Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

3

489969040d...18.exe

windows7-x64

8

489969040d...18.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240704-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15/07/2024, 06:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    489969040de8996c10112600b5af0102_JaffaCakes118.exe

  • Size

    624KB

  • MD5

    489969040de8996c10112600b5af0102

  • SHA1

    b84cb222f0f228f735bda64c222b6b1f4ad20a6a

  • SHA256

    600f0c7f3065a243989f6ce276bc0599e65163b88cc1ec3ae1fd64cf7f713b9d

  • SHA512

    df9526d91b4df620440377a2249f364f2409766266884b629530de2c0dab62e1b1c2ef27f4565b00c4c23629cb3e50abc44b643f34e34754376f80e955824c75

  • SSDEEP

    6144:q8WuvadI/lk4MGw2uTniKCcpOHykxJyjGvj3T:qJuOI9TpnGiK5OHtxd

Score
8/10
evasionexecutionpersistence

Malware Config

Signatures

  • Stops running service(s) 4 TTPs
    evasionexecution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Boot or Logon Autostart Execution: Time Providers 1 TTPs 4 IoCs

    The Windows Time service (W32Time) enables time synchronization across and within domains.

    persistence
  • Launches sc.exe 2 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 8 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\489969040de8996c10112600b5af0102_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\489969040de8996c10112600b5af0102_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3860
    • C:\Users\Admin\AppData\Local\Temp\Q.exe
      "C:\Users\Admin\AppData\Local\Temp\Q.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Boot or Logon Autostart Execution: Time Providers
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4416
      • C:\Windows\SysWOW64\sc.exe
        sc stop w32time
        3⤵
        • Launches sc.exe
        PID:2152
      • C:\Windows\SysWOW64\sc.exe
        sc config w32time start= auto
        3⤵
        • Launches sc.exe
        PID:4476
      • C:\Windows\SysWOW64\net.exe
        net start w32time
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:5020
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 start w32time
          4⤵
            PID:4924
        • C:\gvmdsj\app.exe
          C:\gvmdsj\app.exe
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          PID:1564

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\SysWOW64\bak8011252.log
      Filesize

      39B

      MD5

      8ec5e9c5b7ec787f5606b657c8978a07

      SHA1

      5dc17dfc496ae6ca915f8a4d179c899c8e41dbe8

      SHA256

      c1c4552850a26cc53eccd659cfcd4fc3627b0b1dd677d0040e2d16ca5405d579

      SHA512

      8ac9ac25aad558590e1a6c8a97f1c429b9fc38836ddb6428c9e1e0a8985ffe8f81b85e3ae84898bae344587a187d136eeb01337d3d17166cab81ef5571f0a4d2

      Download Submit

    • C:\gvmdsj\app.exe
      Filesize

      15KB

      MD5

      c8c7f7472e5c059cbcc99d1eedd0d1ae

      SHA1

      10013a17639887f8c8ee2b37ec111352b9102832

      SHA256

      066bd9a9e327df4422beb4922e49be328db8adc1b7c6fad7e4b5f1c47c5655c9

      SHA512

      82762abeade3df840095f95f0559a1a6164e62bae3ff74e547df22dc59034b3ac65a540065aba2434798a6d3a8915ac455d564e0ab885333601fffa32e3272d0

      Download Submit

    • memory/4416-10-0x0000000000400000-0x0000000005756000-memory.dmp

      Filesize

      83.3MB

      Download

    • memory/4416-24-0x0000000000400000-0x0000000005756000-memory.dmp

      Filesize

      83.3MB

      Download