Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    25/12/2024, 05:49

General

  • Target

    JaffaCakes118_7209361149706baa9059d776cc8e67104b44d73d4fc17e9836da997c00640870.ps1

  • Size

    640B

  • MD5

    07f4a138267c2c7816c6452e03f35a6d

  • SHA1

    99bc5bffa4ab51627af531efb3f129588d442ae1

  • SHA256

    7209361149706baa9059d776cc8e67104b44d73d4fc17e9836da997c00640870

  • SHA512

    5c9005c81c39351cfc148ce6d5599caf083b9a6fc10c2ba99e0f3b691cf378f13a9fc61923930c47341e7f3213f6213501e18c6fdc3e1d1f9ba7de49654f970c

Malware Config

Signatures

  • Golang Generic Botnet

    A botnet written in golang not attributed to a particular actor.

  • Golang_generic_botnet family
  • Xmrig family
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • OS Credential Dumping: LSASS Memory 1 TTPs

    Malicious access to Credentials History.

  • XMRig Miner payload 1 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Sets file to hidden 1 TTPs 1 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 10 IoCs
  • VMProtect packed file 6 IoCs

    Detects executables packed with VMProtect commercial packer.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • GoLang User-Agent 4 IoCs

    Uses default user-agent string defined by GoLang HTTP packages.

  • Kills process with taskkill 5 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 56 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7209361149706baa9059d776cc8e67104b44d73d4fc17e9836da997c00640870.ps1
    1⤵
    • Blocklisted process makes network request
    • Loads dropped DLL
    • Command and Scripting Interpreter: PowerShell
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2756
    • C:\Windows\system32\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im service.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2840
    • C:\Windows\system32\attrib.exe
      "C:\Windows\system32\attrib.exe" +S +H .git
      2⤵
      • Sets file to hidden
      • Views/modifies file attributes
      PID:2716
    • C:\Users\Admin\AppData\Local\Temp\.git\service.exe
      "C:\Users\Admin\AppData\Local\Temp\.git\service.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1996
      • C:\Windows\system32\cmd.exe
        cmd /c "wmic process get ProcessID,ExecutablePath /format:csv"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1964
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic process get ProcessID,ExecutablePath /format:csv
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2928
      • C:\Windows\system32\taskkill.exe
        taskkill /f /im inj.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2644
      • C:\Windows\system32\taskkill.exe
        taskkill /f /im runtime.dll
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:992
      • C:\Windows\system32\taskkill.exe
        taskkill /f /im autoupdate.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2188
      • C:\Users\Admin\AppData\Local\Temp\.git\autoupdate.exe
        C:\Users\Admin\AppData\Local\Temp\.git/autoupdate.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2420
        • C:\Users\Admin\AppData\Local\Temp\.git\procdump.exe
          C:\Users\Admin\AppData\Local\Temp\.git/procdump.exe -accepteula -ma lsass.exe C:\Users\Admin\AppData\Local\Temp\.git/1.dmp
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1644
          • C:\Users\Admin\AppData\Local\Temp\.git\procdump64.exe
            C:\Users\Admin\AppData\Local\Temp\.git/procdump.exe -accepteula -ma lsass.exe C:\Users\Admin\AppData\Local\Temp\.git/1.dmp
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            PID:2580
      • C:\Windows\system32\taskkill.exe
        taskkill /f /im updater.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2220
      • C:\Users\Admin\AppData\Local\Temp\.git\updater.exe
        C:\Users\Admin\AppData\Local\Temp\.git/updater.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1468
      • C:\Users\Admin\AppData\Local\Temp\.git\service.exe
        C:\Users\Admin\AppData\Local\Temp\.git\service.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2292
        • C:\Windows\system32\cmd.exe
          cmd /c "wmic process get ProcessID,ExecutablePath /format:csv"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1772
          • C:\Windows\System32\Wbem\WMIC.exe
            wmic process get ProcessID,ExecutablePath /format:csv
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:2128
        • C:\Windows\system32\cmd.exe
          C:\\Windows\system32\cmd.exe /c "schtasks.exe /create /tn winupdate /tr C:\Users\Admin\AppData\Local\Temp\.git\service.exe /sc DAILY /st 02:39 /F"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2596
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn winupdate /tr C:\Users\Admin\AppData\Local\Temp\.git\service.exe /sc DAILY /st 02:39 /F
            5⤵
            • Scheduled Task/Job: Scheduled Task
            PID:2700

