Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

7

452c03079c...18.exe

windows7-x64

10

452c03079c...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    14s
  • max time network
    20s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    14/07/2024, 09:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    452c03079c479667f61a329eeebf79b0_JaffaCakes118.exe

  • Size

    33KB

  • MD5

    452c03079c479667f61a329eeebf79b0

  • SHA1

    812785745a1aad6bf53486b6558252a47dcb4d39

  • SHA256

    993ba2778a53990821d0fc5d16e597a6df53c9ba47d3a1dfee102872f58de015

  • SHA512

    c8cda4e5e3b54db22ba970152d41348748a1f26d8732c19bb06ded980d7918318868122d54d5cc25c468a481b283abc5be8c762c9da41ef8f8581f8405822255

  • SSDEEP

    768:EuUv9Fk8jvbj3BmXPwO80I/w2U2zNH9ykEhBr4KNY1oggihr:ExLk8j/RmXF8dtzNH9xEYFOU

Score
10/10
evasionexecutionupx

Malware Config

Signatures

  • Disables service(s) 3 TTPs
    evasionexecution
  • Stops running service(s) 4 TTPs
    evasionexecution
  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in System32 directory 8 IoCs
  • Launches sc.exe 2 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\452c03079c479667f61a329eeebf79b0_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\452c03079c479667f61a329eeebf79b0_JaffaCakes118.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1996
    • C:\Windows\SysWOW64\net.exe
      net stop cryptsvc
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2404
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop cryptsvc
        3⤵
          PID:2728
      • C:\Windows\SysWOW64\sc.exe
        sc config cryptsvc start= disabled
        2⤵
        • Launches sc.exe
        PID:2456
      • C:\Windows\SysWOW64\sc.exe
        sc delete cryptsvc
        2⤵
        • Launches sc.exe
        PID:2476
      • C:\Windows\SysWOW64\rundll32.exe
        C:\Users\Admin\AppData\Local\Temp\1720948063.dat, ServerMain c:\users\admin\appdata\local\temp\452c03079c479667f61a329eeebf79b0_jaffacakes118.exe
        2⤵
        • Deletes itself
        • Loads dropped DLL
        PID:3032

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\1720948063.dat
      Filesize

      33KB

      MD5

      eee3c37298639cd1c47dfce399e422ea

      SHA1

      4a2928b3a251bdac5573d797722de18bdefc97a2

      SHA256

      374da93eaa08af95f3e7fbac3499b3791236f29960e11b4168c0ffd945824784

      SHA512

      b459a1c699adca9f4f7ff4f46a4389c3a2c9e26d4829b0c46782e8db7299701d1d4c2382aa5c1f9435012b311abb94eef4128f49eb270fcdec9b60914925d5f5

      Download Submit

    • memory/1996-0-0x0000000000400000-0x0000000000416000-memory.dmp

      Filesize

      88KB

      Download

    • memory/1996-10-0x0000000000400000-0x0000000000416000-memory.dmp

      Filesize

      88KB

      Download