Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

e7e5f45c08...18.exe

windows7-x64

7

e7e5f45c08...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08/04/2024, 16:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e7e5f45c08217fa45e040ad30949ef00_JaffaCakes118.exe

  • Size

    796KB

  • MD5

    e7e5f45c08217fa45e040ad30949ef00

  • SHA1

    5af719ba1edabaee93e1df32a6063e8a8bd26b14

  • SHA256

    8176776decc15e74c2c1ce7123fbf09cbabcef9c6f033e6adefffde26d00c61b

  • SHA512

    3d558b7072d8cad6d01ba517f2038cf2c7c4ea851c593f6d362c7addecb1d406dde356e182cf33b54a678f0ddf7e78042160448532f17cc34183c1a48cdb0aaf

  • SSDEEP

    12288:+vOtc+qr3vR/eg9AC3UFrZ6Th/6slwiGawbgGWVPZU:UOFqrp/ZVEFrZ6TR1lSQGWVa

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 24 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 24 IoCs
  • Drops file in System32 directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Control Panel 64 IoCs
    evasion
  • Modifies registry class 48 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e7e5f45c08217fa45e040ad30949ef00_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\e7e5f45c08217fa45e040ad30949ef00_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3904
    • C:\Windows\SysWOW64\e7e5f45c08217fa45e040ad30949ef00_JaffaCakes118.exe
      "C:\Windows\system32\e7e5f45c08217fa45e040ad30949ef00_JaffaCakes118.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2288
      • C:\Windows\SysWOW64\e7e5f45c08217fa45e040ad30949ef00_JaffaCakes118.exe
        "C:\Windows\system32\e7e5f45c08217fa45e040ad30949ef00_JaffaCakes118.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Modifies Control Panel
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:868
        • C:\Windows\SysWOW64\e7e5f45c08217fa45e040ad30949ef00_JaffaCakes118.exe
          "C:\Windows\system32\e7e5f45c08217fa45e040ad30949ef00_JaffaCakes118.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Drops file in System32 directory
          • Drops file in Windows directory
          • Modifies Control Panel
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:740
          • C:\Windows\SysWOW64\e7e5f45c08217fa45e040ad30949ef00_JaffaCakes118.exe
            "C:\Windows\system32\e7e5f45c08217fa45e040ad30949ef00_JaffaCakes118.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Drops file in System32 directory
            • Drops file in Windows directory
            • Modifies Control Panel
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:5064
            • C:\Windows\SysWOW64\e7e5f45c08217fa45e040ad30949ef00_JaffaCakes118.exe
              "C:\Windows\system32\e7e5f45c08217fa45e040ad30949ef00_JaffaCakes118.exe"
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Drops file in System32 directory
              • Drops file in Windows directory
              • Modifies Control Panel
              • Modifies registry class
              • Suspicious use of WriteProcessMemory
              PID:4548
              • C:\Windows\SysWOW64\e7e5f45c08217fa45e040ad30949ef00_JaffaCakes118.exe
                "C:\Windows\system32\e7e5f45c08217fa45e040ad30949ef00_JaffaCakes118.exe"
                7⤵
                • Checks computer location settings
                • Executes dropped EXE
                • Drops file in System32 directory
                • Drops file in Windows directory
                • Modifies registry class
                • Suspicious use of WriteProcessMemory
                PID:4780
                • C:\Windows\SysWOW64\e7e5f45c08217fa45e040ad30949ef00_JaffaCakes118.exe
                  "C:\Windows\system32\e7e5f45c08217fa45e040ad30949ef00_JaffaCakes118.exe"
                  8⤵
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Drops file in System32 directory
                  • Drops file in Windows directory
                  • Modifies Control Panel
                  • Modifies registry class
                  • Suspicious use of WriteProcessMemory
                  PID:2928
                  • C:\Windows\SysWOW64\e7e5f45c08217fa45e040ad30949ef00_JaffaCakes118.exe
                    "C:\Windows\system32\e7e5f45c08217fa45e040ad30949ef00_JaffaCakes118.exe"
                    9⤵
                    • Checks computer location settings
                    • Executes dropped EXE
                    • Drops file in System32 directory
                    • Drops file in Windows directory
                    • Modifies Control Panel
                    • Modifies registry class
                    • Suspicious use of WriteProcessMemory
                    PID:2044
                    • C:\Windows\SysWOW64\e7e5f45c08217fa45e040ad30949ef00_JaffaCakes118.exe
                      "C:\Windows\system32\e7e5f45c08217fa45e040ad30949ef00_JaffaCakes118.exe"
                      10⤵
                      • Checks computer location settings
                      • Executes dropped EXE
                      • Drops file in System32 directory
                      • Drops file in Windows directory
                      • Modifies Control Panel
                      • Modifies registry class
                      • Suspicious use of WriteProcessMemory
                      PID:3916
                      • C:\Windows\SysWOW64\e7e5f45c08217fa45e040ad30949ef00_JaffaCakes118.exe
                        "C:\Windows\system32\e7e5f45c08217fa45e040ad30949ef00_JaffaCakes118.exe"
                        11⤵
                        • Checks computer location settings
                        • Executes dropped EXE
                        • Drops file in System32 directory
