Analysis
- max time kernel: 150s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 19/10/2024, 22:24

Behavioral task: behavioral1
- Sample: 5ef7fe7f1e794a83d76bc115089c24d1_JaffaCakes118.exe
- Resource: win7-20240903-en
General
- Target: 5ef7fe7f1e794a83d76bc115089c24d1_JaffaCakes118.exe
- Size: 403KB
- MD5: 5ef7fe7f1e794a83d76bc115089c24d1
- SHA1: 2f8b9d2f4fbfb95bf08ef18dfdfeb0226581e2e2
- SHA256: 7285307085fbba9e99687a175fb18907f3c70b4b247229b2886922fff0bd0da0
- SHA512: 691777ea80ccb68833dda181b3367ab512026361304f759c82402dfe5fdfd328396c97f45592280609c28c64b4235c497bb4e00a57051088cde82d49454dc8f4
- SSDEEP: 6144:85SXvBoDWoyLYyzbkPC4DYM6SB6v+qLnAzYmhwrxcvkzmSBrohq:8IfBoDWoyFblU6hAJQnO4
Malware Config (extracted)
- Family: urelas
- 218.54.31.165
- 218.54.31.226
Signatures

Deletes itself (1 IoC)
- PID 2844, cmd.exe

Executes dropped EXE (3 IoCs)
- PID 1736, ojwug.exe
- PID 2708, zusaly.exe
- PID 2408, ubfiu.exe

Loads dropped DLL (5 IoCs)
- PID 2308, 5ef7fe7f1e794a83d76bc115089c24d1_JaffaCakes118.exe (2 events)
- PID 1736, ojwug.exe (2 events)
- PID 2708, zusaly.exe (1 event)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- Opened by: 5ef7fe7f1e794a83d76bc115089c24d1_JaffaCakes118.exe, ojwug.exe, cmd.exe, zusaly.exe, ubfiu.exe, cmd.exe

Suspicious behavior: EnumeratesProcesses (55 IoCs)
- PID 2408, ubfiu.exe (55 events)

Suspicious use of WriteProcessMemory (20 IoCs)
- PID 2308 (5ef7fe7f1e794a83d76bc115089c24d1_JaffaCakes118.exe) wrote to memory of PID 1736, procid_target 31 (4 events)
- PID 2308 (5ef7fe7f1e794a83d76bc115089c24d1_JaffaCakes118.exe) wrote to memory of PID 2844, procid_target 32 (4 events)
- PID 1736 (ojwug.exe) wrote to memory of PID 2708, procid_target 34 (4 events)
- PID 2708 (zusaly.exe) wrote to memory of PID 2408, procid_target 36 (4 events)
- PID 2708 (zusaly.exe) wrote to memory of PID 1320, procid_target 37 (4 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\5ef7fe7f1e794a83d76bc115089c24d1_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5ef7fe7f1e794a83d76bc115089c24d1_JaffaCakes118.exe"
  PID: 2308
  Signatures: Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\ojwug.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\ojwug.exe" hi
    PID: 1736
    Signatures: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\zusaly.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\zusaly.exe" OK
      PID: 2708
      Signatures: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\ubfiu.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\ubfiu.exe"
        PID: 2408
        Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses
      - C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
        PID: 1320
        Signatures: System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
    PID: 2844
    Signatures: Deletes itself; System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads