Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

3

46bc5106f5...18.exe

windows7-x64

8

46bc5106f5...18.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    95s
  • max time network
    97s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14/07/2024, 17:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    46bc5106f5fe4f052ef7e81e72ef9e00_JaffaCakes118.exe

  • Size

    6.3MB

  • MD5

    46bc5106f5fe4f052ef7e81e72ef9e00

  • SHA1

    9c8d40e37c12ff826fe40bb754a9545540bb5cb4

  • SHA256

    e05b109dfccf2a012f2ca7103698e49716162b3a2167999cbaacb09e4befe26d

  • SHA512

    109eaa056f06c6fd7df04d523a65a1e21501f0b64d1e2089423d09733e9a63d394a4702220d9a1575af17a72ca569302c2908eed7f5b8ae11c1f44d16c868502

  • SSDEEP

    196608:PXY0CVT4ID7vg/w3fmuSyiMNRIdT4OQ4HA:QNVcIDTuw3fmUzRIZnA

Score
8/10
evasion

Malware Config

Signatures

  • Sets file to hidden 1 TTPs 2 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 9 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\46bc5106f5fe4f052ef7e81e72ef9e00_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\46bc5106f5fe4f052ef7e81e72ef9e00_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1908
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mp4.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3524
      • C:\Windows\SysWOW64\attrib.exe
        attrib +s +h CONFIG.exe
        3⤵
        • Sets file to hidden
        • Views/modifies file attributes
        PID:4908
      • C:\Windows\SysWOW64\attrib.exe
        attrib +s +h mp4.bat
        3⤵
        • Sets file to hidden
        • Views/modifies file attributes
        PID:4192

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\CONFIG.exe
    Filesize

    7.8MB

    MD5

    6689d1437f7955660e6ff092cc31af66

    SHA1

    3dc878925f5bd915c82ff7e616da978ff43cc4af

    SHA256

    f271e8caab4a44a98d9afe125b805ee6d676e07a25524b459414430574521f50

    SHA512

    d7067387dde53985453c4e182ce1de0f17dbd89ff788b61b863ae67a413a85cdca23b7732a3a3d172d71a3b9a70501d97ad1def53adbe77012b6727d0603a113

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\mp4.bat
    Filesize

    92B

    MD5

    de663029cbdea0bd94cd7dc80ed25366

    SHA1

    1c20609ac2d662f824cd24b1bed23a6715e8a76d

    SHA256

    8bd168d10029749a35b8bb6e63a8752dc8f21e75ed45c1b4395b8d59b4cc8c75

    SHA512

    7c2771d9e6d1c513427f7f6bf2eed42983a617acddc7e1655b4b56bf69b42c754fcfacc0921e8cd5e9b56d2e733cf7cedb481666801a2a0d0f53ee7de849214c

    Download Submit