                        • Drops file in Windows directory
                        • Modifies Control Panel
                        • Modifies registry class
                        • Suspicious use of WriteProcessMemory
                        PID:2580
                        • C:\Windows\SysWOW64\e7e5f45c08217fa45e040ad30949ef00_JaffaCakes118.exe
                          "C:\Windows\system32\e7e5f45c08217fa45e040ad30949ef00_JaffaCakes118.exe"
                          12⤵
                          • Checks computer location settings
                          • Executes dropped EXE
                          • Drops file in System32 directory
                          • Drops file in Windows directory
                          • Modifies Control Panel
                          • Modifies registry class
                          • Suspicious use of WriteProcessMemory
                          PID:1704
                          • C:\Windows\SysWOW64\e7e5f45c08217fa45e040ad30949ef00_JaffaCakes118.exe
                            "C:\Windows\system32\e7e5f45c08217fa45e040ad30949ef00_JaffaCakes118.exe"
                            13⤵
                            • Checks computer location settings
                            • Executes dropped EXE
                            • Drops file in System32 directory
                            • Drops file in Windows directory
                            • Modifies Control Panel
                            • Modifies registry class
                            • Suspicious use of WriteProcessMemory
                            PID:3220
                            • C:\Windows\SysWOW64\e7e5f45c08217fa45e040ad30949ef00_JaffaCakes118.exe
                              "C:\Windows\system32\e7e5f45c08217fa45e040ad30949ef00_JaffaCakes118.exe"
                              14⤵
                              • Checks computer location settings
                              • Executes dropped EXE
                              • Drops file in System32 directory
                              • Drops file in Windows directory
                              • Modifies Control Panel
                              • Modifies registry class
                              • Suspicious use of WriteProcessMemory
                              PID:3092
                              • C:\Windows\SysWOW64\e7e5f45c08217fa45e040ad30949ef00_JaffaCakes118.exe
                                "C:\Windows\system32\e7e5f45c08217fa45e040ad30949ef00_JaffaCakes118.exe"
                                15⤵
                                • Checks computer location settings
                                • Executes dropped EXE
                                • Drops file in System32 directory
                                • Drops file in Windows directory
                                • Modifies Control Panel
                                • Modifies registry class
                                • Suspicious use of WriteProcessMemory
                                PID:1192
                                • C:\Windows\SysWOW64\e7e5f45c08217fa45e040ad30949ef00_JaffaCakes118.exe
                                  "C:\Windows\system32\e7e5f45c08217fa45e040ad30949ef00_JaffaCakes118.exe"
                                  16⤵
                                  • Checks computer location settings
                                  • Executes dropped EXE
                                  • Drops file in System32 directory
                                  • Drops file in Windows directory
                                  • Modifies Control Panel
                                  • Modifies registry class
                                  • Suspicious use of WriteProcessMemory
                                  PID:3048
                                  • C:\Windows\SysWOW64\e7e5f45c08217fa45e040ad30949ef00_JaffaCakes118.exe
                                    "C:\Windows\system32\e7e5f45c08217fa45e040ad30949ef00_JaffaCakes118.exe"
                                    17⤵
                                    • Checks computer location settings
                                    • Executes dropped EXE
                                    • Drops file in System32 directory
                                    • Drops file in Windows directory
                                    • Modifies Control Panel
                                    • Modifies registry class
                                    • Suspicious use of WriteProcessMemory
                                    PID:1680
                                    • C:\Windows\SysWOW64\e7e5f45c08217fa45e040ad30949ef00_JaffaCakes118.exe
                                      "C:\Windows\system32\e7e5f45c08217fa45e040ad30949ef00_JaffaCakes118.exe"
                                      18⤵
                                      • Checks computer location settings
                                      • Executes dropped EXE
                                      • Drops file in System32 directory
                                      • Drops file in Windows directory
                                      • Modifies Control Panel
                                      • Modifies registry class
                                      • Suspicious use of WriteProcessMemory
                                      PID:5064
                                      • C:\Windows\SysWOW64\e7e5f45c08217fa45e040ad30949ef00_JaffaCakes118.exe
                                        "C:\Windows\system32\e7e5f45c08217fa45e040ad30949ef00_JaffaCakes118.exe"
