Analysis

  • max time kernel
    141s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    15/07/2024, 21:17 UTC

General

  • Target

    4b70f83599510d7a5e8835a3f54138b8_JaffaCakes118.exe

  • Size

    422KB

  • MD5

    4b70f83599510d7a5e8835a3f54138b8

  • SHA1

    b2b1bacca6baea0868b0f709d6570ea361fb6cc0

  • SHA256

    35a3cffedae27c865d539e4a17941bd56de3a957900ed4dd162fc2150a69dbb2

  • SHA512

    5547f4737133fde3cf2f5b6e063305d75cffe0071b69b2c78e1cfbd978b8cf51d28542933117e2a124aec3ec27046eb1f9a4124177644b642afa93d9e86f152c

  • SSDEEP

    12288:H3BEaZsRDHux7TSFqq2x49QTLpzkvFMPVrk7e0yk:hZsRDi7Tiv2x4eyMdrk7e0

Score
6/10

Malware Config

Signatures

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Checks for any installed AV software in registry (1 TTP, 1 IoC)
  • Enumerates physical storage devices (1 TTP): attempts to interact with connected storage/optical drive(s)
  • Kills process with taskkill (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of WriteProcessMemory (4 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\4b70f83599510d7a5e8835a3f54138b8_JaffaCakes118.exe (PID 1968, depth 1)
    Command line: "C:\Users\Admin\AppData\Local\Temp\4b70f83599510d7a5e8835a3f54138b8_JaffaCakes118.exe"
    • Adds Run key to start application
    • Checks for any installed AV software in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • Child: C:\Windows\SysWOW64\taskkill.exe (PID 3032, depth 2)
      Command line: taskkill.exe /F /IM MSASCui* /IM avg* /IM ash* /IM McSA* /IM msse*
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
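The child process is the most telling line in the tree: a forced taskkill whose `/IM` arguments are wildcards rather than full image names, so a single command sweeps every process whose name starts with MSASCui, avg, ash, McSA or msse. It is launched from SysWOW64, i.e. as a 32-bit child, which agrees with the arch:x86 resource tag. The following is an added triage helper written for this page, not code from tria.ge or from the sample. It takes Sysmon-style process-creation records (the first is the taskkill child from the tree above, the second is a constructed benign contrast), expands each wildcard against a constructed inventory of image names, and reports which security products the command would terminate and which unrelated processes get caught as collateral. The inventory and the product attributions are the editor's assumptions based on well-known process names; the report itself does not name the targeted products.

```python
"""Triage helper for wildcard taskkill sweeps (added example, not report code).

Parses Sysmon-style process-creation records, expands each ``/IM`` wildcard
against a constructed image-name inventory and reports which security
products (and which unrelated processes) a forced taskkill would hit.
"""
import fnmatch
import re
from typing import Dict, List, Optional

# Constructed inventory: image name -> security product, or None for an
# unrelated process. Product attributions are the editor's assumption from
# well-known process names, not something the tria.ge report states.
INVENTORY: Dict[str, Optional[str]] = {
    "MSASCui.exe": "Windows Defender (Windows 7 UI)",
    "msseces.exe": "Microsoft Security Essentials",
    "avgui.exe": "AVG",
    "avgnt.exe": "Avira",            # avg* reaches further than AVG alone
    "ashDisp.exe": "Avast 4.x",
    "ashServ.exe": "Avast 4.x",
    "McSACore.exe": "McAfee SiteAdvisor",
    "ashampoo_burn.exe": None,       # collateral: ash* matches this too
    "explorer.exe": None,
    "notepad.exe": None,
}

# Process-creation records. The first is the child from the report (PID 3032
# under PID 1968); the second is a constructed benign admin use for contrast.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"pid": 3032, "ppid": 1968, "image": r"C:\Windows\SysWOW64\taskkill.exe",
     "cmdline": "taskkill.exe /F /IM MSASCui* /IM avg* /IM ash* /IM McSA* /IM msse*"},
    {"pid": 4100, "ppid": 900, "image": r"C:\Windows\System32\taskkill.exe",
     "cmdline": "taskkill /F /IM notepad.exe"},
]

# taskkill accepts /IM or -IM case-insensitively; the image may carry '*'.
_IM_RE = re.compile(r"(?:^|\s)[/-]im\s+(\S+)", re.IGNORECASE)
_FORCE_RE = re.compile(r"(?:^|\s)[/-]f(?:\s|$)", re.IGNORECASE)


def image_patterns(cmdline: str) -> List[str]:
    """Return every /IM argument, wildcards intact, in command-line order."""
    return _IM_RE.findall(cmdline)


def matched_images(cmdline: str, inventory: Dict[str, Optional[str]] = INVENTORY) -> List[str]:
    """Expand the /IM patterns against the inventory, case-insensitively like taskkill."""
    hits: List[str] = []
    for pattern in image_patterns(cmdline):
        for image in inventory:
            if fnmatch.fnmatchcase(image.lower(), pattern.lower()) and image not in hits:
                hits.append(image)
    return hits


def killed_security_products(cmdline: str, inventory: Dict[str, Optional[str]] = INVENTORY) -> Dict[str, str]:
    """Security images the command would terminate, mapped to their product."""
    return {img: inventory[img] for img in matched_images(cmdline, inventory) if inventory[img]}


def collateral(cmdline: str, inventory: Dict[str, Optional[str]] = INVENTORY) -> List[str]:
    """Unrelated images swept up by the same wildcards."""
    return [img for img in matched_images(cmdline, inventory) if inventory[img] is None]


def is_av_kill_sweep(cmdline: str, inventory: Dict[str, Optional[str]] = INVENTORY) -> bool:
    """Forced kill whose /IM wildcard(s) cover at least one security product."""
    forced = bool(_FORCE_RE.search(cmdline))
    wildcard = any("*" in p for p in image_patterns(cmdline))
    return forced and wildcard and bool(killed_security_products(cmdline, inventory))


def triage(events: List[Dict[str, object]] = SAMPLE_EVENTS) -> List[Dict[str, object]]:
    """One verdict per taskkill record; non-taskkill records are skipped."""
    out: List[Dict[str, object]] = []
    for ev in events:
        if not str(ev["image"]).lower().endswith("taskkill.exe"):
            continue
        cmd = str(ev["cmdline"])
        out.append({
            "pid": ev["pid"], "ppid": ev["ppid"],
            "verdict": "av-kill-sweep" if is_av_kill_sweep(cmd) else "benign",
            "products": sorted(set(killed_security_products(cmd).values())),
            "collateral": collateral(cmd),
        })
    return out


if __name__ == "__main__":
    for row in triage():
        print(row)
```

The verdict requires all three of a forced kill, a wildcard image name and at least one security product in the expansion, so routine `taskkill /F /IM notepad.exe` stays quiet. Expanding the wildcards against an inventory, rather than keyword-matching the raw string, also surfaces the collateral damage: with this inventory, ash* would take down an unrelated ashampoo_burn.exe along with the Avast images.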

Network

  • DNS lookup (flag: us)
    Process:         4b70f83599510d7a5e8835a3f54138b8_JaffaCakes118.exe
    Remote address:  8.8.8.8:53
    Request:         report.countdom.net IN A
    Response:        (empty in report)

  • Flows, all from 4b70f83599510d7a5e8835a3f54138b8_JaffaCakes118.exe: seven connections to 212.117.176.198 and 212.117.176.199 on port 80, each 152 B in 3 packets, plus the DNS exchange above.

    Remote address       Domain               Bytes          Packets
    212.117.176.198:80                        152 B          3
    212.117.176.198:80                        152 B          3
    212.117.176.199:80                        152 B          3
    212.117.176.199:80                        152 B          3
    212.117.176.198:80                        152 B          3
    212.117.176.199:80                        152 B          3
    212.117.176.198:80                        152 B          3
    8.8.8.8:53 (dns)     report.countdom.net  65 B / 138 B   1 / 1     DNS request: report.countdom.net

MITRE ATT&CK Enterprise v15

Downloads

  Memory dumps from PID 1968:

  • memory/1968-0-0x00000000001C0000-0x0000000000211000-memory.dmp (324KB)
  • memory/1968-1-0x0000000000400000-0x0000000000488000-memory.dmp (544KB)
  • memory/1968-2-0x0000000000400000-0x0000000000573000-memory.dmp (1.4MB)
  • memory/1968-4-0x0000000000400000-0x0000000000488000-memory.dmp (544KB)
  • memory/1968-11-0x0000000000400000-0x0000000000573000-memory.dmp (1.4MB)
  • memory/1968-16-0x0000000000400000-0x0000000000573000-memory.dmp (1.4MB)
  • memory/1968-17-0x0000000000400000-0x0000000000573000-memory.dmp (1.4MB)
