Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

29a0799481...18.exe

windows7-x64

7

29a0799481...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    96s
  • max time network
    97s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240704-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07/07/2024, 00:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    29a079948174116c25df96b80238c07f_JaffaCakes118.exe

  • Size

    151KB

  • MD5

    29a079948174116c25df96b80238c07f

  • SHA1

    5e50326fa7e6ff9650971052adb8124eae0c621d

  • SHA256

    992ba58cf87b4b307362ff41b64fc8f99c5186079f88ee5daf5b999f693af2db

  • SHA512

    2dcdb67881f7ec9ae55631eabfc3385b3eaf9eeaf842565ce66feb56ca2bd3e125b97b74941b4d784e4a1c2216878a1b191c66fa64fd2a623c632259d973ee75

  • SSDEEP

    3072:OfPyc9y35l5cFtSkkT53t+ImJvBKiuDTcZXah0YMq5kSs:O3V9y3/ctSkkTR7mzoWXYrC

Score
7/10

Malware Config

Signatures

  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3572
      • C:\Users\Admin\AppData\Local\Temp\29a079948174116c25df96b80238c07f_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\29a079948174116c25df96b80238c07f_JaffaCakes118.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:3552
        • C:\Windows\SysWOW64\regsvr32.exe
          regsvr32.exe /s C:\Windows\CEP.dll
          3⤵
          • Loads dropped DLL
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3544
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Windows\DTF.bat" C:\Users\Admin\AppData\Local\Temp\29A079~1.EXE"
          3⤵
            PID:4344
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Windows\UQX.bat" C:\Windows\CEP.dll"
            3⤵
              PID:1952

        Network

        MITRE ATT&CK Matrix

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Windows\CEP.dll
          Filesize

          132KB

          MD5

          a8e72bd0dc3ed31386071b9ec11c6ab7

          SHA1

          5b4e351310d2aa2b92ae15c6dce666efaac0b4a9

          SHA256

          6112c4f46405cd336e93b148e33dfbda6eb0d9f3c32a63c8f727a6b48e2332c1

          SHA512

          9f2ffcce239cee78694ef6a4f774fcdecb038ac87dad54ca3a7eb31dc062a988498201ec3aac0e5cb159324962750e67c0296ec10a35a84923e2130aee22e1f5

          Download Submit

        • C:\Windows\DTF.bat
          Filesize

          53B

          MD5

          bd8acf285d4f871236e232fccfb16d38

          SHA1

          271c40bdb1a4e92278756911016a0ad7b17b6914

          SHA256

          b7b5ba6b72dc5e61ce416bd8a78ec3965bbcee380ac6e05ae95eca15ce2dafd7

          SHA512

          349c7c0dbf2ddb920a6cf4ee510ffb05a382a10d5dfbd47a0aade44e2c8f30e94ebc11b06e6b56c08b661448087e2d4b4e699b7ce922a8344181f11d4cfe5fc1

          Download Submit

        • memory/3552-7-0x0000000000400000-0x000000000042D000-memory.dmp

          Filesize

          180KB

          Download