Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

4be8ed86e1...18.exe

windows7-x64

7

4be8ed86e1...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    94s
  • max time network
    113s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15/07/2024, 23:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4be8ed86e17763d30115400b9bfdb325_JaffaCakes118.exe

  • Size

    298KB

  • MD5

    4be8ed86e17763d30115400b9bfdb325

  • SHA1

    e838fb964812f7185a0d4d11373f63cc55b98e05

  • SHA256

    70888da1e4742ba9c39375af1a929736f519e4b7d85ffe5595404f067dcea399

  • SHA512

    da69abf8d9412a1b6c8367c5e6e7fe9fe7edf86439996c9f6cf049d6f0d9a239ab6ea95e305d9ef5c95a70240ee2af2945d992c2a2a4ab12cf8955cbdcb71ceb

  • SSDEEP

    6144:yRHUlXZmcUtyKNVwWJcsf3r1qfw9EYjOUt6f8H0p1SpaFqed:ZmcUtHbcsPpCw+LUkqA1D

Score
7/10
persistence

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 29 IoCs
    adwarespyware
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3428
      • C:\Users\Admin\AppData\Local\Temp\4be8ed86e17763d30115400b9bfdb325_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\4be8ed86e17763d30115400b9bfdb325_JaffaCakes118.exe"
        2⤵
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:3744
        • C:\Users\Admin\AppData\Local\Temp\SAB9AE8.exe
          "C:\Users\Admin\AppData\Local\Temp\SAB9AE8.exe"
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Drops file in System32 directory
          • Suspicious use of WriteProcessMemory
          PID:2496
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c start iexplore -embedding
            4⤵
            • Checks computer location settings
            • Suspicious use of WriteProcessMemory
            PID:1276
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe" -embedding
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:1028
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1028 CREDAT:17410 /prefetch:2
                6⤵
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:2160
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\AFG9C5F.bat"
            4⤵
              PID:4460
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 2496 -s 584
              4⤵
              • Program crash
              PID:2584
          • C:\Users\Admin\AppData\Local\Temp\SAB9C41.exe
            "C:\Users\Admin\AppData\Local\Temp\SAB9C41.exe"
            3⤵
            • Executes dropped EXE
            PID:3004
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2496 -ip 2496
        1⤵
          PID:2156

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\5HI12B12\suggestions[1].en-US
          Filesize

          17KB

          MD5

          5a34cb996293fde2cb7a4ac89587393a

          SHA1

          3c96c993500690d1a77873cd62bc639b3a10653f

          SHA256

          c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

          SHA512

          e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\AFG9C5F.bat
          Filesize

          188B

          MD5

          1bdcf848a10aa36bdc9c37746c5af0ff

          SHA1

          7ccba81a04962932424412dfc35c42046e61a16c

          SHA256

          5a39381627dd111dddf73aaf08432f31858bd777da1d2536637c930f57dc8e94

          SHA512

          26f02f6407a79467759368b393f3caa6c37fd4a5b3199526c84a915310e4ed82146744d6452ebf07251c6dd81790de6925b744f23e37712e329beb95a3da1f0f

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\AFG9C5F.tmp
          Filesize

          60KB

          MD5

          e0580110d563b9825819840a3a5acc57

          SHA1

          8ad196cac4f4ba2cae767a296a5167b1b59404ab

          SHA256

          e55789fb610deadf5b2f1e1653ecd3cce065e1e79aa0125eb92af5d4573b2f95

          SHA512

          8e9c2cacf697bca7a9a2f84b4bcbaf626caf5a931fabbbc0617f1cc1bfb0625e90a28317ab708af9e178d7703d5f8b898c0b4950996b8f49b3924563e88b4852

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\SAB9AE8.exe
          Filesize

          133KB

          MD5

          a2b3a7c27f6569858d2dbfbf1f4858d4

          SHA1

          93ed7e0517176342b7f70393776b54ba918e3bf5

          SHA256

          2a364ae850abf4ab7cafd81332151b19b5ec062e33ba71113cfda5a619963690

          SHA512

          1bd0c959f19b7d2b91832e878d5849e3184ce26c7efc4cab0f03ef510b7a9c932d207414a948cf8fdd7c1f17ff90c27a5874804268df996a65fc2a29e414f463

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\SAB9C41.exe
          Filesize

          90KB

          MD5

          d3457d4d1fc2c4ccb383a099a6d464f2

          SHA1

          213f013aa924c5e957ae32ad5e94f0df45039ad5

          SHA256

          a82c6534fb86e5cb189f20b9b11cb76f6845beedd5be5fb4a6dd313db08eaf8a

          SHA512

          6f04f77886b6f21529125a46771637da74255f0f5f48ef7360cf7c66c7fdf161f706bc9423bc7f4cd584eb1f8df31677892b5ae2b9c064437b27fec42e16f1b8

          Download Submit

        • memory/3004-19-0x0000000000060000-0x0000000000078000-memory.dmp

          Filesize

          96KB

          Download

        • memory/3004-20-0x0000000000060000-0x0000000000078000-memory.dmp

          Filesize

          96KB

          Download

        • memory/3004-21-0x0000000000040000-0x000000000005C000-memory.dmp

          Filesize

          112KB

          Download

        • memory/3428-30-0x000000007FFF0000-0x000000007FFF1000-memory.dmp

          Filesize

          4KB

          Download