Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    150s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    24/01/2025, 01:39

General

  • Target

    JaffaCakes118_1ccfa7176d202069491a7f360756cfa2.exe

  • Size

    194KB

  • MD5

    1ccfa7176d202069491a7f360756cfa2

  • SHA1

    ae6c848d2d31cd916a14445cb13344c589e53038

  • SHA256

    c180c6ba9f85cd3820a4400b1dcad7e156b55733c548e2cea4221e7f77acce2c

  • SHA512

    931081031d6d0205ef0bcb02e06f1302fecaa4491b71c10ab56b28671b739c24d274bb059f508a28f96586adcb276df7485bef673c412738762104b817b2bcfc

  • SSDEEP

    1536:bm8xOWWrs/wNYw8sE/2VP+sEM35ny/fUix:bm1TrNwudRTNYci

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Ramnit

    Ramnit is a versatile malware family comprising viruses, worms, and Trojans.

  • Ramnit family
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1ccfa7176d202069491a7f360756cfa2.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1ccfa7176d202069491a7f360756cfa2.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1732
    • C:\Program Files (x86)\Microsoft\WaterMark.exe
      "C:\Program Files (x86)\Microsoft\WaterMark.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2996
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\system32\svchost.exe
        3⤵
        • Modifies WinLogon for persistence
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        PID:2444

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\epl-v10.html

    Filesize

    401KB

    MD5

    5c1e358333c4d961605afa3b250e2d01

    SHA1

    1593bbd3c89a389eaa76bd93707899136c47a1cd

    SHA256

    1ffae8f105b06bf4845485ded9c31def0b776fd81592bfef81f06aea7bbdedaf

    SHA512

    9aa8e9d98b1b7ac004cdd3ea75d53c2b90c4c335ce23b37dafc8f53b9e966cde1e4f8ab79d56e59ab1f1138784eb4f95ea89790950eeb1955ee00d5f79656da6

  • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\license.html

    Filesize

    398KB

    MD5

    7e9d12ee9fcb192eaad471fc776b8fd0

    SHA1

    d57e9d3ba522141b5c8fee94a68d0d62be39cccc

    SHA256

    466ff7e135d68fb676e9f4b18ec506a6ece207402783adb8e9725a29c4ccc02c

    SHA512

    ec3c10482aa497b05ee1852259435339154fdbbd8605aa090de413a45e5f0677b63f0e8db4da2c634d6ac608ce74ac7a9d673fb929f8f64a469489143927960d

  • \Program Files (x86)\Microsoft\WaterMark.exe

    Filesize

    194KB

    MD5

    1ccfa7176d202069491a7f360756cfa2

    SHA1

    ae6c848d2d31cd916a14445cb13344c589e53038

    SHA256

    c180c6ba9f85cd3820a4400b1dcad7e156b55733c548e2cea4221e7f77acce2c

    SHA512

    931081031d6d0205ef0bcb02e06f1302fecaa4491b71c10ab56b28671b739c24d274bb059f508a28f96586adcb276df7485bef673c412738762104b817b2bcfc

  • memory/1732-1-0x00000000001B0000-0x00000000001B1000-memory.dmp

    Filesize

    4KB

  • memory/1732-0-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/1732-3-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/1732-11-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/2444-22-0x0000000000080000-0x0000000000081000-memory.dmp

    Filesize

    4KB

  • memory/2444-33-0x0000000020010000-0x0000000020020000-memory.dmp

    Filesize

    64KB

  • memory/2444-43-0x0000000020010000-0x0000000020020000-memory.dmp

    Filesize

    64KB

  • memory/2444-39-0x0000000020010000-0x0000000020020000-memory.dmp

    Filesize

    64KB

  • memory/2444-20-0x0000000020010000-0x0000000020020000-memory.dmp

    Filesize

    64KB

  • memory/2444-26-0x00000000000A0000-0x00000000000A1000-memory.dmp

    Filesize

    4KB

  • memory/2444-27-0x0000000000080000-0x0000000000081000-memory.dmp

    Filesize

    4KB

  • memory/2444-35-0x0000000020010000-0x0000000020020000-memory.dmp

    Filesize

    64KB

  • memory/2444-32-0x0000000000090000-0x0000000000091000-memory.dmp

    Filesize

    4KB

  • memory/2444-28-0x0000000020010000-0x0000000020020000-memory.dmp

    Filesize

    64KB

  • memory/2996-18-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/2996-16-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/2996-42-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/2996-17-0x0000000000320000-0x0000000000321000-memory.dmp

    Filesize

    4KB

  • memory/2996-14-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/2996-13-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB