Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

3

fbe353546e...18.exe

windows7-x64

8

fbe353546e...18.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20/04/2024, 04:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fbe353546e6e4500b13204985f674417_JaffaCakes118.exe

  • Size

    994KB

  • MD5

    fbe353546e6e4500b13204985f674417

  • SHA1

    9b18b4cef1013c4a75792f4ea8d06b7bb752c290

  • SHA256

    5da53f51769b8ec07bedd2938871448487f209c80e63a11b30db409a1829ccc1

  • SHA512

    d3db489225b6ecb39d93aeae7b40fd83d95d28d4f13c972b04d34dfa6abb05112114c90f3b9d1498388cf2bf56dd1f595a57317c4618a8076a1fe068fdb340d8

  • SSDEEP

    12288:EHj4044T3b+mO2+sPQ3GWWJoOEqxEH2w2rnF8TN4Ho2I1D/+KH6R1/VxZaZBNjyy:M809T3/ixHWG72y2rnF8TKI2kMdxELNp

Score
8/10

Malware Config

Signatures

  • Drops file in Drivers directory 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\fbe353546e6e4500b13204985f674417_JaffaCakes118.exe"
    1⤵
    • Drops file in Drivers directory
    • Checks computer location settings
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1852
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_lm_delself_.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4192
      • C:\Windows\SysWOW64\PING.EXE
        C:\Windows\system32\ping.exe 127.0.0.1 -n 2
        3⤵
        • Runs ping.exe
        PID:3272

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_lm_delself_.bat
    Filesize

    146B

    MD5

    f8bf2cff95a98e4c9c9c4f3b4b60f58c

    SHA1

    cd06c7b3415ca56a6e2a937555655502d2ff1308

    SHA256

    3d53cfb03d4aea581bda9c632a509039862d22ad2a9173d10ee8aea0b8b70920

    SHA512

    cdcd7d6024cd125bc9969df3d5d7992618080db2ea07d84b795c1377943d7c9776ffd9be83ac58303768514d043a0c0379730713306d27ed4524424d2d0dc0a0

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\~tmp_hl\mslmedia.sys
    Filesize

    22KB

    MD5

    9a78e22cc4623898b5b8908c40988529

    SHA1

    6f84342817c26d97cd9eb416ebea2f83509546cd

    SHA256

    9a0e4e71448129e9f1585649ff76d317553a10723abab7216f6bea4a413db82a

    SHA512

    88c3899adaf1d7e24dce564803141a9aa05035e29e238f47722d9233e6f352d5583b8d80fba471e842145246b9940bf37b9db06436ecf1a3f164b13b62b9373b

    Download Submit

  • memory/1852-21-0x0000000000380000-0x00000000003DB000-memory.dmp

    Filesize

    364KB

    Download