Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    14/07/2024, 13:36

General

  • Target

    460bd9a2df6429fcc2fac0546ac3d0d5_JaffaCakes118.exe

  • Size

    333KB

  • MD5

    460bd9a2df6429fcc2fac0546ac3d0d5

  • SHA1

    e99f6b2e38e51b79d7273806b85d3c512672dd92

  • SHA256

    a8f5d5105e68655b4eda2dbc2302bf09991121a3776c3967d6cb1ea939d817f8

  • SHA512

    5747aef7d0b7eb64ab37e1f7f50425bc6d9fcb1e54ce7d1105860f39128391b99e18afacb83d838ea77183ee76fba3a299c925724e7f6cf6680f458df0b24a98

  • SSDEEP

    6144:MRAhhJxX7bNIKTQ/ary6Gpdp+8dbYCWATtANNkd0gcLdk2snWC8k:UsAL/WByCJoMz4Wxk

Score
8/10

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 1 IoCs
  • Modifies system executable filetype association 2 TTPs 2 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in System32 directory 6 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies registry class 12 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\460bd9a2df6429fcc2fac0546ac3d0d5_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\460bd9a2df6429fcc2fac0546ac3d0d5_JaffaCakes118.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2392
    • C:\Windows\spoolsv.exe
      C:\Windows\spoolsv.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Modifies registry class
      PID:1384

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\SysWOW64\concp32.exe

    Filesize

    334KB

    MD5

    b33b1391d384179863fd9dfbb84dd64f

    SHA1

    2b53286340836cebba1c067e353fa1fb42879051

    SHA256

    8420aac5462089a3baeaac73be78284952c22d469ef863747accd6d40687249a

    SHA512

    98b44bc89ca9a8eaa3f82a45eab5793f938475133fdc6ca91b6fb8035a29e9247e773139bea3cfbe6024b4a606f730f9c632c9afbaa00570542d57682b5319d1

  • C:\Windows\spoolsv.exe

    Filesize

    336KB

    MD5

    e05712f62716e55e636545b1e25b4ee7

    SHA1

    7ab37b8bd58ab75dd0b5104f34ca52845efb9cf6

    SHA256

    b427ef75074834d000886f58347e6642008190ba1202dee812f79efca86f9aa3

    SHA512

    deabdfbd3f067b38f04a7ff122b7b5ef2550345c5c62e49ae10111175776942ea608f32a77e369e82b5405ecd30837a363c6c2951f1bb4bcc58339d40306083e

  • memory/1384-15-0x0000000000400000-0x0000000000435000-memory.dmp

    Filesize

    212KB

  • memory/2392-6-0x0000000000400000-0x0000000000435000-memory.dmp

    Filesize

    212KB

  • memory/2392-14-0x0000000000400000-0x0000000000435000-memory.dmp

    Filesize

    212KB
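The signatures above describe three persistence and hijack mechanisms (an Active Setup StubPath, Run keys, and a rewritten exefile open command) plus two dropped binaries whose hashes are listed under Downloads. The following host-side check is an added example, not part of the tria.ge report or its signature logic: it hashes the two drop paths against the report's SHA256 values and enumerates the registry locations those techniques use. It assumes the standard Windows locations for Active Setup, Run keys and the exefile class, and that an untampered exefile open command is `"%1" %*`; the `$KnownDrops` table and the `spoolsv|concp32` pattern are taken from this report only, so adapt them for other samples.

```powershell
# Added host check for the IoCs in this tria.ge report (not the sandbox's own code).
# Run from an elevated PowerShell on a host suspected of having executed the sample.
$ErrorActionPreference = 'SilentlyContinue'

# Dropped files from the "Downloads" section, path -> SHA256 (copied from the report).
$KnownDrops = @{
    'C:\Windows\spoolsv.exe'          = 'b427ef75074834d000886f58347e6642008190ba1202dee812f79efca86f9aa3'
    'C:\Windows\SysWOW64\concp32.exe' = '8420aac5462089a3baeaac73be78284952c22d469ef863747accd6d40687249a'
}

Write-Host '== Dropped files =='
foreach ($path in $KnownDrops.Keys) {
    if (Test-Path -LiteralPath $path) {
        $h = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash.ToLower()
        if ($h -eq $KnownDrops[$path]) { $state = 'hash MATCHES report' }
        else { $state = 'present but hash differs (still not a normal location)' }
        Write-Host "[!] $path : $state"
    }
}
# Caveat: the legitimate Print Spooler binary is %SystemRoot%\System32\spoolsv.exe.
# A spoolsv.exe directly under C:\Windows is suspicious regardless of its hash.

Write-Host '== Active Setup Installed Components (StubPath runs at each user''s next logon) =='
$asKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components'
)
foreach ($k in $asKeys) {
    Get-ChildItem -Path $k | ForEach-Object {
        $stub = (Get-ItemProperty -Path $_.PSPath).StubPath
        if (-not $stub) { return }
        # Pattern is specific to this sample's drop names (assumption for this example).
        $flag = if ($stub -match 'spoolsv|concp32') { '[!]' } else { '   ' }
        Write-Host "$flag $($_.PSChildName) -> $stub"
    }
}

Write-Host '== Run keys =='
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($k in $runKeys) {
    $props = Get-ItemProperty -Path $k
    if (-not $props) { continue }
    $props.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object {
            $flag = if ($_.Value -match 'spoolsv|concp32|C:\\Windows\\[^\\]+\.exe') { '[!]' } else { '   ' }
            Write-Host "$flag $k\$($_.Name) = $($_.Value)"
        }
}

Write-Host '== exefile association =='
# "Modifies system executable filetype association": a hijacked handler wraps or
# replaces the default open command so every .exe launch goes through the malware.
$cmdKey = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'
$cmd = (Get-ItemProperty -Path $cmdKey).'(default)'
if ($cmd -eq '"%1" %*') {
    Write-Host '    exefile\shell\open\command is the default ("%1" %*)'
} else {
    Write-Host "[!] exefile\shell\open\command is: $cmd"
}
```

The exefile check is the one to act on first: if the open command has been rewritten, deleting the dropped binaries before restoring the value `"%1" %*` leaves the host unable to start any .exe, so restore the registry value (and the HKLM\SOFTWARE\Classes copy it is backed by) before removing the files.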