Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

f261e49f87...18.exe

windows7-x64

7

f261e49f87...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
  • submitted
    16/04/2024, 01:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f261e49f87f2f676581efccdd9cd1c5b_JaffaCakes118.exe

  • Size

    3.7MB

  • MD5

    f261e49f87f2f676581efccdd9cd1c5b

  • SHA1

    6a56aacca3ec44fcbb9f4b34a89ca0b755c9f37d

  • SHA256

    b5175545eb88c620b852568657049e0f94a58d4cd5bb754009e11f9f896bfc94

  • SHA512

    aa1d8f2dce42cf6a2f03a3ba12d9cb1e18ff7700af43fe05d6a453ef8082e6bc4df3428cf39aa9cc70c16798a5d85dff40360a6608d877bed7ff1944b5775896

  • SSDEEP

    49152:PcW4fRrLu9vsDVZiqapea6+z7YF3pT4F+UV+fZuedCVCEii3a1Z6yXPRUaP7x7B8:PX4RLu90EZpBYlpTusU0CUNyazx14

Score
7/10
discoveryupx

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • UPX packed file 1 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Program Files directory 18 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f261e49f87f2f676581efccdd9cd1c5b_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\f261e49f87f2f676581efccdd9cd1c5b_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2876
    • C:\Users\Admin\AppData\Local\Temp\is-BFF13.tmp\f261e49f87f2f676581efccdd9cd1c5b_JaffaCakes118.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-BFF13.tmp\f261e49f87f2f676581efccdd9cd1c5b_JaffaCakes118.tmp" /SL5="$400E0,3170628,721408,C:\Users\Admin\AppData\Local\Temp\f261e49f87f2f676581efccdd9cd1c5b_JaffaCakes118.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:2600
      • C:\Program Files (x86)\Repellendus\sunt\Qui.exe
        "C:\Program Files (x86)\Repellendus/\sunt\Qui.exe" a0c8de61c5272da0be469b96655f3de5
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        PID:2656

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Program Files (x86)\Repellendus\sunt\Qui.exe
    Filesize

    2.4MB

    MD5

    94baa1c38d52d95ad2e6fbb1610df5d7

    SHA1

    8e8824d062f7f8eb478efb76ba653deaffc3eeb1

    SHA256

    92eeb640e485294b8ad4c6a9aec482233ee2eedb8a70bb0e94d2a4c4b21d2e19

    SHA512

    86fee4378677e8319e7c2506e0767122f5bc2c99ddc1ea09ed0f1df4be1301fdf8733bdd6a27f8ae56f19898030109f67f2fc23f7d8728547371728b2da4e7ae

    Download Submit

  • \Program Files (x86)\Repellendus\sunt\sqlite3.dll
    Filesize

    630KB

    MD5

    e477a96c8f2b18d6b5c27bde49c990bf

    SHA1

    e980c9bf41330d1e5bd04556db4646a0210f7409

    SHA256

    16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660

    SHA512

    335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

    Download Submit

  • \Users\Admin\AppData\Local\Temp\is-BFF13.tmp\f261e49f87f2f676581efccdd9cd1c5b_JaffaCakes118.tmp
    Filesize

    2.4MB

    MD5

    3fddfbaa9d029821152e746edbabf7ce

    SHA1

    703690b3a2377047f6755e9b5274d608791b8062

    SHA256

    787cef456bd60075199c04ac38dd5e65291bd3a930b132538889e4dafb76fa1a

    SHA512

    fd50e763c6523022f1be02a6a690d2a2dec4e9a73c941314b4a810bbd7605d4058c5c49c53dcbdd8fde5e6c4d2c78fcec52b5bca087cbf552bc1ce90819c4903

    Download Submit

  • \Users\Admin\AppData\Local\Temp\is-HR6AP.tmp\_isetup\_iscrypt.dll
    Filesize

    2KB

    MD5

    a69559718ab506675e907fe49deb71e9

    SHA1

    bc8f404ffdb1960b50c12ff9413c893b56f2e36f

    SHA256

    2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

    SHA512

    e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

    Download Submit

  • memory/2600-53-0x0000000000400000-0x0000000000679000-memory.dmp

    Filesize

    2.5MB

    Download

  • memory/2600-8-0x0000000000240000-0x0000000000241000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2600-60-0x0000000000240000-0x0000000000241000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2656-51-0x00000000017A0000-0x00000000017A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2656-50-0x0000000000400000-0x0000000001465000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/2656-54-0x0000000000400000-0x0000000001465000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/2656-55-0x0000000060900000-0x0000000060992000-memory.dmp

    Filesize

    584KB

    Download

  • memory/2656-58-0x0000000000400000-0x0000000001465000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/2656-49-0x0000000000400000-0x0000000001465000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/2656-67-0x0000000000400000-0x0000000001465000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/2876-1-0x0000000000400000-0x00000000004BE000-memory.dmp

    Filesize

    760KB

    Download

  • memory/2876-52-0x0000000000400000-0x00000000004BE000-memory.dmp

    Filesize

    760KB

    Download