Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

3c772ce76f...18.exe

windows7-x64

4

3c772ce76f...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    92s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12/07/2024, 07:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3c772ce76fc4bcac93a4fd74f03e1587_JaffaCakes118.exe

  • Size

    998KB

  • MD5

    3c772ce76fc4bcac93a4fd74f03e1587

  • SHA1

    b266bf7adbd60b8bb95a8fea26855c1682786164

  • SHA256

    5a207869e0f7fa20eccbc95fb3f711a8cb6a31a72e5843310a7dc831314bdc94

  • SHA512

    77c77298a668c7e8b6fb701b2a0d5f2a5a9cf3675a15feb0a46f76bcab882002bac63246b1b0e7b0f00b268bb6378885086ca73908a0e5d568ac2f66267348c3

  • SSDEEP

    24576:txj7xTcX2LSlwthsobVC/5imoDe5l6uiEkLJvurXPIt+1KNI4sQ/:reXyPthzbkomQylDMLczwt+A64sM

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Runs .reg file with regedit 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3c772ce76fc4bcac93a4fd74f03e1587_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\3c772ce76fc4bcac93a4fd74f03e1587_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4460
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c xcopy Fonts "C:\Windows\Fonts" /e /i /y
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1600
      • C:\Windows\SysWOW64\xcopy.exe
        xcopy Fonts "C:\Windows\Fonts" /e /i /y
        3⤵
        • Drops file in Windows directory
        • Enumerates system info in registry
        PID:5116
    • C:\Windows\SysWOW64\regedit.exe
      "C:\Windows\System32\regedit.exe" /s Fonts.reg
      2⤵
      • Runs .reg file with regedit
      PID:3856

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Fonts.reg
    Filesize

    948B

    MD5

    0798c369716d601f7f61aad56708bb69

    SHA1

    fd944cf9fa5132d4216469d3487a9626b0c329f3

    SHA256

    642f6b40b3b1ecb79ab1894d3fd3bc7638a9fbec332c2bf9f4144187968b963a

    SHA512

    71db8de5e38c837d776860a4db9a75a1835d48cf0bcfb4007852623b4a6dd34bff7599086146ad7352b5610cd1e18f8b1d2c604125b90ebf304112c66b0cbcdb

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Fonts\Calibri.ttf
    Filesize

    238KB

    MD5

    d5630a8814488c1800727da51c00c256

    SHA1

    8c9298c19cd369087a95c27cf716d27e474f2ece

    SHA256

    6615eaeb730311e6f997e34e1e560fae6629be9f47e92929d13d96108e58fa43

    SHA512

    5f08970f024bb7a9e4500a64cb122301df1940e48b1e727be693423ca78cb116636eb374fcfce45b631cf6c24ef868633e703d3fed4d51c1092dc0363a197577

    Download Submit