551e6042dd494ea01549555ffc194ab9729da09058ec714eb368dd06642c9bbc

    SHA512

    9919a9e848c8f1e26c75d0d29207571e4b86a4140bd554743d2c1f8bd7f386fe4919345b163d89a5d907fb165e435ba0ac5f6b1101713636141f156a420e2e0f

  • \Users\Admin\AppData\Local\Temp\nszCEF5.tmp\System.dll

    Filesize

    10KB

    MD5

    fe24766ba314f620d57d0cf7339103c0

    SHA1

    8641545f03f03ff07485d6ec4d7b41cbb898c269

    SHA256

    802ef71440f662f456bed6283a5ff78066af016897fe6bfd29cac6edc2967bbd

    SHA512

    60d36959895cebf29c4e7713e6d414980139c7aa4ed1c8c96fefb672c1263af0ce909fb409534355895649c0e8056635112efb0da2ba05694446aec2ca77e2e3

  • memory/1472-120-0x0000000000480000-0x0000000000506000-memory.dmp

    Filesize

    536KB

  • memory/1820-217-0x0000000004040000-0x00000000040D1000-memory.dmp

    Filesize

    580KB

  • memory/1820-218-0x00000000040E0000-0x0000000004166000-memory.dmp

    Filesize

    536KB

  • memory/2404-109-0x0000000000220000-0x00000000002A6000-memory.dmp

    Filesize

    536KB
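
Two paths in the Downloads list appear twice with different hashes: nsoAF.tmp\zwankysearch.dll (576KB, SHA256 903a73… and bceadc…) and nszCEF5.tmp\ioSpecial.ini (758B and 620B). The sandbox records one entry per distinct write, so each of those paths was written twice with different content during the run, and a file pulled from an infected host may match either version. The following is an added example, not part of the tria.ge report: a small helper that hashes a local file the way the report does, matches it against the dropped-file IOCs transcribed above, and flags exactly those rewritten paths. The function names are this example's own.

```python
import hashlib
from collections import defaultdict
from pathlib import Path
from typing import Dict, List, Tuple

# Dropped-file IOCs transcribed from the Downloads section of this report:
# (path as reported, size as reported, MD5, SHA256).
DROPPED_FILES: List[Tuple[str, str, str, str]] = [
    (r"C:\Users\Admin\AppData\Local\Temp\nsoAF.tmp\uninstall.exe", "78KB",
     "490071c63a8583c44546421214809399",
     "8f75ba9703c28b460025e05615222ed2b31e5eed829bfbab30bb029e873c0c24"),
    (r"C:\Users\Admin\AppData\Local\Temp\nsoAF.tmp\zwankysearch.dll", "576KB",
     "0506a7773cfcf615042cc7ba3d5f311d",
     "903a73225511a85add2bfc72f485f11d88c77bd57dca851921f195e93bdde16a"),
    (r"C:\Users\Admin\AppData\Local\Temp\nsoAF.tmp\zwankysearch.dll", "576KB",
     "8a34ae6f20174c24a9b7f92a8f38a4ac",
     "bceadcabab0af07549c5995c23093d2c9568d94b2bda652517a47b24456170ff"),
    (r"C:\Users\Admin\AppData\Local\Temp\nszCEF5.tmp\ioSpecial.ini", "758B",
     "5b606850329942981bc39800c3252d32",
     "e09cbc2617b4f9b1105440c3b8762c941807b498792ecddcc908bdb023d61189"),
    (r"C:\Users\Admin\AppData\Local\Temp\nszCEF5.tmp\ioSpecial.ini", "620B",
     "547366135355eccda412e6ddef09f7bb",
     "f65f8fc4dbe00e11533d64054fb5f66a8d96bf5686c5a7a5a3d2e91c7d60040b"),
    (r"\Users\Admin\AppData\Local\Temp\nsoAF.tmp\zwankysearch.exe", "25KB",
     "f9ad165d8967009b916b4fdec3466528",
     "62d2098e86a466502beadb00537bcedc66a13b5c3363be2bde41c113f8188cb9"),
    (r"\Users\Admin\AppData\Local\Temp\nszCEF5.tmp\InstallOptions.dll", "13KB",
     "d765c492c21689e3d9d61634371fd861",
     "551e6042dd494ea01549555ffc194ab9729da09058ec714eb368dd06642c9bbc"),
    (r"\Users\Admin\AppData\Local\Temp\nszCEF5.tmp\System.dll", "10KB",
     "fe24766ba314f620d57d0cf7339103c0",
     "802ef71440f662f456bed6283a5ff78066af016897fe6bfd29cac6edc2967bbd"),
]


def digests(data: bytes) -> Dict[str, str]:
    """Compute the four digests the report lists for a blob of bytes."""
    return {name: hashlib.new(name, data).hexdigest()
            for name in ("md5", "sha1", "sha256", "sha512")}


def digests_of_file(path: str) -> Dict[str, str]:
    """Hash a file on disk; read fully, these samples are well under 1MB."""
    return digests(Path(path).read_bytes())


def match_iocs(d: Dict[str, str], iocs=DROPPED_FILES) -> List[str]:
    """Reported paths whose SHA256 (or, failing that, MD5) equals the given digests."""
    return [path for path, _size, md5, sha256 in iocs
            if sha256 == d.get("sha256") or md5 == d.get("md5")]


def rewritten_paths(iocs=DROPPED_FILES) -> Dict[str, List[str]]:
    """Paths that occur more than once with different SHA256 values.

    Such a path was written more than once during the run, so a sample
    recovered from a host may legitimately match only one of the entries.
    """
    seen: Dict[str, List[str]] = defaultdict(list)
    for path, _size, _md5, sha256 in iocs:
        if sha256 not in seen[path]:
            seen[path].append(sha256)
    return {path: hashes for path, hashes in seen.items() if len(hashes) > 1}


if __name__ == "__main__":
    import sys
    for path, hashes in rewritten_paths().items():
        print("rewritten during run:", path, hashes)
    for suspect in sys.argv[1:]:
        d = digests_of_file(suspect)
        print(suspect, d["sha256"], "->", match_iocs(d) or "no match")
```

Usage: python triage_iocs.py <recovered-file> prints which reported artefact, if any, the file is; matching on SHA256 first means an MD5 collision alone never produces a positive. When a path comes back from rewritten_paths, check both listed hashes before declaring a recovered file a mismatch.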