Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

e96a9dbcc0...18.exe

windows7-x64

10

e96a9dbcc0...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    146s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/04/2024, 07:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e96a9dbcc089237f78ec8c2fb417cd43_JaffaCakes118.exe

  • Size

    336KB

  • MD5

    e96a9dbcc089237f78ec8c2fb417cd43

  • SHA1

    3bd4a49dc3efe6a3ad06e67a8dc4bae8a8a8b6c4

  • SHA256

    c06acd7f6f4c44fc52d9f07b430079e12dc1b857c346818f0bd2064774d8df7b

  • SHA512

    386fc40141d7a8e4295b1c00959eacb6414c3d450ec02bae6449bc3183dc5d9212098471d8023e2101ecba82595811273e98cd1a0128479511adac3a7936c1aa

  • SSDEEP

    6144:208bRhsVZdfF8oVnzhstpwQvK+w8B0aRGJi4oAle0esKPUN4b8j7xyUg5JVcS:2B4V/fFbUpwTn8GJi4cxUN4b8jkUg5Jm

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of UnmapMainImage
    PID:3536
    • C:\Users\Admin\AppData\Local\Temp\e96a9dbcc089237f78ec8c2fb417cd43_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\e96a9dbcc089237f78ec8c2fb417cd43_JaffaCakes118.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:456
      • C:\Users\Admin\AppData\Local\32698158\X
        193.105.154.210:80
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2312
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe"
        3⤵
        • Deletes itself
        PID:4184

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\32698158\X
    Filesize

    41KB

    MD5

    686b479b0ee164cf1744a8be359ebb7d

    SHA1

    8615e8f967276a85110b198d575982a958581a07

    SHA256

    fcfbb4c648649f4825b66504b261f912227ba32cbaabcadf4689020a83fb201b

    SHA512

    7ed8022e2b09f232150b77fc3a25269365b624f19f0b50c46a4fdf744eeb23294c09c051452c4c9dbb34a274f1a0bfc54b3ff1987ec16ae2e54848e22a97ed64

    Download Submit

  • memory/456-2-0x00000000000C0000-0x00000000001C0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/456-1-0x0000000000400000-0x00000000004623D8-memory.dmp

    Filesize

    392KB

    Download

  • memory/456-9-0x0000000000400000-0x00000000004623D8-memory.dmp

    Filesize

    392KB

    Download

  • memory/456-11-0x0000000000400000-0x00000000004623D8-memory.dmp

    Filesize

    392KB

    Download

  • memory/3536-8-0x0000000000760000-0x0000000000768000-memory.dmp

    Filesize

    32KB

    Download