                                        19⤵
                                        • Checks computer location settings
                                        • Executes dropped EXE
                                        • Drops file in System32 directory
                                        • Drops file in Windows directory
                                        • Modifies Control Panel
                                        • Modifies registry class
                                        • Suspicious use of WriteProcessMemory
                                        PID:636
                                        • C:\Windows\SysWOW64\e7e5f45c08217fa45e040ad30949ef00_JaffaCakes118.exe
                                          "C:\Windows\system32\e7e5f45c08217fa45e040ad30949ef00_JaffaCakes118.exe"
                                          20⤵
                                          • Checks computer location settings
                                          • Executes dropped EXE
                                          • Drops file in System32 directory
                                          • Drops file in Windows directory
                                          • Modifies Control Panel
                                          • Modifies registry class
                                          • Suspicious use of WriteProcessMemory
                                          PID:4464
                                          • C:\Windows\SysWOW64\e7e5f45c08217fa45e040ad30949ef00_JaffaCakes118.exe
                                            "C:\Windows\system32\e7e5f45c08217fa45e040ad30949ef00_JaffaCakes118.exe"
                                            21⤵
                                            • Checks computer location settings
                                            • Executes dropped EXE
                                            • Drops file in System32 directory
                                            • Drops file in Windows directory
                                            • Modifies Control Panel
                                            • Modifies registry class
                                            • Suspicious use of WriteProcessMemory
                                            PID:4472
                                            • C:\Windows\SysWOW64\e7e5f45c08217fa45e040ad30949ef00_JaffaCakes118.exe
                                              "C:\Windows\system32\e7e5f45c08217fa45e040ad30949ef00_JaffaCakes118.exe"
                                              22⤵
                                              • Checks computer location settings
                                              • Executes dropped EXE
                                              • Drops file in System32 directory
                                              • Drops file in Windows directory
                                              • Modifies Control Panel
                                              • Modifies registry class
                                              • Suspicious use of WriteProcessMemory
                                              PID:3860
                                              • C:\Windows\SysWOW64\e7e5f45c08217fa45e040ad30949ef00_JaffaCakes118.exe
                                                "C:\Windows\system32\e7e5f45c08217fa45e040ad30949ef00_JaffaCakes118.exe"
                                                23⤵
                                                • Checks computer location settings
                                                • Executes dropped EXE
                                                • Drops file in System32 directory
                                                • Drops file in Windows directory
                                                • Modifies Control Panel
                                                • Modifies registry class
                                                PID:4044
                                                • C:\Windows\SysWOW64\e7e5f45c08217fa45e040ad30949ef00_JaffaCakes118.exe
                                                  "C:\Windows\system32\e7e5f45c08217fa45e040ad30949ef00_JaffaCakes118.exe"
                                                  24⤵
                                                  • Checks computer location settings
                                                  • Executes dropped EXE
                                                  • Drops file in System32 directory
                                                  • Drops file in Windows directory
                                                  • Modifies Control Panel
                                                  • Modifies registry class
                                                  PID:5032
                                                  • C:\Windows\SysWOW64\e7e5f45c08217fa45e040ad30949ef00_JaffaCakes118.exe
                                                    "C:\Windows\system32\e7e5f45c08217fa45e040ad30949ef00_JaffaCakes118.exe"
                                                    25⤵
                                                    • Executes dropped EXE
                                                    • Drops file in System32 directory
                                                    • Drops file in Windows directory
                                                    • Modifies Control Panel
                                                    PID:2448

