Analysis

  • max time kernel
    140s
  • max time network
    112s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11/07/2024, 04:14

General

  • Target

    37a9b5fd14527a3196808a24e8a2fdf2_JaffaCakes118.exe

  • Size

    1.5MB

  • MD5

    37a9b5fd14527a3196808a24e8a2fdf2

  • SHA1

    3ba472394a4e4e28e4315eb9872f818719f5a2ce

  • SHA256

    1e1d0f9ff69ba216664d92dc14ca9268ec63c35ade4727b2769448f21a7586fa

  • SHA512

    250bcd888edd769ad71bb02682456a2f3547fde417f093aaade50cc430c2a0a053d95732defa9ec7bb8f8c16ad45a2355aaf51df1ac1969172a6c2291a99bf80

  • SSDEEP

    24576:GHt2e7h2mZN11vQ0bzmPhRgtN0zrzTUEURrVuH8NjWu/tGTfY2Q6w+Pq:qt242mPvQNplPPKRJuclWu/6A9S

Score
8/10

Malware Config

Signatures

  • Drops file in Drivers directory 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Kills process with taskkill 2 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\37a9b5fd14527a3196808a24e8a2fdf2_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\37a9b5fd14527a3196808a24e8a2fdf2_JaffaCakes118.exe"
    • Drops file in Drivers directory
    • Drops file in System32 directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:832
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /im teatimer.exe /f
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4348
    • C:\Windows\SysWOW64\drivers\svchost.exe
      C:\Windows\system32\drivers\svchost.exe
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:4644
    • C:\Windows\SysWOW64\drivers\full_yahoomonitor.exe
      C:\Windows\system32\drivers\full_yahoomonitor.exe
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1284
      • C:\Users\Admin\AppData\Local\Temp\is-4R8VJ.tmp\is-37U07.tmp
        "C:\Users\Admin\AppData\Local\Temp\is-4R8VJ.tmp\is-37U07.tmp" /SL4 $20268 "C:\Windows\SysWOW64\drivers\full_yahoomonitor.exe" 1089166 52736
        • Executes dropped EXE
        PID:3960
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /im teatimer.exe /f
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4332

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\is-4R8VJ.tmp\is-37U07.tmp

    Filesize

    657KB

    MD5

    3dafb498bb15d5260cb2c12b391a0d48

    SHA1

    c775ae9fdf18ab0ce38a8adffabe378f461e79a1

    SHA256

    c5d5f5f814c5bc4989d691442051e5e78cf1971eb9b773a7a26b438e58a73d7a

    SHA512

    a42f39a73bd4615490c6e33c017fa09f9992e3327d244b050b6634ad696d421170fd63ec5d5e66e92d112dc804eabd0bcd56494c9499d78fad8b46fe2ef32a31

  • C:\Windows\SysWOW64\MSINET.OCX

    Filesize

    112KB

    MD5

    7bec181a21753498b6bd001c42a42722

    SHA1

    3249f233657dc66632c0539c47895bfcee5770cc

    SHA256

    73da54b69911bdd08ea8bbbd508f815ef7cfa59c4684d75c1c602252ec88ee31

    SHA512

    d671e25ae5e02a55f444d253f0e4a42af6a5362d9759fb243ad6d2c333976ab3e98669621ec0850ad915ee06acbe8e70d77b084128fc275462223f4f5ab401bc

  • C:\Windows\SysWOW64\drivers\full_yahoomonitor.exe

    Filesize

    1.3MB

    MD5

    eff9cab8eb7db3515d2796acb306e40b

    SHA1

    6f659a971839c31a9a52e07c8f55d374654984c4

    SHA256

    d26112695ce353142054fa6ba27f4272b5ccd82387d4c2beb72598e64f7a3863

    SHA512

    a0123ea77ea92f4f1541db0ebbd4df73fe289b47c2e5f86e5e71ceaf49ddd5066e3df33a0a2980a1938c2124da3d5dfea56ec0e57862c8e20ad4a7ed9cfc7ae2

  • C:\Windows\SysWOW64\drivers\svchost.exe

    Filesize

    104KB

    MD5

    608f573df32693a6e4bf8a9a55d9ab17

    SHA1

    d86617363bfb817030610de98504e9c02961c975

    SHA256

    0fb60eac264359ac248e0c9633bb2d199912375e620b17e977969ec1b2de728b

    SHA512

    e2d70cac13c3c041a94e983081aa28ad06427abbbdc0e7b6477e08215ddf424d759891818adaed0210f8a666664d5efa5914560a53b5f9318a8c302b69e8d2b2

  • memory/1284-16-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

  • memory/1284-44-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

  • memory/3960-45-0x0000000000400000-0x00000000004B3000-memory.dmp

    Filesize

    716KB