Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

293c234973...18.exe

windows7-x64

7

293c234973...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    147s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    06/07/2024, 18:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    293c2349735db79bc4bee12fd734bf97_JaffaCakes118.exe

  • Size

    287KB

  • MD5

    293c2349735db79bc4bee12fd734bf97

  • SHA1

    7dcba977ee39c635543ac6270a0a1b80fbe67a19

  • SHA256

    b5407e3da8818734c11375264877000fd6211c4d478495a126db688263a3e73c

  • SHA512

    6be66f9692f3f11dd7e815590b22aaf4517396fc8d69c9c2cfa3d2067ea0688fcacf29d1fc7727b173f3d58ff76dd37446a9e7e377de695edfabe663c500e47d

  • SSDEEP

    6144:BMo5z4p66GQs77stVURLgt08ZB0G32xN/EMlYUvJI9:BMWz4p66y3stVGgtvZSG3S/5lNRy

Score
7/10
persistence

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Modifies system executable filetype association 2 TTPs 2 IoCs
    persistence
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 1 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 49 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\293c2349735db79bc4bee12fd734bf97_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\293c2349735db79bc4bee12fd734bf97_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:2064
    • C:\Windows\SysWOW64\MSSQL.exe
      C:\Windows\system32\MSSQL.exe
      2⤵
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      PID:2084

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Windows\SysWOW64\MSSQL.exe
    Filesize

    194KB

    MD5

    51f176b6a0617e60af49fd19b59664f2

    SHA1

    a3d6d37021d6493acdc2dcb16507b652836cf7f9

    SHA256

    17f6bb80b77ec28fc4ebc8d02dd7e3403323f360e9a2028da088c26c858d750e

    SHA512

    e5d546883f16cbe8e5e340dd2d60e4435781b2f1348f16a7ad6c88abb652e1c2ae3641e5564bcc11d0ae48eb129260cb50931a69ce52dfe42c26403f1b805811

    Download Submit

  • memory/2064-9-0x0000000000400000-0x000000000044D000-memory.dmp

    Filesize

    308KB

    Download

  • memory/2084-8-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2084-10-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

    Download

  • memory/2084-12-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

    Download