Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

2074ab715f...18.exe

windows7-x64

7

2074ab715f...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    143s
  • max time network
    134s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29/03/2024, 11:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2074ab715fdd1eeb21ebe7af4d7a08a0_JaffaCakes118.exe

  • Size

    8.9MB

  • MD5

    2074ab715fdd1eeb21ebe7af4d7a08a0

  • SHA1

    868968c4653578a9b1e22a77981f2df8421975cc

  • SHA256

    575175e7a4e9f822848f4d0a4486bb01cbd182716aee6dc34d450dcc1a07af09

  • SHA512

    fe9f1b4aedc79cb6697b937ca23a0a55b33a5703dc200dd1eba5e7afe6f917a5fc6fec228a4fc7cdd92b398af7f8649c0c0a66c281e09d1b47b00dbab04b85a2

  • SSDEEP

    196608:8Bazg7DSmBazg7DSm8Bazg7DSmBazg7DSmn:Rg7uDg7uIg7uDg7uA

Score
7/10
persistence

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
    adwarespyware
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2074ab715fdd1eeb21ebe7af4d7a08a0_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\2074ab715fdd1eeb21ebe7af4d7a08a0_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1396
    • C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Windows Update" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe" /f
      2⤵
      • Adds Run key to start application
      • Modifies registry key
      PID:1104
    • C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe
      "C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1796
      • C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe
        "C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:388
    • C:\Users\Admin\AppData\Roaming\Scegli_nome_allegato.exe
      "C:\Users\Admin\AppData\Roaming\Scegli_nome_allegato.exe"
      2⤵
      • Executes dropped EXE
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:2116

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe
    Filesize

    8.9MB

    MD5

    4d8b6bc510429f3a92a43bf0280b4c68

    SHA1

    fc7efc34053a8c868c008198c24ff56c9ed954b1

    SHA256

    3d924cc6e927bcbea8140cb0c1759bb9ed4b7c868f9cfd9f98b2dc60ed310048

    SHA512

    5ad9514926527aff62472ecc8d4035cf54cfc358abab090ef727e59db5b86349327f4174179922b0fe612fba79188777ee86f2e007f141a2749e5823d537a0d4

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Scegli_nome_allegato.exe
    Filesize

    1.0MB

    MD5

    a2f259ceb892d3b0d1d121997c8927e3

    SHA1

    6e0a7239822b8d365d690a314f231286355f6cc6

    SHA256

    ab01a333f38605cbcebd80e0a84ffae2803a9b4f6bebb1e9f773e949a87cb420

    SHA512

    5ae1b60390c94c9e79d3b500a55b775d82556e599963d533170b9f35ad5cfa2df1b7d24de1890acf8e1e2c356830396091d46632dbc6ee43a7d042d4facb5dad

    Download Submit

  • memory/388-34-0x0000000000400000-0x00000000004A6000-memory.dmp

    Filesize

    664KB

    Download

  • memory/388-31-0x0000000000400000-0x00000000004A6000-memory.dmp

    Filesize

    664KB

    Download

  • memory/388-39-0x00000000006A0000-0x00000000006A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/388-35-0x0000000000400000-0x00000000004A6000-memory.dmp

    Filesize

    664KB

    Download

  • memory/388-38-0x0000000000400000-0x00000000004A6000-memory.dmp

    Filesize

    664KB

    Download

  • memory/388-44-0x00000000006A0000-0x00000000006A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/388-41-0x0000000000400000-0x00000000004A6000-memory.dmp

    Filesize

    664KB

    Download

  • memory/1396-24-0x0000000000400000-0x0000000000601000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1396-0-0x0000000000810000-0x0000000000811000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1396-11-0x0000000000400000-0x0000000000601000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1396-1-0x0000000000400000-0x0000000000601000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1796-29-0x0000000000400000-0x0000000000601000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1796-33-0x0000000000400000-0x0000000000601000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1796-12-0x00000000008A0000-0x00000000008A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2116-30-0x0000000000400000-0x00000000004FB000-memory.dmp

    Filesize

    1004KB

    Download

  • memory/2116-37-0x00000000023F0000-0x00000000023F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2116-28-0x0000000002510000-0x0000000002511000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2116-25-0x00000000023F0000-0x00000000023F1000-memory.dmp

    Filesize

    4KB

    Download