Analysis

  • max time kernel
    148s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    27/10/2024, 22:22

General

  • Target

    763d06f09c646c995c9ded35754f35e1_JaffaCakes118.exe

  • Size

    208KB

  • MD5

    763d06f09c646c995c9ded35754f35e1

  • SHA1

    5b3ee41d3d354468f34bbc0b74931c642aa64321

  • SHA256

    64d12b6ed1fc65eaaf9410903955668bfa6fd6ae699dcabc6e9cad74ffb42c1d

  • SHA512

    296dfb3805758fdc5dbc1d33f14c2a65ae7e0a4f3ced1e388dcd630c72af570c10ac0b8b77147049a603577acfa7560446fa43fef17be750f8f85e825f524aa8

  • SSDEEP

    6144:v5hPwKr+MAPdJREOmr9H0j0AXY2vajGm:fPwKr+9dTYUj/CjG

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 10 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\763d06f09c646c995c9ded35754f35e1_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\763d06f09c646c995c9ded35754f35e1_JaffaCakes118.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2476
    • C:\Users\Admin\AppData\Roaming\IDENTI~1\VCLVCL~1\msftdm.exe
      "C:\Users\Admin\AppData\Roaming\IDENTI~1\VCLVCL~1\msftdm.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:1100
    • C:\Users\Admin\AppData\Roaming\IDENTI~1\VCLVCL~1\msftdm32.exe
      "C:\Users\Admin\AppData\Roaming\IDENTI~1\VCLVCL~1\msftdm32.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      PID:2412

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\msftcore.dat

    Filesize

    669B

    MD5

    85c353915f5aa8894943ba9724a56946

    SHA1

    a2ac3dd29c9dcdaf7ef748ac42f6e00a699a8aaf

    SHA256

    2a8932976e5b6fbe3cde6d4db4c5ee335702412fc907c3fb4d83f1ddf753bd30

    SHA512

    96d14e46949d1b9bf2b4cb49809b96b99d598bc3c75fe0b159ee544a2b835a49cda9e756b034159767572bf9ab22c3cd78e2e354d2ab578fe1523a8dbaffe955

  • C:\Users\Admin\AppData\Local\Temp\msftcore.dll

    Filesize

    53KB

    MD5

    ccab25c4f6a2411e649f41a654fb732a

    SHA1

    f0fa67afbfeba2fcfba4cbf378456e9563ed5e5b

    SHA256

    7d21310e49648c311d150f233b3f8b577a39705228c12b6c01cc5e770bdbeb76

    SHA512

    353d0196e47c963f62420df99c75a40bcf4db374386bf676edbc990d8c5cb16b74318aefacd9085e9fd860dded035350085f7efea3772b326a6a9867dfba641c

  • C:\Users\Admin\AppData\Local\Temp\msftdm.exe

    Filesize

    2KB

    MD5

    1ba9eb7cdab7a589ebbe6d720ae3c187

    SHA1

    55555de0a07d43a23c4fff84bd4613b9b3c3c104

    SHA256

    2dee3d4a62c04eb8dd0e30dc4ef3eb51dc80e72422d383b44a363ae939d64eea

    SHA512

    374a9d844365b1b1d855f83616c9e2d3cc3b9edaef5428af8022845a2679b38483e9249c686fe5f508a60124cc6fad2fbbf23eab60bd2e492b8366799ad60e74

  • C:\Users\Admin\AppData\Local\Temp\msfteml.dll

    Filesize

    45KB

    MD5

    6a08aa55a1b999b583bdedd896cf6f7e

    SHA1

    1c66b481049cd30967e837b0d1b5a04421ad97a0

    SHA256

    a6b19efc6fc9aa7e8cf722f20fd4e1a40780af255310617c34f9e2dba6efde6b

    SHA512

    c161885bb5c301c986b3d45112cd74b69ea1bb424ff97a5798717e4e506b2d08ca5b993c20e79cb74cb00f2c5d76198b25424b7d15fade3dccaeb30096a383de

  • C:\Users\Admin\AppData\Local\Temp\msftldr.dll

    Filesize

    29KB

    MD5

    ee693e9883f032df2849150b5279a21b

    SHA1

    7f5675e4c9383134fd495aa870d8a4567ae2ce6e

    SHA256

    fee1bd9f37e1925045425e48d97f215b1786b9bf2b11006ddedffc68c753fea4

    SHA512

    11378bf51357bbafbe3479974c4809a051f7cdb7877c00f7de523959160eb4235530037e9624e34434ab6d4e8f982768bea56dc3749c83ffd7fc7c6d2a9e6ab4

  • C:\Users\Admin\AppData\Local\Temp\msftmod.dat

    Filesize

    24B

    MD5

    e21f42c8e892bcb102b45fd92ae946f2

    SHA1

    018c9f80a4f603c12e0f7014fa8c77116434ba09

    SHA256

    1df3a4c0aea1b2cdc377ed1359f27efcfecc4a80c3d1a8a785568fb5552f91a9

    SHA512

    130d4bf292d25b44d68affc26318b033bcd532942f25f0fa78620b934095d6c2ae8ff4c2b2632233eaf25f85deca9f0349cba405b12e0c898254c00329403de1

  • C:\Users\Admin\AppData\Local\Temp\msftstp.exe

    Filesize

    15KB

    MD5

    aaa500a9062eef90ef54a10b47dd38c0

    SHA1

    5aeb7d00518f9598ace234b9c0ce0ef859adccac

    SHA256

    089ed7d7301d5cf8c424d14f766e8a3eec38825eb757b498cc10a752c80d0092

    SHA512

    66884cfbbe637097bd5cdb52c678c78456e41664ac0bc491acb67fbdd48f09cfe5c8c124d5e5232cb80178b018d6199bf9be163f0eab9580ad6a9858d9f42a19

