Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

3

489969040d...18.exe

windows7-x64

8

489969040d...18.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    15/07/2024, 06:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    489969040de8996c10112600b5af0102_JaffaCakes118.exe

  • Size

    624KB

  • MD5

    489969040de8996c10112600b5af0102

  • SHA1

    b84cb222f0f228f735bda64c222b6b1f4ad20a6a

  • SHA256

    600f0c7f3065a243989f6ce276bc0599e65163b88cc1ec3ae1fd64cf7f713b9d

  • SHA512

    df9526d91b4df620440377a2249f364f2409766266884b629530de2c0dab62e1b1c2ef27f4565b00c4c23629cb3e50abc44b643f34e34754376f80e955824c75

  • SSDEEP

    6144:q8WuvadI/lk4MGw2uTniKCcpOHykxJyjGvj3T:qJuOI9TpnGiK5OHtxd

Score
8/10
evasionexecutionpersistence

Malware Config

Signatures

  • Stops running service(s) 4 TTPs
    evasionexecution
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 5 IoCs
  • Drops file in System32 directory 1 IoCs
  • Boot or Logon Autostart Execution: Time Providers 1 TTPs 4 IoCs

    The Windows Time service (W32Time) enables time synchronization across and within domains.

    persistence
  • Launches sc.exe 2 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 8 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\489969040de8996c10112600b5af0102_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\489969040de8996c10112600b5af0102_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2844
    • C:\Users\Admin\AppData\Local\Temp\z.exe
      "C:\Users\Admin\AppData\Local\Temp\z.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • Boot or Logon Autostart Execution: Time Providers
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2588
      • C:\Windows\SysWOW64\sc.exe
        sc stop w32time
        3⤵
        • Launches sc.exe
        PID:1808
      • C:\Windows\SysWOW64\sc.exe
        sc config w32time start= auto
        3⤵
        • Launches sc.exe
        PID:2084
      • C:\Windows\SysWOW64\net.exe
        net start w32time
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:660
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 start w32time
          4⤵
            PID:776
        • C:\gvmdsj\app.exe
          C:\gvmdsj\app.exe
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          PID:584
    • C:\Windows\SysWOW64\DllHost.exe
      C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
      1⤵
      • Suspicious use of FindShellTrayWindow
      PID:2744

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\SysWOW64\bak8011252.log
      Filesize

      39B

      MD5

      7cdf9efe6d348fb5f02b6d708bed157f

      SHA1

      c9f1808033ff7437245104ca4365cbfbac795c56

      SHA256

      74dae75c52e25f7cc33dca6c01329e97232651f24e62151cca305da300834416

      SHA512

      1af3c0fe1058ca6f067628876f10a831fd77adf862252a1176ee5fcf358e13a26a63d07c6b98a6aeda596af6dd3d9414a2e4ab7c562dec390ecf3517f74b99f6

      Download Submit

    • C:\temp.jpg
      Filesize

      28KB

      MD5

      25495f6452bbd173e6f8896299a3d28d

      SHA1

      5fea1e186623f8802e7214bf57fa37c6037af76f

      SHA256

      431fca043e704d0743cb5dc08cb9076a6c81af3fe58dacfaafe8a517dfb28bff

      SHA512

      93b8fc45e87d4045d52aa740f84707197d5c53dc56b2a86670ee6c4a17fffdeb55138c4b819c74b05a3f2b37408e4c05a2f331a32d415e4f0a4709bf95db1488

      Download Submit

    • \gvmdsj\app.exe
      Filesize

      15KB

      MD5

      c8c7f7472e5c059cbcc99d1eedd0d1ae

      SHA1

      10013a17639887f8c8ee2b37ec111352b9102832

      SHA256

      066bd9a9e327df4422beb4922e49be328db8adc1b7c6fad7e4b5f1c47c5655c9

      SHA512

      82762abeade3df840095f95f0559a1a6164e62bae3ff74e547df22dc59034b3ac65a540065aba2434798a6d3a8915ac455d564e0ab885333601fffa32e3272d0

      Download Submit

    • memory/2744-2-0x00000000000B0000-0x00000000000B2000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2744-3-0x00000000003A0000-0x00000000003A1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2744-33-0x00000000003A0000-0x00000000003A1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2844-1-0x00000000003F0000-0x00000000003F2000-memory.dmp

      Filesize

      8KB

      Download