Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

253db1fbd3...18.exe

windows7-x64

7

253db1fbd3...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    142s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
  • submitted
    04/07/2024, 08:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    253db1fbd397b5b1dac7cf07863fd70d_JaffaCakes118.exe

  • Size

    299KB

  • MD5

    253db1fbd397b5b1dac7cf07863fd70d

  • SHA1

    64094c2f2340d63f6d4bc3f25f61e5f865282f76

  • SHA256

    c00ff70192ba719256d19e2f4da895fe3ec2cc2bbb79d7e0aa9c37b85e399983

  • SHA512

    0b8c366a77a40b5c32f22fac79539558e10334e676a070f41935be51d63cc83059100e94cd7eb687d3a8b87a8353f3fe7062a11ec0554755edb324a4df51eea2

  • SSDEEP

    6144:tcWMJJhqryYP/AarB8JZqWLXPIbgVLA3B1YajIuwkFzcz7CfcREdmOfOJN:tczJJhqrVPYhqWbYJnYajIEgzumEQOCN

Score
7/10
persistence

Malware Config

Signatures

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 6 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in Program Files directory 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\253db1fbd397b5b1dac7cf07863fd70d_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\253db1fbd397b5b1dac7cf07863fd70d_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:2076
    • C:\Program Files (x86)\autofx\autofx.exe
      "C:\Program Files (x86)\autofx\autofx.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1940
      • C:\Program Files\autofx\fxinst.exe
        "C:\Program Files\autofx\fxinst.exe"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        PID:2344
      • C:\Program Files\autofx\Microsys.dll
        "C:\Program Files\autofx\Microsys.dll"
        3⤵
        • Executes dropped EXE
        PID:2172

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Program Files (x86)\autofx\autofx.exe
    Filesize

    585KB

    MD5

    709fd67f58721e614c3404ce71650c75

    SHA1

    934d7098c9d4328cd2eb9b5a3d418692a96e9e7a

    SHA256

    4afa33bc8e7d8de4d756a130e11fb750236c117b0b75a404c808a3567de4c64e

    SHA512

    39f64fcf61f02d5f27b4d667e4c486c52742e6c7b6c86c01df5c00f800646f89a2378ae3b892baead470499fb8ea071c6567906ece7de59f979d528fed7b3497

    Download Submit

  • \Program Files\autofx\Microsys.dll
    Filesize

    27KB

    MD5

    c8960a44334e5890771bb70ea2c6ecbe

    SHA1

    fdbffbd5e0387be19ac5cf4ef346adb6bbefe9e6

    SHA256

    80aac9bfd563788e1907c554a77b89f7bd17bc3efd97dd68e979f718b2679b2f

    SHA512

    c5e41068806ec118f519021e7a0a402e73b682d6b0f949a76babbe976b62bd6372812e4af823280f99005a474d85f57e8fc11dab375b0d84d9454af57ad6f52b

    Download Submit

  • \Program Files\autofx\fxinst.exe
    Filesize

    81KB

    MD5

    a23dcaf89be940cba641b1c7950db760

    SHA1

    8cf755fb813dc8f92fe79a40b195fe01047ddb2a

    SHA256

    405b2a514a10bfaab952c2aaaa9d852aae99683d88048d9ec0c211cf5f37ec90

    SHA512

    b3b15f1732883f5aafc9dd86cc57c9648cb947538a721a3395952c3a632e0475976797c200bc5ba0aac78229f35025b64291c7c8a74da4721dbff34ba4ced6bc

    Download Submit

  • memory/1940-21-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1940-43-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2172-37-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2344-22-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

    Download