  • C:\Users\Admin\AppData\Local\Temp\msfttcp.dll

    Filesize

    18KB

    MD5

    47a1410f93552cb860134f63e7f08bbd

    SHA1

    05d13a592f4649af3a5f3a9f13cb686a5f29506a

    SHA256

    0dcd59b53093f87990eb9385f272a5d75fdc5b9517d62f5ca303c4ff8484ae6d

    SHA512

    2b18f2890e7690d0fe67c3d6f5962f5081bdc4ffa02e01e07050f061ed551dc54a2aceb52a4200c9f70bdc286c2f2d80c0b071e772952015bb4ee8d0cc6e2f18

  • C:\Users\Admin\AppData\Roaming\IDENTI~1\VCLVCL~1\msftldr.dll

    Filesize

    58KB

    MD5

    c617801ca4bb75ea00da0cc9af86a20b

    SHA1

    bdc45e976f7f553ebab954549a63def00d65b302

    SHA256

    c3be7740c2f338688bf7040aa1390e275e1c087b0c3dda843d02eab528572da8

    SHA512

    5c4f0c3331201728f05185b556d144128f7e84be72fb24e6553e33ac9e0a987575f2d263d710796f8076c363904ea5ed197891ce07d1efb9cef0cc125f1cfb1f

  • C:\Users\Admin\AppData\Roaming\Identities\vclvclms32\msftcore.dat

    Filesize

    728B

    MD5

    ad0edd8b47944c1178636c94542eacee

    SHA1

    8dd5d8e6cce39944939f40d0c15f78db943d1f2f

    SHA256

    940d8fd23163cbdcdc0eef26c8d333e8e784bd506d50a7deeabda95b0a1d1752

    SHA512

    11e9e6d05fe812e9316e0d00fda75de8bed4fbbee3765f13b653a547f8cea4b92d872f31a944e4fb8661d8b64083af4e94acb7beaa383a685cb90f2d85f07e3c

  • C:\Users\Admin\AppData\Roaming\Identities\vclvclms32\msftcore.dll

    Filesize

    105KB

    MD5

    520004f34edca4a74fc5c3e9d6de36e1

    SHA1

    f799710dcf35d30245f2d4ffc621fc8058f045b4

    SHA256

    57de9ecfcfed78b7e52e41c7314d8dfc61976adb51c83478b16405c3d79b9557

    SHA512

    f3071ef6391222c6689c966051d4d108c2eb56a598d77313b0b1d912d87e3f67709896f735e6928ebc823214c48e551c1fea3aef8e8bb5361785e6f32b11c43f

  • C:\Users\Admin\AppData\Roaming\Identities\vclvclms32\msfteml.dll

    Filesize

    88KB

    MD5

    431281eb6636a49003c134ad75038139

    SHA1

    07a74b28bdc347e6936031a5d6f0ddff97c3cc50

    SHA256

    cbc61c7335c477fa72e5aba70de44ea0df37625372724332c377196af1c083dd

    SHA512

    1dedf42c0de7eb8cb9f5c6d425358ced05e37dded947c20a9996b32f6cec6753b08cec73413fc134ba7d282dbc60afb3136b20c96bcbf26a14b7717d591e2bc6

  • C:\Users\Admin\AppData\Roaming\Identities\vclvclms32\msfttcp.dll

    Filesize

    37KB

    MD5

    2506cecf663b4a961c65a9d7e9ef795a

    SHA1

    6262efdd2eba424474f6c2aac20913b3e588aaab

    SHA256

    baa21cee7ec40eb612ab70ef6d801cbb1645f9da9c827bf0d59d2e65d5646b52

    SHA512

    f97c35653d03ceb134ff34a912f7a8ca71e67e35a623ebe8f7470d4fd13e0df54ae5c617e23f15354de43f3a2ac762f57a42fb882f1204b0633b2d5fb91cb570

  • \Users\Admin\AppData\Roaming\Identities\vclvclms32\msftstp.exe

    Filesize

    31KB

    MD5

    c1883400de568d13ac385424dfdac922

    SHA1

    89346038c164a66d441369d7a6e757af8db44089

    SHA256

    42dd97b432e39b5d8580d1a336f7c392c51ee5a9207f31b28a406dd97d4b7eaf

    SHA512

    5ed7d7fdc26c4790ab06163c488998288c05ae7a27807b7dd79771d8570f9e9653b2a6d5c8c12e12636f8228b09c6ed9af671a327c04a2a8c4daee22267fb6af

  • memory/1100-96-0x0000000000290000-0x00000000002B3000-memory.dmp

    Filesize

    140KB

  • memory/1100-107-0x0000000000230000-0x000000000025D000-memory.dmp

    Filesize

    180KB

  • memory/1100-112-0x0000000000230000-0x000000000023D000-memory.dmp

    Filesize

    52KB

  • memory/2412-98-0x0000000000280000-0x00000000002AD000-memory.dmp

    Filesize

    180KB

  • memory/2412-110-0x00000000002F0000-0x00000000002FD000-memory.dmp

    Filesize

    52KB

  • memory/2476-1-0x0000000000400000-0x0000000000489000-memory.dmp

    Filesize

    548KB

  • memory/2476-89-0x0000000000400000-0x0000000000489000-memory.dmp

    Filesize

    548KB