Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    142s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    11/07/2024, 03:30

General

  • Target

    378a921c32c570e516c975b6ca83abb7_JaffaCakes118.exe

  • Size

    800KB

  • MD5

    378a921c32c570e516c975b6ca83abb7

  • SHA1

    4bb25e842d75e7b741e76d72e4f72506086f2dea

  • SHA256

    b8358871d091af47cc36625ab518366999d09202375c74265eb0894892c439b1

  • SHA512

    3b05794b4e3a5eab85f9f9633c39ad02a66edc94ec4ca4670c364a36e1d2ae6ce55fa6edc356c271d4a9d8dd7779b13b2067a25f261ad5b94b7ac1d4e9b53506

  • SSDEEP

    12288:4mRyTSktU4g/n/t0EW5A0zyYvJwQ5oAlK+GE4vebIk6bQQ52LgRg08y5Hpnrzzz:4SStU4gf2EW5A2DJr/kS4vGIk6v3Hff

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\378a921c32c570e516c975b6ca83abb7_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\378a921c32c570e516c975b6ca83abb7_JaffaCakes118.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2452
    • C:\Windows\RunMgr.EXE
      "C:\Windows\RunMgr.EXE"
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1528
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c C:\Windows\uninstal.bat
        3⤵
          PID:2652
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c del %SystemRoot%\Debug.exe
        2⤵
          PID:2460
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\378A92~1.EXE > nul
        2⤵
          PID:2756
  • C:\Windows\Hacker.com.cn.exe
    C:\Windows\Hacker.com.cn.exe
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:1240
    • C:\Program Files\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
      2⤵
        PID:2868

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\RunMgr.EXE

    Filesize

    743KB

    MD5

    eec0bbd268f539876ef3fca7ce446e70

    SHA1

    07b4d5119309518584f9c919c840aed551c5986b

    SHA256

    f761f6990cf9a25b48b17fe198ce8768695eb6f278c24c3e218d43bf5f1a6690

    SHA512

    f57de6d4df885ae2a607675a3a0368a14deaceacf6c961057e78691eba2a7f5b6e16836f7087c7f6878a6132a0e02a279d32a916ddb33e4dbcc5014fa2f88d8f

  • C:\Windows\uninstal.bat

    Filesize

    92B

    MD5

    cb9f71ed6347920d9d54de433ac8b51f

    SHA1

    1900d39d3bfee682acce91d71efd8fc1ef22f48c

    SHA256

    b946663364cb8068df25d6b8c349208f534817503d4d68d5faabc5896e1a4970

    SHA512

    6ceb649d961039f5b426dc92059837f6c76c1b98f9ceb4ae751e1746ba97ffd27b31bdf073a3494e50d7fc3c12e241e531bf848eaee1c497eea20570a532d9cf

  • memory/1240-13-0x0000000000240000-0x0000000000241000-memory.dmp

    Filesize

    4KB

  • memory/1240-24-0x0000000000400000-0x00000000004C2000-memory.dmp

    Filesize

    776KB

  • memory/1240-26-0x0000000000240000-0x0000000000241000-memory.dmp

    Filesize

    4KB

  • memory/1240-27-0x0000000000400000-0x00000000004C2000-memory.dmp

    Filesize

    776KB

  • memory/1240-33-0x0000000000400000-0x00000000004C2000-memory.dmp

    Filesize

    776KB

  • memory/1528-11-0x0000000000240000-0x0000000000241000-memory.dmp

    Filesize

    4KB

  • memory/1528-22-0x0000000000400000-0x00000000004C2000-memory.dmp

    Filesize

    776KB

  • memory/2452-0-0x0000000000400000-0x00000000004C8000-memory.dmp

    Filesize

    800KB