Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

719ae9c704...18.exe

windows7-x64

6

719ae9c704...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25/07/2024, 23:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    719ae9c704f6f32f2dc75e78a0561056_JaffaCakes118.exe

  • Size

    389KB

  • MD5

    719ae9c704f6f32f2dc75e78a0561056

  • SHA1

    741653be095334d5d30f0573166715da9604a62e

  • SHA256

    16df2c97a360e199f3fc56c60196ddc74ab5e638b83378f4137e2cd87e37530b

  • SHA512

    59abadfffe7f6fc9b9fec84c638fa57c3b7b5f7f6e7525cf2b97914a78fe699a9a71e8a4124929eb594a0fd1014073322dd6ef575e632e3838e65d1b63a6dba5

  • SSDEEP

    6144:CTjNddmi0JzmImfPVhHk0813ejg57nrV7IubXoXjTNlmiiswQYtd+YhyPNHCl/:2Ndd3+zmn1U1u+rVUmoX0swrtd7G5o

Score
7/10
discoverypersistence

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Runs .reg file with regedit 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\719ae9c704f6f32f2dc75e78a0561056_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\719ae9c704f6f32f2dc75e78a0561056_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3512
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\explore.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2312
      • C:\Windows\SysWOW64\regedit.exe
        regedit /s svchost.reg
        3⤵
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Runs .reg file with regedit
        PID:4960

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\svchost.reg
    Filesize

    132B

    MD5

    05ca0b49ce6eb0d27bdbbe9b947861bd

    SHA1

    9e56210702a0d6a78b07d82e155b4fea61688798

    SHA256

    7b411b130d8cb5441f033eb73db9976ff406cce95cb615d7772788c04a0c1876

    SHA512

    4301db74d4a2289a72045e745d014e8269b5a408deff1019da30742d3a68262ce55e354153ce192b01707398715578092f3215721ae1c62b6b043b5772485d77

    Download Submit

  • C:\explore.bat
    Filesize

    720B

    MD5

    7133aaab6f38a7a7798a7c682e567d24

    SHA1

    6b067c68b0b3b265f7dcd3be78c7a487e2c00b74

    SHA256

    d507a7108133e9cc2c5ad94bbafab4b55bc19bb9544a780c5d73adbb240c8cc2

    SHA512

    7af38dc13985353512335b4104da4173998ce92f90b9fed6ef243024a9a89c52c6140e1469987d66dc255674e2fcde98d19c3c2c04db8bebf805d3e55f3b2228

    Download Submit

  • memory/3512-0-0x0000000002300000-0x0000000002301000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3512-13-0x0000000000400000-0x0000000000467000-memory.dmp

    Filesize

    412KB

    Download

  • memory/3512-15-0x0000000002300000-0x0000000002301000-memory.dmp

    Filesize

    4KB

    Download