Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

2e56654110...18.exe

windows7-x64

10

2e56654110...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240704-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/07/2024, 00:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2e56654110e1df210d9bb69fb4475b18_JaffaCakes118.exe

  • Size

    2.9MB

  • MD5

    2e56654110e1df210d9bb69fb4475b18

  • SHA1

    19b988eed3cbe633b928a4c9e6f4920c2fd25659

  • SHA256

    75538a4da96a8a546527058bb11d0a4cde795cb83867c38e0c2098e24e3c266a

  • SHA512

    891fd50d9a8450ff4ad669ed4d4c7a6009e6975d5238f21e4d55bf93868d12887f538e7d96b725f783ef7f6b0571972ba3286ec1f46efb7d144f892caf634b3f

  • SSDEEP

    49152:XabTZNbRWkjObbdr/XL+O/FvltSispKnFDqL+MCKUlGTxJQ:XaBqvbbVaONvlGpE0iMCKU

Score
10/10
evasionexecutionpersistence

Malware Config

Signatures

  • Disables service(s) 3 TTPs
    evasionexecution
  • Stops running service(s) 4 TTPs
    evasionexecution
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Launches sc.exe 4 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Runs net.exe
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2e56654110e1df210d9bb69fb4475b18_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\2e56654110e1df210d9bb69fb4475b18_JaffaCakes118.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:924
    • C:\Windows\SysWOW64\net.exe
      net start GbpSv
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2308
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 start GbpSv
        3⤵
          PID:3564
      • C:\Windows\SysWOW64\net.exe
        net stop GbpSv
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4924
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop GbpSv
          3⤵
            PID:2116
        • C:\Windows\SysWOW64\sc.exe
          sc stop GbpSv
          2⤵
          • Launches sc.exe
          PID:4920
        • C:\Windows\SysWOW64\sc.exe
          sc config GbpSv start= disabled
          2⤵
          • Launches sc.exe
          PID:3352
        • C:\Windows\SysWOW64\net.exe
          net start GbpSv
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:3496
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 start GbpSv
            3⤵
              PID:5060
          • C:\Windows\SysWOW64\net.exe
            net stop GbpSv
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:3792
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop GbpSv
              3⤵
                PID:3136
            • C:\Windows\SysWOW64\sc.exe
              sc stop GbpSv
              2⤵
              • Launches sc.exe
              PID:3836
            • C:\Windows\SysWOW64\sc.exe
              sc config GbpSv start= disabled
              2⤵
              • Launches sc.exe
              PID:2388
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /create /tn startt /tr c:\start.bat /sc onstart /ru system
              2⤵
              • Scheduled Task/Job: Scheduled Task
              PID:1368

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • memory/924-0-0x0000000000400000-0x0000000000B7E322-memory.dmp

            Filesize

            7.5MB

            Download

          • memory/924-1-0x0000000000400000-0x0000000000B7E322-memory.dmp

            Filesize

            7.5MB

            Download

          • memory/924-2-0x0000000000401000-0x0000000000893000-memory.dmp

            Filesize

            4.6MB

            Download

          • memory/924-3-0x0000000000400000-0x0000000000B7E322-memory.dmp

            Filesize

            7.5MB

            Download

          • memory/924-9-0x0000000000400000-0x0000000000B7E322-memory.dmp

            Filesize

            7.5MB

            Download

          • memory/924-11-0x0000000000401000-0x0000000000893000-memory.dmp

            Filesize

            4.6MB

            Download

          • memory/924-12-0x0000000000400000-0x0000000000B7E322-memory.dmp

            Filesize

            7.5MB

            Download