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\.git\.dn

    Filesize

    15B

    MD5

    5447995d0b03d4e6ce84c6103f3e9c1a

    SHA1

    955c984f6032dc1654dfdf60a9408d89bc9f5ef7

    SHA256

    0eb876d6880f037026caa7942298b0e6d62cf1a17f3fcd91deea69984e9becc7

    SHA512

    98a2693ed7555aa88b549f093e1ce5d66b993b47cde09fd746666a5d9d02fa836875373b7edcb1c267be2ef908eb6b472a46f777f93c79c00651e3c8f10927ca

  • C:\Users\Admin\AppData\Local\Temp\.git\.runtime.dll_ver.txt

    Filesize

    8B

    MD5

    0a00adbb498e37d158d48f9dd345ba92

    SHA1

    4d57a6abc49cdd77ff18d95cc5fbbfe7c45a0a95

    SHA256

    8eda86b7e7de00ed44b547708a959eee5d30d97c9cdbdabf3d7947ca35ed7f6c

    SHA512

    0f16f5bb1aedab9c27ab78c46a0db032b187203582c22f75a2a62a40433ef19e623c4ef03f826ee4db9bec3eaf12b880972e3a4615ed4cd757171c4e09a79967

  • C:\Users\Admin\AppData\Local\Temp\.git\.service.exe_ver.txt

    Filesize

    8B

    MD5

    8aa5afe73c111a6782400cc822d8db2e

    SHA1

    429f0164f48639c16e9bad5b234ff5ebe0fa467c

    SHA256

    79b90f581ce75bf494a26513a31845b405afe1e93e6b753f9fb2e69df8f843dd

    SHA512

    4d8adbf48633e3ef75895bfd43b5923ea7ac2049770e2d7fd1213df05f9e8a34f153d99d8d5c16f525ab1be4c042d8111ebd0ae1b3c456eee98626dd6b094657

  • C:\Users\Admin\AppData\Local\Temp\.git\.updater.exe_ver.txt

    Filesize

    8B

    MD5

    7051e24693839d5b7b4a8f9c66cd0b41

    SHA1

    b05224fe5315ab79023104fe202b48ae8b772237

    SHA256

    f42993b65cf84a27362e2d7721213c02915585904908408798371f2b58e0dcd2

    SHA512

    eac9259bcb3e3e85655da51c1170308430cdd89515cf9f78c887374f73789d345175be9b7d0326f1592ec980de2b6972ef214f304d3e0e1bb05d0d7244d322a2

  • C:\Users\Admin\AppData\Local\Temp\.git\1.dmp

    Filesize

    32.3MB

    MD5

    7c1ed6043086f8a83ba5800fb69bb8ab

    SHA1

    ce648023ade2b00d8dcc76e95d9681779a712980

    SHA256

    1330685c1674d56bb7b4d371d3793c9f5b1ba11ef902c34391cdeaf3897564b8

    SHA512

    876bab57347bba8b0eca7401d3fecbb376a1aa277e9a4c0875db83acc6678c9a595f257babb1fb1d68acc5ab27f512b88ba8f26dfc73aa9d2cb7c4e7f7712943

  • C:\Users\Admin\AppData\Local\Temp\.git\procdump.exe

    Filesize

    467KB

    MD5

    bc314fe72007a259d9dd240e667bf11b

    SHA1

    5fa5ac5636a9aa3a76fc817be34235bd568e4911

    SHA256

    40565c3eddddca825a7d33c2047e254a8549ea243dcb0e41acbf6a99a70d61b5

    SHA512

    5c6b107b3805ac1ea18ed658931ee61dbbfe8d215045b786b2c2ecbfb07ddae4d15de24ff43469d920c5ed397cb2dde288e77d6549b248e62fb8cbd55f1b664a

  • \Users\Admin\AppData\Local\Temp\.git\autoupdate.exe

    Filesize

    13.3MB

    MD5

    aacad55a1ea4fabcc73900aa4210e85c

    SHA1

    579a06b7425ace38586df4a2e292bc1da263a9e4

    SHA256

    981b57cd68f45ebc4feb9f5d4395d1222b5628dcb4c1b5d6b4adc3d61efedfb6

    SHA512

    2c6892b8c54191a5829b387c966506ad88d5565d136edb7d0d0842a70fe4e0354b4b672c933257bc0ec34ffa011da613bc332729eb0c5501b2e112b135930285