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\IsUn0804.exe
    Filesize

    796KB

    MD5

    ab60aa7958d83917500150668087ed5b

    SHA1

    6884f87da09b76c5060bcd08915c62fcd35b4f0c

    SHA256

    f45f18837d9dce299d9523fb3b7445736adb36a360b4f6b2e6f5e3b40be44ca0

    SHA512

    3e50dc40bbd34c19c106a1ccc207d4b96285857e4c5df0bc667e56c7cb898d441d19c82574acba7ef54e48a4e9e87c28fd3f908efe6bd46229116a6bd5711f2d

    Download Submit

  • C:\Windows\SysWOW64\e7e5f45c08217fa45e040ad30949ef00_JaffaCakes118.exe
    Filesize

    796KB

    MD5

    e7e5f45c08217fa45e040ad30949ef00

    SHA1

    5af719ba1edabaee93e1df32a6063e8a8bd26b14

    SHA256

    8176776decc15e74c2c1ce7123fbf09cbabcef9c6f033e6adefffde26d00c61b

    SHA512

    3d558b7072d8cad6d01ba517f2038cf2c7c4ea851c593f6d362c7addecb1d406dde356e182cf33b54a678f0ddf7e78042160448532f17cc34183c1a48cdb0aaf

    Download Submit

  • memory/636-167-0x00000000009C0000-0x00000000009C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/636-172-0x0000000000400000-0x00000000004DD000-memory.dmp

    Filesize

    884KB

    Download

  • memory/740-31-0x0000000000400000-0x00000000004DD000-memory.dmp

    Filesize

    884KB

    Download

  • memory/740-33-0x00000000008B0000-0x00000000008B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/740-43-0x0000000000400000-0x00000000004DD000-memory.dmp

    Filesize

    884KB

    Download

  • memory/868-23-0x0000000002370000-0x0000000002371000-memory.dmp

    Filesize

    4KB

    Download

  • memory/868-32-0x0000000000400000-0x00000000004DD000-memory.dmp

    Filesize

    884KB

    Download

  • memory/1192-134-0x00000000006C0000-0x00000000006C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1192-144-0x0000000000400000-0x00000000004DD000-memory.dmp

    Filesize

    884KB

    Download

  • memory/1680-161-0x0000000000400000-0x00000000004DD000-memory.dmp

    Filesize

    884KB

    Download

  • memory/1680-153-0x0000000002170000-0x0000000002171000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1704-116-0x0000000000400000-0x00000000004DD000-memory.dmp

    Filesize

    884KB

    Download

  • memory/1704-107-0x00000000009B0000-0x00000000009B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2044-89-0x0000000000400000-0x00000000004DD000-memory.dmp

    Filesize

    884KB

    Download

  • memory/2044-79-0x0000000000400000-0x00000000004DD000-memory.dmp

    Filesize

    884KB

    Download

  • memory/2044-81-0x00000000008C0000-0x00000000008C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2288-22-0x0000000000400000-0x00000000004DD000-memory.dmp

    Filesize

    884KB

    Download

  • memory/2288-14-0x00000000006A0000-0x00000000006A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2448-200-0x00000000007C0000-0x00000000007C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2448-199-0x0000000000400000-0x00000000004DD000-memory.dmp

