Analysis

  • max time kernel
    121s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    15/07/2024, 01:39

General

  • Target

    47aede614651f6b6da07fa85c6530bd0_JaffaCakes118.exe

  • Size

    314KB

  • MD5

    47aede614651f6b6da07fa85c6530bd0

  • SHA1

    ea59ca4373f792d475775ccea6d81b2347b1a6cd

  • SHA256

    84b6fed45c78692909d800bda2f89830de123955484fea040f0026e3d122e3a3

  • SHA512

    32fc1c21be06719fa1932464f733e567f5a9c13abfbe522603a3c05ae4c5ac1df6dc92fe4838f612ec7af87876a5ac99188d75b9b391ca6e7d946b2a5ed9c273

  • SSDEEP

    6144:MRAhhJxX7bNIAROzTuft0Mt+til+XDVLMBvZahDzElq0oAU7UBIMA:UsAAPF0Mt+Il+z3pR+a

Score
8/10

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 1 IoCs
  • Modifies system executable filetype association 2 TTPs 2 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in System32 directory 6 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies registry class 12 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
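
The three registry-based signatures above (Active Setup, Run key, executable filetype association) are easiest to confirm on a live host or a forensic image by exporting the relevant keys with reg.exe and checking where each command points. The script below is an added example, not part of the tria.ge report and not the sample's own code: it parses a constructed .reg export and flags Active Setup StubPath entries and Run values whose executable sits outside the trusted system directories, plus any exefile\shell\open\command default that differs from the Windows default of "%1" %*. The export text, the {11111111-...} component GUID, and the value names are made up for illustration; the report does not disclose the key names the sample used.

```python
"""Triage a .reg export for Active Setup, Run-key and exefile-handler persistence.

Added example, not part of the tria.ge report. The export below is constructed;
the {11111111-...} component GUID and the value names are hypothetical.
Active Setup works like this: at logon, runonce.exe executes the StubPath of every
HKLM\...\Installed Components\{GUID} whose Version is newer than the HKCU copy, so
a StubPath that points at an attacker-controlled file runs once per user profile.
"""
import re
from dataclasses import dataclass

TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64",
                r"c:\program files", r"c:\program files (x86)")
DEFAULT_EXEFILE_CMD = '"%1" %*'          # value a clean exefile\shell\open\command holds
ACTIVE_SETUP = "\\active setup\\installed components\\"
RUN_KEY = "\\currentversion\\run"
EXEFILE_CMD = "exefile\\shell\\open\\command"

# Constructed export in reg.exe format (backslashes and quotes are escaped with '\').
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}]
"StubPath"="C:\\Windows\\System32\\ie4uinit.exe -UserConfig"
"Version"="11,0,17763,1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{11111111-2222-3333-4444-555555555555}]
"StubPath"="C:\\Windows\\svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"
"svchost"="C:\\Windows\\svchost.exe"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\Windows\\svchost.exe\" \"%1\" %*"
'''


@dataclass
class Finding:
    key: str
    value: str
    command: str
    reason: str


def parse_reg_export(text: str) -> dict:
    """Return {key_path: {value_name: data}} for the string values in a .reg export.

    Binary and dword values are skipped; '\\x' escapes are collapsed to 'x'.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line and line.endswith('"'):
            name, _, data = line.partition("=")
            if data.startswith('"'):
                name = "@" if name == "@" else name.strip('"')
                keys[current][name] = re.sub(r"\\(.)", r"\1", data[1:-1])
    return keys


def executable_of(command: str) -> str:
    """Program path of a command line: the quoted token if quoted, else the first token."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    return command.split(" ", 1)[0]


def is_trusted(path: str) -> bool:
    p = path.lower()
    return any(p.startswith(d + "\\") for d in TRUSTED_DIRS)


def triage(keys: dict) -> list:
    """Flag persistence entries whose target is not where a benign one would be."""
    findings = []
    for key, values in keys.items():
        k = key.lower()
        if ACTIVE_SETUP in k:
            cmd = values.get("StubPath")
            if cmd and not is_trusted(executable_of(cmd)):
                findings.append(Finding(key, "StubPath", cmd, "Active Setup stub outside trusted directories"))
        elif k.endswith(RUN_KEY):
            for name, cmd in values.items():
                if not is_trusted(executable_of(cmd)):
                    findings.append(Finding(key, name, cmd, "Run value outside trusted directories"))
        elif k.endswith(EXEFILE_CMD):
            cmd = values.get("@", "")
            if cmd != DEFAULT_EXEFILE_CMD:
                findings.append(Finding(key, "@", cmd, "exefile handler hijacked"))
    return findings


if __name__ == "__main__":
    for f in triage(parse_reg_export(SAMPLE_EXPORT)):
        print(f"{f.reason}: {f.key} [{f.value}] -> {f.command}")
```

Note the limit of a directory check: the second dropped file in this report, C:\Windows\SysWOW64\concp32.exe, lands inside a trusted directory and would pass it. For that file, match on the SHA256 listed under Downloads instead.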

Processes

  • C:\Users\Admin\AppData\Local\Temp\47aede614651f6b6da07fa85c6530bd0_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\47aede614651f6b6da07fa85c6530bd0_JaffaCakes118.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2716
    • C:\Windows\svchost.exe
      C:\Windows\svchost.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Modifies registry class
      PID:340

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\SysWOW64\concp32.exe

    Filesize

    314KB

    MD5

    2892ad3af6d4ce35731c7ced6fccde4b

    SHA1

    32b295f0449680034b50b04913ea8868d342ce4e

    SHA256

    6264c02db691b37e6f2356930186409aaa684962f3331e51f99f246c0c4f2065

    SHA512

    5f1f376a5b942ab40d0c1ae42427e4cfcaee7c0e29b61368d892f0eaef4bc27941806bfcd313d819e4d01c497f176d68d81af6bb3da6263cbe25ccf3114cdba1

  • C:\Windows\svchost.exe

    Filesize

    317KB

    MD5

    ed79335ce52323625b23e71f46a32227

    SHA1

    8d93b4269b6df0b69a7dd8eec13cacbf119c4baf

    SHA256

    5f8eaeeb06e88f6bed85031a6427440ee8b8aa56dea1fdb0169dbf8efbfb0d02

    SHA512

    cff5c2ad4fbd4118b7579fe5fafe9e47d44d09340d534fea567b1f40dfbb870544eb49810a668b556dab76c2d299316b189c15c17264d9f069c3ea712cc53bbe

  • memory/340-15-0x0000000000400000-0x0000000000435000-memory.dmp

    Filesize

    212KB

  • memory/2716-0-0x0000000000400000-0x0000000000435000-memory.dmp

    Filesize

    212KB

  • memory/2716-14-0x0000000000400000-0x0000000000435000-memory.dmp

    Filesize

    212KB