Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

3de39d3112...18.exe

windows7-x64

7

3de39d3112...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12/07/2024, 15:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3de39d311293a9cdbef5e557b92ddf61_JaffaCakes118.exe

  • Size

    387KB

  • MD5

    3de39d311293a9cdbef5e557b92ddf61

  • SHA1

    9bc9f526f22861325ef6aa558db2ef16ef6a9cbc

  • SHA256

    70b4f96142dff1ee461be631ac40e1ded2b425dd1223d2e1d7f89f6513ca7372

  • SHA512

    e5b79492f8dacc82acdfaeb753baefb8235ec9e067a080840f92abb874608ecc6421625768588b4cfbf997e9eefb0ee5f3a429da3db7c84ccf002ecb25da3227

  • SSDEEP

    6144:I9TMlSVMM9TOEvtruUnIKvS+eWjpMSRjiQgSsDlS+jlS:IhnHhBt6UnIceEs

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 23 IoCs
  • Drops file in System32 directory 22 IoCs
  • Suspicious use of SetThreadContext 11 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3de39d311293a9cdbef5e557b92ddf61_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\3de39d311293a9cdbef5e557b92ddf61_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:556
    • C:\Users\Admin\AppData\Local\Temp\install_flash_player.exe
      "C:\Users\Admin\AppData\Local\Temp\install_flash_player.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1628
      • C:\Users\Admin\AppData\Local\Temp\install_flash_player.exe
        C:\Users\Admin\AppData\Local\Temp\install_flash_player.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Suspicious use of WriteProcessMemory
        PID:1488
        • C:\Windows\SysWOW64\wuamgard.exe
          C:\Windows\system32\wuamgard.exe 1000 "C:\Users\Admin\AppData\Local\Temp\install_flash_player.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:744
          • C:\Windows\SysWOW64\wuamgard.exe
            C:\Windows\SysWOW64\wuamgard.exe
            5⤵
            • Executes dropped EXE
            • Drops file in System32 directory
            • Suspicious use of WriteProcessMemory
            PID:3536
            • C:\Windows\SysWOW64\wuamgard.exe
              C:\Windows\system32\wuamgard.exe 1148 "C:\Windows\SysWOW64\wuamgard.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious use of WriteProcessMemory
              PID:4548
              • C:\Windows\SysWOW64\wuamgard.exe
                C:\Windows\SysWOW64\wuamgard.exe
                7⤵
                • Executes dropped EXE
                • Drops file in System32 directory
                • Suspicious use of WriteProcessMemory
                PID:2724
                • C:\Windows\SysWOW64\wuamgard.exe
                  C:\Windows\system32\wuamgard.exe 1120 "C:\Windows\SysWOW64\wuamgard.exe"
                  8⤵
                  • Executes dropped EXE
                  • Suspicious use of SetThreadContext
                  • Suspicious use of WriteProcessMemory
                  PID:2552
                  • C:\Windows\SysWOW64\wuamgard.exe
                    C:\Windows\SysWOW64\wuamgard.exe
                    9⤵
                    • Executes dropped EXE
                    • Drops file in System32 directory
                    • Suspicious use of WriteProcessMemory
                    PID:3684
                    • C:\Windows\SysWOW64\wuamgard.exe
                      C:\Windows\system32\wuamgard.exe 1120 "C:\Windows\SysWOW64\wuamgard.exe"
                      10⤵
                      • Executes dropped EXE
                      • Suspicious use of SetThreadContext
                      • Suspicious use of WriteProcessMemory
                      PID:3480
                      • C:\Windows\SysWOW64\wuamgard.exe
                        C:\Windows\SysWOW64\wuamgard.exe
                        11⤵
                        • Executes dropped EXE
                        • Drops file in System32 directory
                        • Suspicious use of WriteProcessMemory
                        PID:3308
                        • C:\Windows\SysWOW64\wuamgard.exe
                          C:\Windows\system32\wuamgard.exe 1124 "C:\Windows\SysWOW64\wuamgard.exe"
                          12⤵
                          • Executes dropped EXE
                          • Suspicious use of SetThreadContext
                          • Suspicious use of WriteProcessMemory
                          PID:3392
                          • C:\Windows\SysWOW64\wuamgard.exe
                            C:\Windows\SysWOW64\wuamgard.exe
                            13⤵
                            • Executes dropped EXE
                            • Drops file in System32 directory
                            • Suspicious use of WriteProcessMemory
                            PID:2736
                            • C:\Windows\SysWOW64\wuamgard.exe
                              C:\Windows\system32\wuamgard.exe 1120 "C:\Windows\SysWOW64\wuamgard.exe"
                              14⤵
                              • Executes dropped EXE
                              • Suspicious use of SetThreadContext
                              • Suspicious use of WriteProcessMemory
                              PID:4332
                              • C:\Windows\SysWOW64\wuamgard.exe
                                C:\Windows\SysWOW64\wuamgard.exe
                                15⤵
                                • Executes dropped EXE
                                • Drops file in System32 directory
                                • Suspicious use of WriteProcessMemory
                                PID:4308
                                • C:\Windows\SysWOW64\wuamgard.exe
                                  C:\Windows\system32\wuamgard.exe 1120 "C:\Windows\SysWOW64\wuamgard.exe"
                                  16⤵
                                  • Executes dropped EXE
                                  • Suspicious use of SetThreadContext
                                  • Suspicious use of WriteProcessMemory
                                  PID:5068
                                  • C:\Windows\SysWOW64\wuamgard.exe
                                    C:\Windows\SysWOW64\wuamgard.exe
                                    17⤵
                                    • Executes dropped EXE
                                    • Drops file in System32 directory
                                    PID:2488
                                    • C:\Windows\SysWOW64\wuamgard.exe
                                      C:\Windows\system32\wuamgard.exe 1124 "C:\Windows\SysWOW64\wuamgard.exe"
                                      18⤵
                                      • Executes dropped EXE
                                      • Suspicious use of SetThreadContext
                                      PID:3756
                                      • C:\Windows\SysWOW64\wuamgard.exe
                                        C:\Windows\SysWOW64\wuamgard.exe
                                        19⤵
                                        • Executes dropped EXE
                                        • Drops file in System32 directory
                                        PID:4292
                                        • C:\Windows\SysWOW64\wuamgard.exe
                                          C:\Windows\system32\wuamgard.exe 1120 "C:\Windows\SysWOW64\wuamgard.exe"
                                          20⤵
                                          • Executes dropped EXE
                                          • Suspicious use of SetThreadContext
                                          PID:1936
                                          • C:\Windows\SysWOW64\wuamgard.exe
                                            C:\Windows\SysWOW64\wuamgard.exe
                                            21⤵
                                            • Executes dropped EXE
                                            • Drops file in System32 directory
                                            PID:3696
                                            • C:\Windows\SysWOW64\wuamgard.exe
                                              C:\Windows\system32\wuamgard.exe 1120 "C:\Windows\SysWOW64\wuamgard.exe"
                                              22⤵
                                              • Executes dropped EXE
                                              • Suspicious use of SetThreadContext
                                              PID:5028
                                              • C:\Windows\SysWOW64\wuamgard.exe
                                                C:\Windows\SysWOW64\wuamgard.exe
                                                23⤵
                                                • Executes dropped EXE
                                                • Drops file in System32 directory
                                                PID:1384
    • C:\Users\Admin\AppData\Local\Temp\Beaver's E-Mail Bomber.exe
      "C:\Users\Admin\AppData\Local\Temp\Beaver's E-Mail Bomber.exe"
      2⤵
      • Executes dropped EXE
      PID:3776

