Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

022cdd46e1...18.exe

windows7-x64

7

022cdd46e1...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28/03/2024, 09:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    022cdd46e12a85a8d03339eba5b19997_JaffaCakes118.exe

  • Size

    463KB

  • MD5

    022cdd46e12a85a8d03339eba5b19997

  • SHA1

    efdd42cddb3acf19f5304e9072cfb5fc7da6d32e

  • SHA256

    c8d543bd6e7932a1ec3dc31da1743ff78878eff55a741d276ef8f3f5bae73575

  • SHA512

    23b9f6c3bff1333939861fa231f5b40652bc15e40f0c04ac6cf89326ce65c579e02842c5f9fdb6117d237c240d446e9e0e93559002c0176ad12ac4a307a5fe69

  • SSDEEP

    6144:47kWcDpi78KSrafqV5areuyFwBqgmGNGXN/O8OCLF1Lkl1QMyBVk/7bgRmg+LAKG:47lc87eqqV5e+wBV6O+K/Cm1Lxgp

Score
7/10
persistence

Malware Config

Signatures

  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of UnmapMainImage
    PID:3388
    • C:\Users\Admin\AppData\Local\Temp\022cdd46e12a85a8d03339eba5b19997_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\022cdd46e12a85a8d03339eba5b19997_JaffaCakes118.exe"
      2⤵
      • Adds Run key to start application
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:1932
      • C:\Users\Admin\AppData\Roaming\dxdiedit\ARPfmon.exe
        "C:\Users\Admin\AppData\Roaming\dxdiedit"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3612
        • C:\Users\Admin\AppData\Local\Temp\~4B41.tmp
          3388 474632 3612 1
          4⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:2408
  • C:\Windows\SysWOW64\back_isv.exe
    C:\Windows\SysWOW64\back_isv.exe -s
    1⤵
    • Executes dropped EXE
    PID:2944

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\~4B41.tmp
    Filesize

    8KB

    MD5

    86dc243576cf5c7445451af37631eea9

    SHA1

    99a81c47c4c02f32c0ab456bfa23c306c7a09bf9

    SHA256

    25d2a671e1b5b5b95697ac0234ce4d46e0d0894919521b54aabebd9daecf994a

    SHA512

    c7310524f9b65f811146c1eb6ae944966351ac88a95fbc1ac422d8810730e5e212a7e28090ad758ea23c96ba38073e7fcf42460575e7f09dbc759a45c5d5a4a4

    Download Submit

  • C:\Users\Admin\AppData\Roaming\dxdiedit\ARPfmon.exe
    Filesize

    463KB

    MD5

    17f4bcd6c7076d89dd0579616456e63d

    SHA1

    63dcabd37ecaa191fc2c0d4fc1d9dff757c08f91

    SHA256

    c0119720567d95c4aacbeace1d36265ba25557a3f5430736d9edc7423e15ed5c

    SHA512

    64e5b30e617ea78a89dbff86a158db9f1507b4f8f6ece7b0f2505bb9ecb603552963ab3cbd60f70fc7404ac9199e62785a2515c7f603f5039ba38b18be06853b

    Download Submit

  • memory/1932-1-0x0000000000700000-0x000000000077C000-memory.dmp

    Filesize

    496KB

    Download

  • memory/1932-0-0x0000000000400000-0x0000000000479000-memory.dmp

    Filesize

    484KB

    Download

  • memory/1932-20-0x0000000000400000-0x0000000000479000-memory.dmp

    Filesize

    484KB

    Download

  • memory/2944-16-0x0000000000400000-0x0000000000479000-memory.dmp

    Filesize

    484KB

    Download

  • memory/3388-23-0x00000000084A0000-0x00000000084A6000-memory.dmp

    Filesize

    24KB

    Download

  • memory/3388-15-0x0000000008330000-0x00000000083B3000-memory.dmp

    Filesize

    524KB

    Download

  • memory/3388-19-0x0000000008330000-0x00000000083B3000-memory.dmp

    Filesize

    524KB

    Download

  • memory/3388-24-0x00000000084B0000-0x00000000084BD000-memory.dmp

    Filesize

    52KB

    Download

  • memory/3612-7-0x0000000000400000-0x0000000000479000-memory.dmp

    Filesize

    484KB

    Download

  • memory/3612-17-0x0000000000630000-0x0000000000635000-memory.dmp

    Filesize

    20KB

    Download

  • memory/3612-12-0x0000000000550000-0x00000000005CC000-memory.dmp

    Filesize

    496KB

    Download