Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

3d677c956b...18.exe

windows7-x64

7

3d677c956b...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    143s
  • max time network
    105s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14/05/2024, 01:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3d677c956bc9a9ede80e38134af20a5c_JaffaCakes118.exe

  • Size

    2.3MB

  • MD5

    3d677c956bc9a9ede80e38134af20a5c

  • SHA1

    3cc9ba461899bb8999fb1c5d81ef2eca1fe86959

  • SHA256

    0e3418bcbeb7b18e25a5a0733cab85dbfbf9019bae3394112e41051a192f2b13

  • SHA512

    e3612be1357832eb161e385e68e244cc11d664bac880ad026271a774436a55f8d30361c7204297d3bf487a0c96b84ab239ea9f2dfe45254bf5cf8f9ee40dea08

  • SSDEEP

    49152:v3P2Qlh/HpHzjQi4lSovRkpk3Im4zMoYeOLM9LyaBr1ccP7rENxefMN:v/3lhpTgFGpMImmYK9zKAc0MN

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3d677c956bc9a9ede80e38134af20a5c_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\3d677c956bc9a9ede80e38134af20a5c_JaffaCakes118.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2724
    • C:\Users\Admin\AppData\Local\Temp\567C.tmp
      "C:\Users\Admin\AppData\Local\Temp\567C.tmp" --pingC:\Users\Admin\AppData\Local\Temp\3d677c956bc9a9ede80e38134af20a5c_JaffaCakes118.exe BAC36161A4282D2CC0A7BCED75C80B963028BF3ADF955E6F97E6D19B148010CDB52F68A263FDE3428D6DA1C19A499E15FFD77D7C4698B2AC21AC3A6F14C397F2
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:2008
      • C:\Users\Admin\AppData\Local\Temp\3d677c956bc9a9ede80e38134af20a5c_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\3d677c956bc9a9ede80e38134af20a5c_JaffaCakes118.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:4536

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\3d677c956bc9a9ede80e38134af20a5c_JaffaCakes118.exe
    Filesize

    1.1MB

    MD5

    cd75d3e263ff0d1d13aad24cdb9f2593

    SHA1

    cbcf46c2524176ce03cbfdb69017788282e495a5

    SHA256

    ccac4ef83f1484c207be895e40037f23138d911c1ec537ffd6577ef789c974c4

    SHA512

    16c489e2a2337bb7d23b5d6507d769a62d2c4ffd6b30c237752ab38c935eb92dcf74c75b972279f95617d82de69f25c53db819ddc1e543e35d89ad0956c3df87

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\567C.tmp
    Filesize

    2.3MB

    MD5

    332e543570dd03d9050a391615c88973

    SHA1

    23dbc4cf558b55d3d40f25c816a1ce45c467b976

    SHA256

    5bdb13cdfeb3fa243c12f6242583c0da46ea6112ca84e6d6c25cdb42804b6c52

    SHA512

    55875046e363545bc524f8d9fe32ec7d22d7ec83a8979242dcfbb5da12089454fd72b45ce4d43144e324b28fb64e804bfa73549c3486ec57d1bf7d5129e72216

    Download Submit

  • memory/4536-15-0x00000000003A0000-0x00000000007B3000-memory.dmp

    Filesize

    4.1MB

    Download

  • memory/4536-16-0x00000000013A0000-0x00000000013A3000-memory.dmp

    Filesize

    12KB

    Download

  • memory/4536-65-0x00000000003A0000-0x00000000007B3000-memory.dmp

    Filesize

    4.1MB

    Download

  • memory/4536-67-0x00000000013A0000-0x00000000013A3000-memory.dmp

    Filesize

    12KB

    Download