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Beaver's E-Mail Bomber.exe
    Filesize

    94KB

    MD5

    b03e54a8188aac4c75915ab44550c033

    SHA1

    e4362465e02be15c7d7a806205f3b12f94208eda

    SHA256

    109c443308f6732ab7debeb21052df4ac211149edc9f7c434e06c78640c2ebd5

    SHA512

    91d22bbdd9bd2a58f8169aa2b70287e5603a5fdfee78b19dbb5139b3219da9aed0b4bd1ea14cf96b89cb6560dac243fd1e71e6aefe5f13c3db1b3b6236dc8dc5

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\install_flash_player.exe
    Filesize

    231KB

    MD5

    9955cb328648677787bfabf1b953f508

    SHA1

    b67d75492b84980fc3acbe651b142fb63b9a2f3b

    SHA256

    9089e1b8ed19287d3a84610760c62ad63bbf5becbf4ea3e6e70934725d00cccf

    SHA512

    8aa1087adf3953394eb57082e77e65cf425663b9df26bf612f40ea3c78dcdf6080b5608f82a11f1afeaf1fbd2f0f736b49176a33b646373efc8cc516fe39fb77

    Download Submit

  • memory/1384-109-0x0000000000400000-0x0000000000461000-memory.dmp

    Filesize

    388KB

    Download

  • memory/1488-22-0x0000000000400000-0x0000000000461000-memory.dmp

    Filesize

    388KB

    Download

  • memory/1488-23-0x0000000000400000-0x0000000000461000-memory.dmp

    Filesize

    388KB

    Download

  • memory/1488-19-0x0000000000400000-0x0000000000461000-memory.dmp

    Filesize

    388KB

    Download

  • memory/1488-40-0x0000000000400000-0x0000000000461000-memory.dmp

    Filesize

    388KB

    Download

  • memory/2488-88-0x0000000000400000-0x0000000000461000-memory.dmp

    Filesize

    388KB

    Download

  • memory/2724-53-0x0000000000400000-0x0000000000461000-memory.dmp

    Filesize

    388KB

    Download

  • memory/2736-74-0x0000000000400000-0x0000000000461000-memory.dmp

    Filesize

    388KB

    Download

  • memory/3308-67-0x0000000000400000-0x0000000000461000-memory.dmp

    Filesize

    388KB

    Download

  • memory/3536-44-0x0000000000400000-0x0000000000461000-memory.dmp

    Filesize

    388KB

    Download

  • memory/3684-60-0x0000000000400000-0x0000000000461000-memory.dmp

    Filesize

    388KB

    Download

  • memory/3696-102-0x0000000000400000-0x0000000000461000-memory.dmp

    Filesize

    388KB

    Download

  • memory/3776-26-0x000000001B8B0000-0x000000001B956000-memory.dmp

    Filesize

    664KB

    Download

  • memory/3776-51-0x00007FFC73D55000-0x00007FFC73D56000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3776-52-0x00007FFC73AA0000-0x00007FFC74441000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/3776-43-0x000000001C4E0000-0x000000001C52C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/3776-42-0x0000000001100000-0x0000000001108000-memory.dmp

    Filesize

    32KB

    Download

  • memory/3776-41-0x000000001C400000-0x000000001C49C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/3776-37-0x000000001BF30000-0x000000001C3FE000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/3776-33-0x00007FFC73AA0000-0x00007FFC74441000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/3776-30-0x00007FFC73AA0000-0x00007FFC74441000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/3776-24-0x00007FFC73D55000-0x00007FFC73D56000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4292-95-0x0000000000400000-0x0000000000461000-memory.dmp

    Filesize

    388KB

    Download

  • memory/4308-81-0x0000000000400000-0x0000000000461000-memory.dmp

    Filesize

    388KB

    Download