Analysis

  • max time kernel
    150s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240704-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05/07/2024, 16:44

General

  • Target

    270a3519a8e7eb37a61138fd3cb2a552_JaffaCakes118.exe

  • Size

    119KB

  • MD5

    270a3519a8e7eb37a61138fd3cb2a552

  • SHA1

    0a92d07330d5af6c740820d7a0628ad8b3034a8b

  • SHA256

    55e757eeb966e4389ee54fa25bbf401694f6192da5b2796ff6c2d135e8957346

  • SHA512

    5830196e3a5479efcfbf6989974bbdea961a9d86a21cb4ad2c9ffb47a649d73695c3a60e7e3b72364195bfcaafe306616b447b3364ee9013ddefcec2ce7e2735

  • SSDEEP

    3072:NhyVR3H397BpjsokToH3w1VOJOAmEPgrCA7mEjzZt+V:NEnsPTooOJOLEPzAdtc

Malware Config

Signatures

  • Renames multiple (216) files with added filename extension

    This suggests ransomware activity: the files on the system are being encrypted and renamed.

  • Drops file in Drivers directory 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3424
      • C:\Users\Admin\AppData\Local\Temp\270a3519a8e7eb37a61138fd3cb2a552_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\270a3519a8e7eb37a61138fd3cb2a552_JaffaCakes118.exe"
        2⤵
        • Drops file in Drivers directory
        • Adds Run key to start application
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4536
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3484
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:1564
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a613A.bat
            3⤵
              PID:3176
              • C:\Users\Admin\AppData\Local\Temp\270a3519a8e7eb37a61138fd3cb2a552_JaffaCakes118.exe
                "C:\Users\Admin\AppData\Local\Temp\270a3519a8e7eb37a61138fd3cb2a552_JaffaCakes118.exe"
                4⤵
                • Executes dropped EXE
                PID:4300
            • C:\Windows\Logo1_.exe
              C:\Windows\Logo1_.exe
              3⤵
              • Drops file in Drivers directory
              • Executes dropped EXE
              • Adds Run key to start application
              • Enumerates connected drives
              • Drops file in Program Files directory
              • Drops file in Windows directory
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of WriteProcessMemory
              PID:2064
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:4156
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:4592
                • C:\Windows\SysWOW64\net.exe
                  net stop "Kingsoft AntiVirus Service"
                  4⤵
                  • Suspicious use of WriteProcessMemory
                  PID:4464
                  • C:\Windows\SysWOW64\net1.exe
                    C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                    5⤵
                      PID:4084

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files\7-Zip\7z.exe.Exe
    Filesize
    603KB
    MD5
    e06d406678cc8d0e514cb0324f8a1d4b
    SHA1
    2111af41f93cad49281476b5341ca2828c055f7c
    SHA256
    be326523a0a393371588ca9af9f34a419f333758bb1d0d90dcfb738da96f4db0
    SHA512
    20fa6757a307ca7d92e0888dc0f1151c91a22758e9f50cd80c352e08f441a4d0160cebf1c67057bf7817a582b9f77b6704858f96e56c52f9727c4f522d14ee5b

  • C:\Users\Admin\AppData\Local\Temp\$$a613A.bat
    Filesize
    614B
    MD5
    68f56109038769634bbb5e0436824738
    SHA1
    9a964f186be18c5afa46d4ea52fc77d93dcd668b
    SHA256
    307a94103cb4c3a50e55aed5747fe3e4fa2a9157fba375f2a39ceafa415823b4
    SHA512
    28589767c83993a123d43c6179d3c647de3d96995ef49f71f48fcdbe964b735f0911fd9ceaf7a0e446220675c907fa92ba53b4bad8bcb4851ebbb3ea3ab41cbb

  • C:\Users\Admin\AppData\Local\Temp\270a3519a8e7eb37a61138fd3cb2a552_JaffaCakes118.exe.exe
    Filesize
    60KB
    MD5
    70097e33cd20e2f09bb60635233eeba6
    SHA1
    fa4657369b36eb8e97237485688f729edba8d156
    SHA256
    71497654e4c373766fba52e1aa4f087a4bcf0c6ca02c67273cc12459a238248c
    SHA512
    92000141d26ead9a011b4c7a702c7c44c4a6705e4f38ae60068bdb9ea03e966a7ff22bce4e9df73eb2b2e0111d84c5c3e39d68a78e3d39735093170ea0a745f2

  • C:\Windows\Logo1_.exe
    Filesize
    59KB
    MD5
    ae94cf26d3cf1ddfec5acd7270045e54
    SHA1
    575f7b9eedba31fc3dacca8444ae091d369c968e
    SHA256
    5ae541ab2e90eef03ecc84522a6af155985ecb961382e1b81f6238f22ec4472b
    SHA512
    f69ee24775e8e048b80705c7432c11e6f1a6041bad4747a033e48fce3472d8c72d3b0b049316eaba4a8cf14ec840e8e1a65fddcd4f038347996262e48ccc5c27

  • C:\Windows\system32\drivers\etc\hosts
    Filesize
    842B
    MD5
    6f4adf207ef402d9ef40c6aa52ffd245
    SHA1
    4b05b495619c643f02e278dede8f5b1392555a57
    SHA256
    d9704dab05e988be3e5e7b7c020bb9814906d11bb9c31ad80d4ed1316f6bc94e
    SHA512
    a6306bd200a26ea78192ae5b00cc49cfab3fba025fe7233709a4e62db0f9ed60030dce22b34afe57aad86a098c9a8c44e080cedc43227cb87ef4690baec35b47

  • memory/2064-13-0x0000000000440000-0x0000000000480000-memory.dmp
    Filesize
    256KB

  • memory/2064-12-0x0000000000400000-0x000000000043E000-memory.dmp
    Filesize
    248KB

  • memory/2064-21-0x0000000000400000-0x000000000043E000-memory.dmp
    Filesize
    248KB

  • memory/2064-22-0x0000000000440000-0x0000000000480000-memory.dmp
    Filesize
    256KB

  • memory/4536-0-0x0000000000400000-0x000000000043E000-memory.dmp
    Filesize
    248KB

  • memory/4536-1-0x0000000000550000-0x0000000000570000-memory.dmp
    Filesize
    128KB

  • memory/4536-11-0x0000000000400000-0x000000000043E000-memory.dmp
    Filesize
    248KB