  • \Users\Admin\AppData\Local\Temp\.git\procdump64.exe

    Filesize

    246KB

    MD5

    761edcfd13225e3351c3905bd85a5718

    SHA1

    8f7e3201b9c485b8670397a390e8465e6861f660

    SHA256

    b085f7357254c9c04571478a216d54f1347418def5c8aa7c72fb3decdf096e36

    SHA512

    2ba10b2881b24bd0ec5ab0f58da68bd53002cf3596a3e34334f8c1e450f65a33246126227bc88ef05136342ce0dc41acd8d0ebd47c66514ecf7c0842f1e14f23

  • \Users\Admin\AppData\Local\Temp\.git\service.exe

    Filesize

    7.6MB

    MD5

    b87a2e1c3fc2d716b3dd94b462aa52b0

    SHA1

    c67972af2c5aed36f3450e9392d4bd05af1e8924

    SHA256

    7463a86077e9757a5e4598e107829e208846e1c5d5e538c091c880d08949d64d

    SHA512

    94f8a6841d8e6c6760896d1d02daa0610fe5013715fc17da350e1424b9513980b286af2fa2fc3d809b9d6c6d1eff7c608f431accac69017be332bb92b487639b

  • \Users\Admin\AppData\Local\Temp\.git\updater.exe

    Filesize

    8.2MB

    MD5

    2b0d39f377e1283cd6ecb1a5f5504990

    SHA1

    a1720953cdcc5dd7f4aaa9815f28d98936188512

    SHA256

    e1a80dfa69b6d673c046d95e0cd8aa1ca30c382828a402626b21cd90f1ee3447

    SHA512

    8044df245c168a712846f1af2f60a584365172f31f21864a50da4c372387e18dd6aac0708252d2e4999401f69e5a8fd6d68925c67b84510159fa0207e8bcb620

  • memory/1468-81-0x00000000002F0000-0x0000000000310000-memory.dmp

    Filesize

    128KB

  • memory/1468-75-0x0000000077870000-0x0000000077872000-memory.dmp

    Filesize

    8KB

  • memory/1468-77-0x000000013FC20000-0x0000000141A55000-memory.dmp

    Filesize

    30.2MB

  • memory/1996-93-0x00000000009E0000-0x0000000001B3F000-memory.dmp

    Filesize

    17.4MB

  • memory/1996-29-0x0000000077870000-0x0000000077872000-memory.dmp

    Filesize

    8KB

  • memory/1996-31-0x00000000009E0000-0x0000000001B3F000-memory.dmp

    Filesize

    17.4MB

  • memory/1996-27-0x0000000077870000-0x0000000077872000-memory.dmp

    Filesize

    8KB

  • memory/1996-25-0x0000000077870000-0x0000000077872000-memory.dmp

    Filesize

    8KB

  • memory/2292-101-0x0000000000C40000-0x0000000001D9F000-memory.dmp

    Filesize

    17.4MB

  • memory/2292-99-0x0000000077870000-0x0000000077872000-memory.dmp

    Filesize

    8KB

  • memory/2420-55-0x0000000077870000-0x0000000077872000-memory.dmp

    Filesize

    8KB

  • memory/2420-56-0x0000000000F60000-0x0000000003835000-memory.dmp

    Filesize

    40.8MB

  • memory/2756-4-0x000007FEF64FE000-0x000007FEF64FF000-memory.dmp

    Filesize

    4KB

  • memory/2756-11-0x000007FEF6240000-0x000007FEF6BDD000-memory.dmp

    Filesize

    9.6MB

  • memory/2756-24-0x000007FEF6240000-0x000007FEF6BDD000-memory.dmp

    Filesize

    9.6MB

  • memory/2756-10-0x000007FEF6240000-0x000007FEF6BDD000-memory.dmp

    Filesize

    9.6MB

  • memory/2756-9-0x000007FEF6240000-0x000007FEF6BDD000-memory.dmp

    Filesize

    9.6MB

  • memory/2756-8-0x000007FEF6240000-0x000007FEF6BDD000-memory.dmp

    Filesize

    9.6MB

  • memory/2756-7-0x000007FEF6240000-0x000007FEF6BDD000-memory.dmp

    Filesize

    9.6MB

  • memory/2756-6-0x0000000002970000-0x0000000002978000-memory.dmp

    Filesize

    32KB

  • memory/2756-5-0x000000001B590000-0x000000001B872000-memory.dmp

    Filesize

    2.9MB