Analysis

  • max time kernel
    120s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
  • submitted
    06/04/2024, 10:30

General

  • Target

    e254e285f1729936cf9e30e1c098271c_JaffaCakes118.exe

  • Size

    88KB

  • MD5

    e254e285f1729936cf9e30e1c098271c

  • SHA1

    653cf3782b7b9129a98c6fbad8cf885fe0bde227

  • SHA256

    79fe90ff4ac1f24d4f0305d1f31adcb2cb276d1b6a6260e547a8e7ec81c104e5

  • SHA512

    1f3c5de3148a3b6b9dbc9fa49fd2591670bc08a18563c59c1cf8361eef65bd5293267d6bd58a6b1b52819f1938af52c74a103eeaa1055117729dae9ad25fcc03

  • SSDEEP

    1536:scNjQlsWjcdiTuXbELbGn82i+beo/47Og:vjr5ELbGnzi+ao/Cf

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e254e285f1729936cf9e30e1c098271c_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\e254e285f1729936cf9e30e1c098271c_JaffaCakes118.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2276
    • C:\Windows\CTS.exe
      "C:\Windows\CTS.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:1144

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Zp7tsdWxXjYlYkJ.exe

    Filesize

    88KB

    MD5

    aff676f2e33413d9380bc0c8a194960e

    SHA1

    8389ddad1098a2a8ca16e3164ea2cd878a682416

    SHA256

    2fb1483dd80195d1e6b4e73eae9da166c1569acabd181030b371d410a495472c

    SHA512

    508db10b9cf91eb24d748197fee26fe46f3b57d1b7a85b2b73a11728466d09a1a4dcebedf0ee4ef2ceded94805b9274abb9f7604159543fa59897921a9f4db2e

  • C:\Windows\CTS.exe

    Filesize

    82KB

    MD5

    796f4df6e89c638054b20b09ba1f28e5

    SHA1

    80e5f4e74a798f180f27f9b3dccb3c7461511d7d

    SHA256

    3293c5e8c2a49b5c7e2ba41c33e49d894137e25b672f19df5100bb9042bda402

    SHA512

    687860ab619a797cf2d459b0b3324bfca2f5c2b5eb92b2114b423326e1d56e872022000b4402687382c66c3ccf7d061a7f4fd0cf9cafcd5417fb6e096d7e1887

  • memory/1144-13-0x0000000000830000-0x0000000000849000-memory.dmp

    Filesize

    100KB

  • memory/2276-0-0x00000000010C0000-0x00000000010D9000-memory.dmp

    Filesize

    100KB

  • memory/2276-12-0x00000000002C0000-0x00000000002D9000-memory.dmp

    Filesize

    100KB

  • memory/2276-9-0x00000000010C0000-0x00000000010D9000-memory.dmp

    Filesize

    100KB

  • memory/2276-8-0x00000000002C0000-0x00000000002D9000-memory.dmp

    Filesize

    100KB