Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

5a23f1bf27...18.exe

windows7-x64

10

5a23f1bf27...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    140s
  • max time network
    18s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    19/07/2024, 02:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5a23f1bf273620980f14915e8c2d62f0_JaffaCakes118.exe

  • Size

    24KB

  • MD5

    5a23f1bf273620980f14915e8c2d62f0

  • SHA1

    2482a33d4e60f9ca8143b477a05e3f2dd61c3f36

  • SHA256

    36755ad2e2d73260f3cebd70aa55e6d9579ad1c855c4370eb9c10cd4fe404967

  • SHA512

    405cd2bad6d8b57421277d06e4475cf09e07880e33803ee565ee45cf7ccb23dc32e3a55099d65ffc25fc8f1ec323a70aaeb5e593fdcbb12e9641f789d16c4f23

  • SSDEEP

    768:YzO6Ih2gCllQ/9R1PS6j//uom+TdsGXGq:YzM2BURBSSbjTu7q

Score
10/10
persistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Drops file in System32 directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\5a23f1bf273620980f14915e8c2d62f0_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\5a23f1bf273620980f14915e8c2d62f0_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2508
    • C:\Windows\SysWOW64\svcser.exe
      C:\Windows\system32\svcser.exe
      2⤵
      • Modifies WinLogon for persistence
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2312
      • C:\Windows\SysWOW64\svcser.exe
        C:\Windows\system32\svcser.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2036
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\a.bat" "
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:2752
      • C:\Windows\SysWOW64\attrib.exe
        attrib -a -r -s -h 5a23f1bf273620980f14915e8c2d62f0_JaffaCakes118.exe
        3⤵
        • Views/modifies file attributes
        PID:2880

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\a.bat
    Filesize

    242B

    MD5

    70e3bc44459b183fc772ddf0025e4f37

    SHA1

    9358b1481a891781e485b7d0db597e6c5628585c

    SHA256

    188cb99afddda3aab8c994101c06cb7f9351b9a0ae5e2267bb2002327c31797f

    SHA512

    33b4dcbb19f1c18b15d714615eadc88a2166c74c02e3bb6963af9a6c8eebb14f9a1f5feab8a9a8f3870f123d39572a2f9f7a5e0bad7677fb941945d0926073c7

    Download Submit

  • \Windows\SysWOW64\svcser.exe
    Filesize

    24KB

    MD5

    5a23f1bf273620980f14915e8c2d62f0

    SHA1

    2482a33d4e60f9ca8143b477a05e3f2dd61c3f36

    SHA256

    36755ad2e2d73260f3cebd70aa55e6d9579ad1c855c4370eb9c10cd4fe404967

    SHA512

    405cd2bad6d8b57421277d06e4475cf09e07880e33803ee565ee45cf7ccb23dc32e3a55099d65ffc25fc8f1ec323a70aaeb5e593fdcbb12e9641f789d16c4f23

    Download Submit

  • memory/2036-31-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2036-27-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2312-18-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2312-26-0x0000000000330000-0x000000000034A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2312-43-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2312-44-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2312-45-0x0000000000330000-0x000000000034A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2508-2-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2508-15-0x00000000002D0000-0x00000000002EA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2508-14-0x00000000002D0000-0x00000000002EA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2508-0-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2508-1-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2508-41-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download