Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

fbc04b72d2...18.exe

windows7-x64

10

fbc04b72d2...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
  • submitted
    20/04/2024, 02:42 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fbc04b72d274ae7cfd3cd69aadf389cf_JaffaCakes118.exe

  • Size

    196KB

  • MD5

    fbc04b72d274ae7cfd3cd69aadf389cf

  • SHA1

    38f3109a6e1cb16e17b803a729a0d8f5e3e85ca3

  • SHA256

    e3cbf30449ff668ab7c9cbef820512132d25c44d8924108fae8c6b1cedc28349

  • SHA512

    c69a397d554c7f3f59070bf7c4379f75f8ca0d56c3a23d7bcd71b56e46f7ce59c28b76a55f0703c418f2a71c688032b8f8c58af5448af640dbe4167a334216d7

  • SSDEEP

    6144:/WvnELXCb1CcReqYJqOaihDI/5Yz43qA0gA3Zgfx9c1dLJYkAeRBVF48tju1f8Lr:/knEuGhI/5Yz43qA0gA3Zgfx9c1dLJYU

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 52 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fbc04b72d274ae7cfd3cd69aadf389cf_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\fbc04b72d274ae7cfd3cd69aadf389cf_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2416
    • C:\Users\Admin\meedea.exe
      "C:\Users\Admin\meedea.exe"
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:1300

Network

  • flag-us
    DNS
    ns1.player1532.com
    fbc04b72d274ae7cfd3cd69aadf389cf_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    ns1.player1532.com
    IN A
    Response
    ns1.player1532.com
    IN A
    107.178.223.183
    ns1.player1532.com
    IN A
    104.155.138.21
  • flag-us
    DNS
    ns1.player1532.com
    fbc04b72d274ae7cfd3cd69aadf389cf_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    ns1.player1532.com
    IN A
  • 107.178.223.183:8000
    ns1.player1532.com
    fbc04b72d274ae7cfd3cd69aadf389cf_JaffaCakes118.exe
    152 B
     3
  • 8.8.8.8:53
    ns1.player1532.com
    dns
    fbc04b72d274ae7cfd3cd69aadf389cf_JaffaCakes118.exe
    128 B
     96 B
     2
    1

    DNS Request

    ns1.player1532.com

    DNS Request

    ns1.player1532.com

    DNS Response

    107.178.223.183
    104.155.138.21

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\meedea.exe
    Filesize

    196KB

    MD5

    c989e4fbe437c07b84e69bd557acce03

    SHA1

    97a414a13d0835fdbf8197c0ad13f260385339f8

    SHA256

    ed8d7ec177f5da9c2f737e1f0513041ae77bdfa81c27845b4c80eafe45ba00ae

    SHA512

    373b06f54de0a9f1626e56bfb0f605f2d22558fe716b9dc364b823474370543b08abb20ded552dcf16520595f36568c09fa79f6ce0a5f03f71acf7c11b2fb4bc

    Download Submit

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.