    Filesize

    884KB

    Download

  • memory/2580-108-0x0000000000400000-0x00000000004DD000-memory.dmp

    Filesize

    884KB

    Download

  • memory/2580-99-0x00000000009C0000-0x00000000009C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2928-71-0x00000000006C0000-0x00000000006C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2928-80-0x0000000000400000-0x00000000004DD000-memory.dmp

    Filesize

    884KB

    Download

  • memory/3048-154-0x0000000000400000-0x00000000004DD000-memory.dmp

    Filesize

    884KB

    Download

  • memory/3048-145-0x0000000000570000-0x0000000000571000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3048-143-0x0000000000400000-0x00000000004DD000-memory.dmp

    Filesize

    884KB

    Download

  • memory/3092-126-0x0000000000570000-0x0000000000571000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3092-135-0x0000000000400000-0x00000000004DD000-memory.dmp

    Filesize

    884KB

    Download

  • memory/3220-117-0x0000000000400000-0x00000000004DD000-memory.dmp

    Filesize

    884KB

    Download

  • memory/3220-125-0x0000000000400000-0x00000000004DD000-memory.dmp

    Filesize

    884KB

    Download

  • memory/3860-183-0x00000000008B0000-0x00000000008B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3860-188-0x0000000000400000-0x00000000004DD000-memory.dmp

    Filesize

    884KB

    Download

  • memory/3860-182-0x0000000000400000-0x00000000004DD000-memory.dmp

    Filesize

    884KB

    Download

  • memory/3904-1-0x00000000006F0000-0x00000000006F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3904-0-0x0000000000400000-0x00000000004DD000-memory.dmp

    Filesize

    884KB

    Download

  • memory/3904-13-0x0000000000400000-0x00000000004DD000-memory.dmp

    Filesize

    884KB

    Download

  • memory/3916-90-0x00000000009C0000-0x00000000009C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3916-98-0x0000000000400000-0x00000000004DD000-memory.dmp

    Filesize

    884KB

    Download

  • memory/4044-192-0x0000000000400000-0x00000000004DD000-memory.dmp

    Filesize

    884KB

    Download

  • memory/4044-187-0x0000000002360000-0x0000000002361000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4464-176-0x0000000000400000-0x00000000004DD000-memory.dmp

    Filesize

    884KB

    Download

  • memory/4464-171-0x00000000007C0000-0x00000000007C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4472-177-0x00000000007A0000-0x00000000007A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4472-181-0x0000000000400000-0x00000000004DD000-memory.dmp

    Filesize

    884KB

    Download

  • memory/4548-53-0x0000000000680000-0x0000000000681000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4548-52-0x0000000000400000-0x00000000004DD000-memory.dmp

    Filesize

    884KB

    Download

  • memory/4548-62-0x0000000000400000-0x00000000004DD000-memory.dmp

    Filesize

    884KB

    Download

  • memory/4780-70-0x0000000000400000-0x00000000004DD000-memory.dmp

    Filesize

    884KB

    Download

  • memory/4780-61-0x00000000009B0000-0x00000000009B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/5032-198-0x0000000000400000-0x00000000004DD000-memory.dmp

    Filesize

    884KB

    Download

  • memory/5032-193-0x0000000000400000-0x00000000004DD000-memory.dmp

    Filesize

    884KB

    Download

  • memory/5032-194-0x0000000002270000-0x0000000002271000-memory.dmp

    Filesize

    4KB

    Download

  • memory/5064-51-0x0000000000400000-0x00000000004DD000-memory.dmp

    Filesize

    884KB

    Download

  • memory/5064-41-0x0000000000400000-0x00000000004DD000-memory.dmp

    Filesize

    884KB

    Download

  • memory/5064-162-0x0000000000AB0000-0x0000000000AB1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/5064-160-0x0000000000400000-0x00000000004DD000-memory.dmp

    Filesize

    884KB

    Download

  • memory/5064-166-0x0000000000400000-0x00000000004DD000-memory.dmp

    Filesize

    884KB

    Download

  • memory/5064-42-0x00000000006B0000-0x00000000006B1000-memory.dmp

    Filesize

    4KB

    Download