Analysis

  • max time kernel
    120s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    15/07/2024, 20:55

General

  • Target

    4b5c15011162caa9163748758048c8c9_JaffaCakes118.exe

  • Size

    112KB

  • MD5

    4b5c15011162caa9163748758048c8c9

  • SHA1

    283c30de200afb9c607203f9677771e351b8d625

  • SHA256

    10d2a8c67ed0682d61a1178b3c9f6d021eee72e6444b31749e43feabe990851c

  • SHA512

    360f14ecaf1abf528757db896927331be38f9bcdc49cb181d2438f67cb802f63d8630950b2f2791e0ce2a8748b56912ddac015cae614280ac3034907ae342dbc

  • SSDEEP

    1536:95LO7C3P3CO9Lgl9hqC6z7nO14WPjFrJf:95eAP3COafwm1R

Score
8/10

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 4 IoCs
  • Drops file in Windows directory 1 IoCs
  • Runs .reg file with regedit 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4b5c15011162caa9163748758048c8c9_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\4b5c15011162caa9163748758048c8c9_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2100
    • C:\WINDOWS\system\svchost.exe
      C:\WINDOWS\system\svchost.exe
      2⤵
      • Executes dropped EXE
      PID:2152
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\WINDOWS\system32\sunxyj.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2368
      • C:\Windows\SysWOW64\regedit.exe
        regedit.exe /s xyj.reg
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Runs .reg file with regedit
        PID:2236

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\SysWOW64\sunxyj.bat

    Filesize

    22B

    MD5

    a5e1a8facc10b673d42e4bca6d007287

    SHA1

    281a0d5319067f066455b0a0b9aa6c6492aec6d2

    SHA256

    b2edc50f3a9a79032dde68bc5cd2491127a70488dc8bd539fbef4186e73bcb11

    SHA512

    cec914883513ad1e5338ff985375a762d047e0992fa9d9aa6cd4e18e9dee3ae57da1cf70a9e2702f22fbddb9bda46ae459f6e6e9dd6391c21253e2924d40843c

  • C:\Windows\SysWOW64\xyj.reg

    Filesize

    309B

    MD5

    79081c86f5fa286cb4465092a368fec5

    SHA1

    a8eecb7150985c8bf945ec10257a7aa43869c3fd

    SHA256

    267958578f32313ef5185714a6a85955c6dd52342a2cc1e36b9df240eeec0625

    SHA512

    aa430d8bd1fa7789ad781f6456e03c57cf110ac03485b810a2332695776eb3434810dbaa92d7907f86127577e8cc622deb4a69f99a46b4aa6e359fd7e9b1f42a

  • C:\Windows\system\svchost.exe

    Filesize

    40KB

    MD5

    f878619f7e8438ba39f23529a45d17d4

    SHA1

    c69f80fa4489e376106b79d61c08cc97c00ef29f

    SHA256

    f40ae7cdaf6b5201b39d6046fdb95bcacf4ba8059534306de2a947a8b9567ef1

    SHA512

    a4f07159a15542ddee486081703649bf8fdc8dd5f4dbf6e80f29b0de6aa0a70ab74a90728a3f64333d65534cbe3b444ce9db823f5c2bcb6dc76f027297972ab0