Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

2e03d162d4...18.exe

windows7-x64

10

2e03d162d4...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    94s
  • max time network
    97s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240704-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08/07/2024, 22:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2e03d162d49126b0b0cc6af5bf308c85_JaffaCakes118.exe

  • Size

    160KB

  • MD5

    2e03d162d49126b0b0cc6af5bf308c85

  • SHA1

    86c3087e7cfc063985bd59de8ce9a77439ceb944

  • SHA256

    d613dd30029dce010ae78cc0031e06cf3a135211e451f1c17cec2fb5ae47b4ae

  • SHA512

    0bc4f65ad39dd5060eba4f5ee2576c2d0f927c94d2f062b613ff99271aa059268ca45135a6194ec016cdf9693ac18d4d3f3f102c29152ccf92f6aab85533db9b

  • SSDEEP

    3072:JJUUW8F6kkVdMnhB6/a2efD3qFZreqTC9QS0w351EEWr4jovWkZ:Ax6i/be+F1Kp1EFGxkZ

Score
10/10
evasion

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 3 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in Program Files directory 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2e03d162d49126b0b0cc6af5bf308c85_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\2e03d162d49126b0b0cc6af5bf308c85_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2404
    • C:\Documents and Settings\tazebama.dl_
      "C:\Documents and Settings\tazebama.dl_"
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      PID:3028
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3028 -s 736
        3⤵
        • Program crash
        PID:1344
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3028 -ip 3028
    1⤵
      PID:3568

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\tazebama.dl_
      Filesize

      151KB

      MD5

      8960b7b1a3ae1828bf926b8661f59e39

      SHA1

      4f984da264ada230e319b938fd411ece1fd5cd4c

      SHA256

      dc22eccf113bd383b1ac2bde5433b59d09f2eb9ac0af1a582221a8c5096bc072

      SHA512

      8e559d5a94ed940a94e8f1c5784a90e5d36d8f613f452aed496888623a6eb9c70331b51d9cf481b396ab841c2dd9dfed2862b8d0111ae23abcb713ca9bf8138d

      Download Submit

    • C:\Users\tazebama.dll
      Filesize

      32KB

      MD5

      b6a03576e595afacb37ada2f1d5a0529

      SHA1

      d598d4d0e70dec2ffa2849edaeb4db94fedcc0b8

      SHA256

      1707eaf60aa91f3791aa5643bfa038e9d8141878d61f5d701ebac51f4ae7aaad

      SHA512

      181b7cc6479352fe2c53c3630d45a839cdeb74708be6709c2a75847a54de3ffc1fdac8450270dde7174ecb23e5cb002f8ce39032429a3112b1202f3381b8918c

      Download Submit

    • C:\autorun.inf
      Filesize

      126B

      MD5

      163e20cbccefcdd42f46e43a94173c46

      SHA1

      4c7b5048e8608e2a75799e00ecf1bbb4773279ae

      SHA256

      7780bee9df142a17e0457f3dcb2788b50fc2792370089335597d33719126fb7e

      SHA512

      e5ac0ff6b087857799ab70f68067c9dc73eeb93ccfcad87047052380b95ade3e6eb2a7d01a0f850d548a39f4b1ebb60e299d603dbe25c31b9a3585b34a0c65a8

      Download Submit

    • C:\zPharaoh.exe
      Filesize

      151KB

      MD5

      55a2d4b1a79cf0fa5c5f92db34b8667b

      SHA1

      252487489e7afaf3ff1e45e49e4c6738a1a30f03

      SHA256

      aac879ef8c0f2b28292b07c072594d0381449ce13f791765e0449d0e5c485fad

      SHA512

      b600c3e86092914de6986246a6de992e4221894b44ae95a5f3e802c03a99d6bf6cb68e807cdf500bcc38a397c71213faf7a610909a73939d68aba6165064eda7

      Download Submit

    • F:\zPharaoh.exe
      Filesize

      151KB

      MD5

      5d8dffa2d590a1b139262c1801c9d2f4

      SHA1

      02500eefbcd335777d618913ce5ce7f2c96b3e54

      SHA256

      97abc646cef942af04decab18eedbdaf6fbd9d25aec44cb978ebf503250df409

      SHA512

      27f062baf12f87073dee39a7a847a497ea6099fa028c5dc0540bb585d70972f607968855d1af348ce8bbeb8d39ac1812d27693969b59e0e2ffbaed1a1c0634ac

      Download Submit

    • memory/2404-0-0x0000000001000000-0x0000000001005000-memory.dmp

      Filesize

      20KB

      Download

    • memory/2404-9-0x0000000001000000-0x0000000001005000-memory.dmp

      Filesize

      20KB

      Download

    • memory/3028-10-0x0000000000400000-0x0000000000416000-memory.dmp

      Filesize

      88KB

      Download

    • memory/3028-39-0x0000000000400000-0x0000000000416000-memory.dmp

      Filesize

      88KB

      Download