Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

2bf4210c87...18.exe

windows7-x64

7

2bf4210c87...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    93s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/05/2024, 22:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2bf4210c873ad7653dceda1869d5ce87_JaffaCakes118.exe

  • Size

    3.7MB

  • MD5

    2bf4210c873ad7653dceda1869d5ce87

  • SHA1

    7561500f8cb88f9214c8de9d05bcdaf3f5457388

  • SHA256

    3e27d1888ca10f3de6e459f4e5a5b4773c1b8423920e5c3801a26f04af62f4c5

  • SHA512

    55bcf89618dc2b7aadfd29f77d94679c2adc8fd7ee3ca96f4f83f5f84f7f479305c763329c790710bc30ecfb4c9632c42afa35a880ba163422bc6189ad7d6a95

  • SSDEEP

    49152:aoDkYOHQCoDkYOglEDkYOMwwnMb4PmyVI/4MnYYJ2ZhqSGLHkJEMPZqhaK6zbfqa:QYOrYOglpYOXwnS4rVpIDQPxj

Score
7/10
persistence

Malware Config

Signatures

  • Executes dropped EXE 8 IoCs
  • Adds Run key to start application 2 TTPs 9 IoCs
    persistence
  • Drops file in Program Files directory 64 IoCs
  • NTFS ADS 9 IoCs
  • Suspicious use of SetWindowsHookEx 9 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2bf4210c873ad7653dceda1869d5ce87_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\2bf4210c873ad7653dceda1869d5ce87_JaffaCakes118.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Program Files directory
    • NTFS ADS
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1176
    • C:\Users\Admin\AppData\Local\Temp\729.#.exe
      C:\Users\Admin\AppData\Local\Temp\729.#.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Program Files directory
      • NTFS ADS
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1768
      • C:\Users\Admin\AppData\Local\Temp\856.#.exe
        C:\Users\Admin\AppData\Local\Temp\856.#.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Drops file in Program Files directory
        • NTFS ADS
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2308
        • C:\Users\Admin\AppData\Local\Temp\546.#.exe
          C:\Users\Admin\AppData\Local\Temp\546.#.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • NTFS ADS
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4300
          • C:\Users\Admin\AppData\Local\Temp\477.#.exe
            C:\Users\Admin\AppData\Local\Temp\477.#.exe
            5⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in Program Files directory
            • NTFS ADS
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:760
            • C:\Users\Admin\AppData\Local\Temp\515.#.exe
              C:\Users\Admin\AppData\Local\Temp\515.#.exe
              6⤵
              • Executes dropped EXE
              • Adds Run key to start application
              • Drops file in Program Files directory
              • NTFS ADS
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:4392
              • C:\Users\Admin\AppData\Local\Temp\816.#.exe
                C:\Users\Admin\AppData\Local\Temp\816.#.exe
                7⤵
                • Executes dropped EXE
                • Adds Run key to start application
                • Drops file in Program Files directory
                • NTFS ADS
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                PID:820
                • C:\Users\Admin\AppData\Local\Temp\170.#.exe
                  C:\Users\Admin\AppData\Local\Temp\170.#.exe
                  8⤵
                  • Executes dropped EXE
                  • Adds Run key to start application
                  • NTFS ADS
                  • Suspicious use of SetWindowsHookEx
                  • Suspicious use of WriteProcessMemory
                  PID:4408
                  • C:\Users\Admin\AppData\Local\Temp\830.#.exe
                    C:\Users\Admin\AppData\Local\Temp\830.#.exe
                    9⤵
                    • Executes dropped EXE
                    • Adds Run key to start application
                    • NTFS ADS
                    • Suspicious use of SetWindowsHookEx
                    PID:4476
                    • C:\Users\Admin\AppData\Local\Temp\742.#.exe
                      C:\Users\Admin\AppData\Local\Temp\742.#.exe
                      10⤵
                        PID:1960
                        • C:\Users\Admin\AppData\Local\Temp\788.#.exe
                          C:\Users\Admin\AppData\Local\Temp\788.#.exe
                          11⤵
                            PID:3984
                            • C:\Users\Admin\AppData\Local\Temp\967.#.exe
                              C:\Users\Admin\AppData\Local\Temp\967.#.exe
                              12⤵
                                PID:2988
                                • C:\Users\Admin\AppData\Local\Temp\695.#.exe
                                  C:\Users\Admin\AppData\Local\Temp\695.#.exe
                                  13⤵
                                    PID:4836

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe$
            Filesize

            3.8MB

            MD5

            c050247a072de68f1bc256899a180ef6

            SHA1

            6f34d1a6ee8d84177e6772b4329bd5e81a9f2341

            SHA256

            07d29f927537266381ff1310b5c984224acf3d790abc8ab8bd872f0a1e56a0c3

            SHA512

            8d73db9b566e082aa5828c95760263e775b4aadca44f9c60f556c6f9d4918f3ad0b1d097230e490a0145ffd382aa4c637092da3b92229ea5059e8603a6509855

