Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

f3d1bb1b55...18.exe

windows7-x64

7

f3d1bb1b55...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    91s
  • max time network
    113s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16/04/2024, 15:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f3d1bb1b55971c3647bc279bd561161a_JaffaCakes118.exe

  • Size

    34KB

  • MD5

    f3d1bb1b55971c3647bc279bd561161a

  • SHA1

    ed0d7508c88bd25d14fea9fa218b5d765d89891f

  • SHA256

    e3a4bd2bec9ab0ac245996a22783c32f921e9688b5f216d6996188d9103c0fd4

  • SHA512

    b520dd6b892705fee49b4304c19b0d87e1434d614953f74cc4b92ca8fd27d4dedb7985b8362c8823b7f375f545358f6df15b04188fb58b560c18cf64c9ec61dd

  • SSDEEP

    768:WdjrSskr3yKptT12XgeVtvEKJiGbKCp/5IHnELNl1j3DojRHcZW:CfSsc3yKp2XgeHEWiW//GHnMl5DojRx

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 29 IoCs
    adwarespyware
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f3d1bb1b55971c3647bc279bd561161a_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\f3d1bb1b55971c3647bc279bd561161a_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:732
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c start iexplore -embedding
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:5048
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -embedding
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:948
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:948 CREDAT:17410 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:4760
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\gos6699.bat"
      2⤵
        PID:4196
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f3d1bb1b55971c3647bc279bd561161a_JaffaCakes118.bat"
        2⤵
          PID:2788

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\UM8YFV59\suggestions[1].en-US
        Filesize

        17KB

        MD5

        5a34cb996293fde2cb7a4ac89587393a

        SHA1

        3c96c993500690d1a77873cd62bc639b3a10653f

        SHA256

        c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

        SHA512

        e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\f3d1bb1b55971c3647bc279bd561161a_JaffaCakes118.bat
        Filesize

        307B

        MD5

        0fd4d534966c67300e09973b1bb6d52d

        SHA1

        3ef46ed3d77d748931e7ba89dfa99d4f21a957ea

        SHA256

        47627d7af0a1ee8cc137dbe1212fe1cc15258ac761c16530adc9e92b953631b7

        SHA512

        493ead11627bf5a7e81ebc62436427e5fcfb2b1ab0efc7a5e7b34a26902093a99ad5d4ba017130614ff6f40b3755a7b739aa376b97242c7bed455840124b3f03

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\gos6699.bat
        Filesize

        190B

        MD5

        7d9dbee7ea418a95db407eb148ffffd0

        SHA1

        9eb510aff6dcd0a5c92303a734469f9ad4633f5b

        SHA256

        8f96d74778029e9ce95d634b99f001d142d70200fd5227ff4908f4c2658e5db0

        SHA512

        c203abae8604e1768e05ae11de7382d39f60ae0bd6b3de1de7cd741be56a78b061794696fbb4c304103479c8ea7cd5d79c7054258f75637ce95aa5f9b59183ee

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\gos6699.tmp
        Filesize

        24KB

        MD5

        5ecce9af16e14becfeb560dd03644b75

        SHA1

        71226ccdc066672c643a255ab45b52f5661a1dd7

        SHA256

        5b5ae28ae7623e3a1800f3488354b706d16981b8f772ccec4b92fa4edfe4e748

        SHA512

        c6e8d93b6060b5d9e0ba1842e937c8ac61d5f5390cf87db464ca3602106d590789c1fa1170cafc67d4a1451dcee4808271a2006bc412af6d3fd6609c5d4b1fbe

        Download Submit

      • memory/732-0-0x0000000000400000-0x000000000040E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/732-1-0x00000000001C0000-0x00000000001C5000-memory.dmp

        Filesize

        20KB

        Download

      • memory/732-7-0x0000000010000000-0x0000000010012000-memory.dmp

        Filesize

        72KB

        Download

      • memory/732-8-0x00000000024C0000-0x00000000024C5000-memory.dmp

        Filesize

        20KB

        Download

      • memory/732-17-0x0000000000400000-0x000000000040E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/732-18-0x0000000010000000-0x0000000010012000-memory.dmp

        Filesize

        72KB

        Download

      • memory/732-19-0x00000000001C0000-0x00000000001C5000-memory.dmp

        Filesize

        20KB

        Download