Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    121s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    15/12/2024, 08:05

General

  • Target

    f311ed4e14e3fd2e6b7a654021e9fc46_JaffaCakes118.exe

  • Size

    1.3MB

  • MD5

    f311ed4e14e3fd2e6b7a654021e9fc46

  • SHA1

    4f38463f0a2719701c5351df1c9e7e205764f39f

  • SHA256

    f6210a60289f284600428b1cb4975eab8a326f49644667ef98d83377128615f2

  • SHA512

    9c22995ada407d940d257f4d72461b40415989708fd5678c5aacdb1cef3237fac75e410971f6bc7caab6a4d9e039bddffb7e3db42302647d3fa6ea29df6b59fd

  • SSDEEP

    24576:aSyLtIBYWFkfV0hfPnZBdWGktI7ie8ydTF4EWCX:WKBlNfPjd1ktOie8y1FzX

Malware Config

Signatures

  • Troldesh family
  • Troldesh, Shade, Encoder.858

    Troldesh is a ransomware spread by malspam.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f311ed4e14e3fd2e6b7a654021e9fc46_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\f311ed4e14e3fd2e6b7a654021e9fc46_JaffaCakes118.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of UnmapMainImage
    PID:2968

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2968-0-0x0000000002060000-0x0000000002134000-memory.dmp

    Filesize

    848KB

  • memory/2968-1-0x0000000000400000-0x0000000000607000-memory.dmp

    Filesize

    2.0MB

  • memory/2968-2-0x0000000000400000-0x0000000000607000-memory.dmp

    Filesize

    2.0MB

  • memory/2968-3-0x0000000000400000-0x0000000000607000-memory.dmp

    Filesize

    2.0MB

  • memory/2968-5-0x0000000000400000-0x0000000000607000-memory.dmp

    Filesize

    2.0MB

  • memory/2968-4-0x0000000000400000-0x0000000000607000-memory.dmp

    Filesize

    2.0MB

  • memory/2968-8-0x0000000000400000-0x0000000000607000-memory.dmp

    Filesize

    2.0MB

  • memory/2968-7-0x0000000000400000-0x0000000000607000-memory.dmp

    Filesize

    2.0MB

  • memory/2968-11-0x0000000002060000-0x0000000002134000-memory.dmp

    Filesize

    848KB

  • memory/2968-12-0x0000000000400000-0x0000000000607000-memory.dmp

    Filesize

    2.0MB

  • memory/2968-13-0x0000000000400000-0x0000000000607000-memory.dmp

    Filesize

    2.0MB