            Download Submit

          • C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe$
            Filesize

            3.7MB

            MD5

            1ba0544526cbd31fd5f347b60bf72697

            SHA1

            3b70979fb02c42528825da3d77e2f6fbe0b5ed41

            SHA256

            94393047bca870dbbea7a45253056ae51d5a8ab4aa7be2a90639afd664fc9fcd

            SHA512

            0ab9ff4038a5bcd5a119067321177db5cc8c7642fe18dc3685d839043a409e9dc58e78f94851940a47ae495af571193ecc9c5762b561f27b20516d4fd98216e8

            Download Submit

          • C:\Program Files\Java\jre-1.8\bin\java-rmi.exe
            Filesize

            3.7MB

            MD5

            3c6b5b36053b0cd463325b5a8d4137c8

            SHA1

            fb02ab4644b55c33e5e2399da1d82a3fe5b86a30

            SHA256

            08e3cb099e1a36b92b2d6f27f3df01d218f4de9411d931739d4f114e18546c23

            SHA512

            d28009a6918a2c751bb007d4001724344a559a365d16bfc28aa586690c0a1c4f9b6cbb25d89792bbf1234c26b87a4ea7d37471dd95d2f2fc7955547dd3dffe2a

            Download Submit

          • C:\Program Files\Java\jre-1.8\bin\java-rmi.exe
            Filesize

            3.8MB

            MD5

            dde3cf5bd728bbff226affd29c0ed7f6

            SHA1

            164eb2a28aa1b262c94f0872a3267b2ed65f6ea5

            SHA256

            f8c14fa858385840195c2b709e2f900dc69fdce81240d42b644f14d0acabad92

            SHA512

            b05a607886673f1ca268365c51040abcc2a86821f0cc46ad8f82a944a14eb7273a938bf4e6caa37081bd27b053e88b147ef16dc1096a70b6a08ad588fe9ac124

            Download Submit

          • C:\Program Files\Java\jre-1.8\bin\rmid.exe$
            Filesize

            3.7MB

            MD5

            de1983128c1c1205f1014b5939debf17

            SHA1

            192d301415161995457e60436c24effb3729e469

            SHA256

            9c6163448db1ebdd47ffe08ae244c938e9ed2a40fc168de17bd8455f0b205407

            SHA512

            5a2bb22d773d9ec39a00e2e54bf6283c934265a63b8c7398b3b0a1b489530c43222c40784a57afc4e98bf7fe5101958f19a3c5ee878116fb70565db53e79dc99

            Download Submit

          • C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe$
            Filesize

            4.2MB

            MD5

            a348c71338cd6a3beaf947a02a71e597

            SHA1

            603e6e4a3fe57d1a01488d8f943397b83e4e0780

            SHA256

            678d652b267ee33dbd170ee8914fb82ab60642024f94789dee961edc078e891b

            SHA512

            e7e26156686751d03067e54543b19e770c08e9a7e2a6bdea156102c6e4eb5092725e6636dbaa09a5fe14e86bf8569f9ffcd0e57c8da22fac65b6a639cd903367

            Download Submit

          • C:\Program Files\Microsoft Office\root\Office16\misc.exe$
            Filesize

            4.1MB

            MD5

            ed0a48d26c5e7c5446dd5dd6a06d6b4d

            SHA1

            962caddee3b0e1d033b84f844a01e8f6d35f14b3

            SHA256

            1762c193f96845ad9893e789c275d21fa8827134a18ea9efbdefbde77f3b6f59

            SHA512

            465f5c9993cf7a7724968e6f6776aa1dbb68181be56ca5c8f9d4656b26ae7fce804ce977db2b0944dd901bd8bb8dd89656b65ee06f01d8ca2011ece0f2d8f8e9

            Download Submit

          • C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.ShowHelp.exe$
            Filesize

            3.7MB

            MD5

            6770255c534c505cc846cf457392fdce

            SHA1

            45d23fb477996a1ca09fe3ab1b24918618d29e6a

            SHA256

            430b395bf84264d5c825118173bae7ca535dd95d824f677ef9d8bb9cb8cb24d3

            SHA512

            bf984c6a2b358a920a075a58eecd4f23f9e0cd61d976194a6877572aa89fc4b1cb70cfbfafa37ca43baf5ce2c79b74359f56733bb5151749bf5629fbc4603144

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\729.#.exe
            Filesize

            3.7MB

            MD5

            2bf4210c873ad7653dceda1869d5ce87

            SHA1

            7561500f8cb88f9214c8de9d05bcdaf3f5457388

            SHA256

            3e27d1888ca10f3de6e459f4e5a5b4773c1b8423920e5c3801a26f04af62f4c5

            SHA512

            55bcf89618dc2b7aadfd29f77d94679c2adc8fd7ee3ca96f4f83f5f84f7f479305c763329c790710bc30ecfb4c9632c42afa35a880ba163422bc6189ad7d6a95

            Download Submit