Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

3

340d8df768...18.exe

windows7-x64

8

340d8df768...18.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    95s
  • max time network
    123s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10/07/2024, 08:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    340d8df768269411ee6196e347585b68_JaffaCakes118.exe

  • Size

    1.9MB

  • MD5

    340d8df768269411ee6196e347585b68

  • SHA1

    c9a828abe5fbf97f3593c9797c4fb7142e4b482d

  • SHA256

    893ce8410fb15a7802523f033f4abdffd8ef35c1a2342199e6c09c54173dff9d

  • SHA512

    e03a0ba6521f2b30da8cc7c6948af23bfbfb4d532a605187d607cac6810e3c9161dd4f1a4f2d3f4b36709c8ba349831daae8cc44ae7cfc74657c18a25fbfa182

  • SSDEEP

    49152:fHqjfedt0TY2oHtMYQ0M/pBi1tR6TRJLu:Wfedt0TYH+0M/pBmkTjLu

Score
8/10
persistence

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 5 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 6 IoCs
  • Blocklisted process makes network request 2 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 3 IoCs
  • Drops file in Windows directory 13 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\340d8df768269411ee6196e347585b68_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\340d8df768269411ee6196e347585b68_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3656
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\IFViewer\1980214704\FP.msi" /Q
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4824
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1964
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding F1665DA1BDA441F0BA639E23411A03F5
      2⤵
      • Loads dropped DLL
      • Modifies registry class
      PID:3556

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Config.Msi\e57858e.rbs
    Filesize

    10KB

    MD5

    98c595758da2ba77d54aa0616278ca3d

    SHA1

    3f30ac9efcfeb5f776da3a5ec5cd5ee82551d906

    SHA256

    0035cbc819c41de882962fac97ace970f97c8baab73665f090af402e14bdbed3

    SHA512

    e4f1d5f46f8a2b78098256df7c4e0b12f0c1a7e7540039c25c1d13df5d3fa25e6661abe7e651e9f89f44740fa987f70c5c515d130d6a54a6be41eeb97b2fa5d9

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\~884A.tmp
    Filesize

    383B

    MD5

    9b5ff186d7f86b39ebf05cfd7116d223

    SHA1

    4bf138a50256c47921620f9542ea062d0cf16e5b

    SHA256

    56a431c6a202613c6ff3b53fd4d1f82d91d4d7e91dd1fccdc8f9037a1f6ccd5c

    SHA512

    4be6950b3dd4933d7f4ee88fc5f0d727f893b2213244c5b07e15a8d3ae9f5a81de0ca7ce94150da1372dba31847520aba732ebf55e06126fe69447175a0ead75

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\~884A.tmp
    Filesize

    386B

    MD5

    2357e7b2a591b85b9d1f492d39e4c894

    SHA1

    d917b0a2e35547d913b51c0ad9103b7514c02a73

    SHA256

    90a5c2612a1a3a5e35de806f56d9520c457a4605d104f596c330e143cbe8fa71

    SHA512

    5f2f2d186b8ec882b44a9e6a116e2869f99740d66dc1ec498ecb8e7cae8b5ad9a7babac416133cae61165713b5aa429b5c2490cc3f03b8c5af879b6fb81456f7

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\~884A.tmp
    Filesize

    397B

    MD5

    1558c7133098a2f21a33b189f8134299

    SHA1

    9340efa292ffc561036165a6d6578bdffcef11f5

    SHA256

    0d69fbb9c0d1a609986f11ab226c7f60a141db9d09d96a41542bb0bf9322eb9b

    SHA512

    7339d19f23f78371656629fef6a44c94631fda1bcc1ced07774c4e5dcf9a969311cbc4fea22a17630d6249a1fe9558370d960cba7639abbb787c4b8e03deec61

    Download Submit

  • C:\Users\Admin\AppData\Roaming\IFViewer\1980214704\FP.msi
    Filesize

    1.6MB

    MD5

    ec72ab0a198db9fa267a110095aff70a

    SHA1

    7ace4d0b2799efddea2ebeaa687feb84583711ce

    SHA256

    086075830772885fe24607bcf8ecd186a1d706f7f57436aed2175667a3cdfaf7

    SHA512

    cc4d92b629bde79686aa180323f57aab99861733b6be163b0419616b636aac8999e7ee5c14595a69daa98365848116a10d5e472e4490ff84622247ba437e0339

    Download Submit

  • C:\Windows\Installer\MSI8770.tmp
    Filesize

    80KB

    MD5

    f6a6b99623d80fc8e10d04a82f61a806

    SHA1

    fa1d7586ec148d4caf5f4258bc6a495c28b5955f

    SHA256

    adb43809b9d164a220cf80045fcbb4aabd665f83715ac05def245ede8e0f1355

    SHA512

    812bf82bb81a576c4079c27460d18b9fe02457a49715c93ede665c3070a000144585ca779df1083a8ca84ff5a42ad50f70ae9d31a058da1c05b0e1766f6555ec

    Download Submit

  • C:\Windows\Installer\MSI883D.tmp
    Filesize

    104KB

    MD5

    41c809ec8fd59ffcbfff35da8d9cf41b

    SHA1

    c6e8b1ef8fcd49ac88ce097157beaeff4d7468e2

    SHA256

    fe9b3c74f09a6c66dab66269550f277c8aa82c7e93b5e9963a116c44619d55b2

    SHA512

    e51ecdba17d0aa037ea6e229e66879e50317b677e2b4760a4dcb7883ab49598b3b166e9b26dcfab5a1904373d70af6234899092bc7a614b9fca14cfbed0ad42d

    Download Submit

  • C:\Windows\SysWOW64\Macromed\Flash\Flash8.ocx
    Filesize

    1.4MB

    MD5

    900373c059c2b51ca91bf110dbdecb33

    SHA1

    102b086d6054c2cea813ef316ce24440c458762b

    SHA256

    31453fd8f743c19e27f8fa04ee88dfebe95a7884cdfbc15ab0eb8994829aad61

    SHA512

    b17d68cd1e4f1c2fcc7f07de657af144302d4a0cb7b6a0d6bbed4fcd39227481abae73df2d59bf13a31a47b2b6aba820182881b43e638aa00da75ba6b94adbfe

    Download Submit