Analysis

  • max time kernel
    92s
  • max time network
    93s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12/07/2024, 16:38

General

  • Target

    3e1798ea5420466c1667188e41e171cb_JaffaCakes118.exe

  • Size

    836KB

  • MD5

    3e1798ea5420466c1667188e41e171cb

  • SHA1

    8f2003047624655cc5658c9019226c04e7cf7b24

  • SHA256

    2cfd2f69f21e92ff67d83babb0c5735bf99cc62961ddfa193f7385467c31c135

  • SHA512

    94b8da7be35354e05781cabba1f6503237bf7724a031746f1f15f6d7329e139c1037231f45516f58e784e51a8c50f632b0bf16e9254a0bafbba88d0786bdf468

  • SSDEEP

    12288:9ohV56tb4hr+fbtM0E92BD6KqnU7UIXTgdBzAXxto/lJ/zD:9ohV56d41p6BD1qnUQito/D

Score
10/10

Malware Config

Signatures

  • UAC bypass (3 TTPs, 3 IoCs)
  • Windows security bypass (2 TTPs, 3 IoCs)
  • Disables Task Manager via registry modification
  • Checks computer location settings (2 TTPs, 2 IoCs)

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE (3 IoCs)
  • Windows security modification (2 TTPs, 3 IoCs)
  • Checks whether UAC is enabled (1 TTP, 3 IoCs)
  • Suspicious use of SetThreadContext (1 IoC)
  • Drops file in Program Files directory (4 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (4 IoCs)
  • Suspicious use of SetWindowsHookEx (3 IoCs)
  • Suspicious use of WriteProcessMemory (14 IoCs)
  • System policy modification (1 TTP, 3 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\3e1798ea5420466c1667188e41e171cb_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\3e1798ea5420466c1667188e41e171cb_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2360
    • C:\Users\Admin\AppData\Local\Temp\Crypted.exe
      "C:\Users\Admin\AppData\Local\Temp\Crypted.exe"
      2⤵
      • UAC bypass
      • Windows security bypass
      • Checks computer location settings
      • Executes dropped EXE
      • Windows security modification
      • Checks whether UAC is enabled
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:4108
      • C:\Users\Admin\AppData\Local\Temp\uploadflashplayer.exe
        "C:\Users\Admin\AppData\Local\Temp\uploadflashplayer.exe"
        3⤵
        • UAC bypass
        • Windows security bypass
        • Executes dropped EXE
        • Windows security modification
        • Checks whether UAC is enabled
        • Suspicious use of SetThreadContext
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:3032
        • C:\Users\Admin\AppData\Local\Temp\uploadflashplayer.exe
          C:\Users\Admin\AppData\Local\Temp\uploadflashplayer.exe
          4⤵
          • UAC bypass
          • Windows security bypass
          • Executes dropped EXE
          • Windows security modification
          • Checks whether UAC is enabled
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • System policy modification
          PID:1904

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Crypted.exe

    Filesize

    620KB

    MD5

    29ebc64eb6ced58520999c37752e217c

    SHA1

    e3024f1beb2464e979bf534c086c6dc52a802c41

    SHA256

    53c9ad62d0e7014e6405c827964e06fed8671348b13244b4173fa455bf4b6337

    SHA512

    0d89bcd2628e89f06bc91a2bce2edd2556393690c318cef937082526a86b6b6c0781dbd1c9ce67fe8650974e0caec372878428e8dcf562cb483e9980697e7c82

  • C:\Users\Admin\AppData\Local\Temp\uploadflashplayer.exe

    Filesize

    620KB

    MD5

    6e8a660284e87843585f009b8a906649

    SHA1

    851ff02388ed77e5a7b6e040d788f0787f124101

    SHA256

    619a516bf0ab708f0816b4b817a8e209ce8632efbd03dca0f7e1c786f78fca13

    SHA512

    dc17d0d0df9ac301d0f8fcbe31eeec5e3ba8051466304a0b2140318f47b38b428edf3f818effaec86309be571db26ae622b9aa08e85826d4ffb1747d3f74ef87

  • memory/1904-49-0x0000000000400000-0x0000000000480000-memory.dmp

    Filesize

    512KB

  • memory/1904-46-0x0000000000400000-0x0000000000480000-memory.dmp

    Filesize

    512KB

  • memory/1904-44-0x0000000000400000-0x0000000000480000-memory.dmp

    Filesize

    512KB

  • memory/2360-8-0x00007FFF81440000-0x00007FFF81DE1000-memory.dmp

    Filesize

    9.6MB

  • memory/2360-6-0x000000001B540000-0x000000001B548000-memory.dmp

    Filesize

    32KB

  • memory/2360-7-0x000000001C970000-0x000000001C9BC000-memory.dmp

    Filesize

    304KB

  • memory/2360-0-0x00007FFF816F5000-0x00007FFF816F6000-memory.dmp

    Filesize

    4KB

  • memory/2360-5-0x000000001BBA0000-0x000000001BC3C000-memory.dmp

    Filesize

    624KB

  • memory/2360-21-0x00007FFF81440000-0x00007FFF81DE1000-memory.dmp

    Filesize

    9.6MB

  • memory/2360-4-0x000000001C3A0000-0x000000001C86E000-memory.dmp

    Filesize

    4.8MB

  • memory/2360-3-0x00007FFF81440000-0x00007FFF81DE1000-memory.dmp

    Filesize

    9.6MB

  • memory/2360-2-0x00007FFF81440000-0x00007FFF81DE1000-memory.dmp

    Filesize

    9.6MB

  • memory/2360-1-0x000000001B580000-0x000000001B626000-memory.dmp

    Filesize

    664KB

  • memory/3032-41-0x0000000000400000-0x000000000049B000-memory.dmp

    Filesize

    620KB