Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

16c1f3a171...18.exe

windows7-x64

10

16c1f3a171...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags

    arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
  • submitted
    27/06/2024, 16:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    16c1f3a171bca17a2afb429a451afb1d_JaffaCakes118.exe

  • Size

    13KB

  • MD5

    16c1f3a171bca17a2afb429a451afb1d

  • SHA1

    b93d6bd21483baba6ba0f121bb31f3c1a460f24a

  • SHA256

    3258001bd74ab68825ac5c7d6ceeadb6fc4a1737704fa28227a0b0a250270d93

  • SHA512

    f487ea923f195ecfb06b60f0e000f1f7dab5c4db9c47cd9a6cf833814695a1fbaffb3cabb7798e52413be9366e384579e3934e47ad353a3490e8512c42037a77

  • SSDEEP

    192:nmOr1W7LByeduaOkAG6+mkAuLe/LJwlfeTSBaXZQmV/le8ZSwMFd3oCd7a7vtyB8:nma1F4t6Vpu+yMpV/lLSwsGg7EqXX4CG

Score
10/10
persistence

Malware Config

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 1 IoCs
    persistence
  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 3 IoCs
  • Modifies registry class 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\16c1f3a171bca17a2afb429a451afb1d_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\16c1f3a171bca17a2afb429a451afb1d_JaffaCakes118.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Loads dropped DLL
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1696
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\D652.tmp.bat
      2⤵
      • Deletes itself
      PID:2716

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\D652.tmp.bat
    Filesize

    207B

    MD5

    c89ba20bdc8ee59ba9ab41c16b9ca773

    SHA1

    7982179d2e58acffc4f1fe4dc2b42b32db68dc23

    SHA256

    0cabb62f4855fb969f9afc4fa24dff045fa2311ffa516a76042f19b7811faab5

    SHA512

    aa645188d92026c4deb086651177dfde2f7e5ec9ebeff838cd313a700242a49f7615356d048f37c65eb84ebbb4322ff71138204151b1a10d348b19b197a49d27

    Download Submit

  • C:\Windows\SysWOW64\dispexcb.nls
    Filesize

    428B

    MD5

    258053b380bc93b614c32a18b8b726ea

    SHA1

    0f04967ba3a6226368623155838d51711e3e0a8c

    SHA256

    2ab1145482d8d09e90d8d0e2b5f4ff2532eb89ba7f71587ee15a9dd7138e18ef

    SHA512

    71146acb2f4ad59df738d49749908af7f87a28c3aa970f61f48786bbabafae4b9f3c8e85ec9d51e517aa2dca1bc276db66d49b90823690f67a19164b23f8f2eb

    Download Submit

  • C:\Windows\SysWOW64\dispexcb.tmp
    Filesize

    1.0MB

    MD5

    c0383b7ef55b3a074ecadd1abb5807e1

    SHA1

    aeb7ff60e4115e69ee52e600cf323232faeeb569

    SHA256

    4fd2eb7b2dcdc16a19dfab4c50fcb4fe91f6f3b9f074d4e7d70545248a8aa259

    SHA512

    a6b640195931dcfb7864f45876343fbdc1567a9b8ab84f69ed584a7e74b5cf7ebc010e9c4ae641e73f32e787bde4c11574504a1718678b7b7cee439aeaf69fbd

    Download Submit

  • memory/1696-16-0x0000000020000000-0x000000002006C000-memory.dmp

    Filesize

    432KB

    Download

  • memory/1696-25-0x0000000020000000-0x000000002006C000-memory.dmp

    Filesize

    432KB

    Download