Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

4bdef79bc1...18.exe

windows7-x64

7

4bdef79bc1...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    142s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15/07/2024, 23:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4bdef79bc1f1709049f3f4e1aefa9d3a_JaffaCakes118.exe

  • Size

    17KB

  • MD5

    4bdef79bc1f1709049f3f4e1aefa9d3a

  • SHA1

    1f923501094b234ef59596adab187874f734e882

  • SHA256

    160d68f65b5ab4690993398f63a3407d113f5ce70e35aee6a44e1b36b637047c

  • SHA512

    30a210ba33ef4eb6bc32cb50d93d2b46376d90b0ff90cebfa00873721e6fe45efdc7f576af18e7c1d57d3032006d3e5ddc59df62fa9020fe19e1201c9a8e07c9

  • SSDEEP

    384:Ny+26QIVmapXo0rridertW0w0PBVrivaa2zFAVhh:NLFQI/YirCkwGV2yFzFi

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 5 IoCs
  • Runs net.exe
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4bdef79bc1f1709049f3f4e1aefa9d3a_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\4bdef79bc1f1709049f3f4e1aefa9d3a_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:3520
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\a.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1496
      • C:\Windows\SysWOW64\net.exe
        net stop "Security Center"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4720
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop "Security Center"
          4⤵
            PID:4572
        • C:\Windows\SysWOW64\net.exe
          net stop winvnc4
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4536
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop winvnc4
            4⤵
              PID:3800
      • C:\Windows\utorrent.exe
        "C:\Windows\utorrent.exe"
        1⤵
        • Executes dropped EXE
        • Modifies data under HKEY_USERS
        • Suspicious use of WriteProcessMemory
        PID:4848
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\a.bat" "
          2⤵
            PID:1776

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Windows\utorrent.exe
          Filesize

          17KB

          MD5

          4bdef79bc1f1709049f3f4e1aefa9d3a

          SHA1

          1f923501094b234ef59596adab187874f734e882

          SHA256

          160d68f65b5ab4690993398f63a3407d113f5ce70e35aee6a44e1b36b637047c

          SHA512

          30a210ba33ef4eb6bc32cb50d93d2b46376d90b0ff90cebfa00873721e6fe45efdc7f576af18e7c1d57d3032006d3e5ddc59df62fa9020fe19e1201c9a8e07c9

          Download Submit

        • C:\a.bat
          Filesize

          71B

          MD5

          4db2c561024318efaf926a8e0a6ebc36

          SHA1

          8e3060152b239e7c7bc488e79030b9e3c13de066

          SHA256

          f9ea85780a059d9338c359925ec487588102ef55be4062ec4ac19efc8af59f0f

          SHA512

          df700bc9348e147ceb1db687974c567fdff052d73eb4709b718f3b3dfaf44116a5a70c0ae62438416888c0783a575e524f501da1308bbc987443ec3c852bef99

          Download Submit

        • memory/3520-10-0x0000000000400000-0x000000000094F71D-memory.dmp

          Filesize

          5.3MB

          Download

        • memory/4848-11-0x0000000000400000-0x000000000094F71D-memory.dmp

          Filesize

          5.3MB

          Download

        • memory/4848-13-0x0000000000400000-0x000000000094F71D-memory.dmp

          Filesize

          5.3MB

          Download

        • memory/4848-16-0x0000000000400000-0x000000000094F71D-memory.dmp

          Filesize

          5.3MB

          Download

        • memory/4848-19-0x0000000000400000-0x000000000094F71D-memory.dmp

          Filesize

          5.3MB

          Download

        • memory/4848-22-0x0000000000400000-0x000000000094F71D-memory.dmp

          Filesize

          5.3MB

          Download

        • memory/4848-24-0x0000000000400000-0x000000000094F71D-memory.dmp

          Filesize

          5.3MB

          Download