Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

6f454cf4b6...18.exe

windows7-x64

7

6f454cf4b6...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    119s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    25/07/2024, 10:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6f454cf4b6006fd3f5ddbfaeb33750ba_JaffaCakes118.exe

  • Size

    976KB

  • MD5

    6f454cf4b6006fd3f5ddbfaeb33750ba

  • SHA1

    c19b515767c21ba8a2647182567064a11a2cbf90

  • SHA256

    2d50c7a4049bca0257fbeef74aaa4f50888276a83b88f050e79364e7383d6cdd

  • SHA512

    08fffeb178f46b88fba80fe25a81a952095e7922c3aaf58133c5fa3eeac14f93e263d8fb78b88b6869b2bf82c2555060bce08274eaac05f2df52f47094b8fcc9

  • SSDEEP

    24576:T3YdyAeukW5AJJcZlmRhzogTSvvN/5icIKAV7W:T3YgHclK1E/5ipjV

Score
7/10
discovery

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6f454cf4b6006fd3f5ddbfaeb33750ba_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\6f454cf4b6006fd3f5ddbfaeb33750ba_JaffaCakes118.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:696
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Windows\Delete.BAT
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2072
  • C:\Windows\TrueImage.exe
    C:\Windows\TrueImage.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3040
    • C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\svchost.exe
      2⤵
        PID:2760

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\Delete.BAT
      Filesize

      214B

      MD5

      ae6375808b087cda6c70d46a896c1a66

      SHA1

      0990f9b25ae4101007df8b1f381fcee5a8b4f667

      SHA256

      293f55a208b7e502b5747264ff2a799c8be52c5596ece77aa24b87195a7a850e

      SHA512

      73e121d08955df8e9fbc500078276aabbe4aa3745507e0c3756cc01cec646f0820813086b5a2efa86e4b6c45054db14e88515f1e7f0a8dcd64fda3fbfb690e01

      Download Submit

    • C:\Windows\TrueImage.exe
      Filesize

      976KB

      MD5

      6f454cf4b6006fd3f5ddbfaeb33750ba

      SHA1

      c19b515767c21ba8a2647182567064a11a2cbf90

      SHA256

      2d50c7a4049bca0257fbeef74aaa4f50888276a83b88f050e79364e7383d6cdd

      SHA512

      08fffeb178f46b88fba80fe25a81a952095e7922c3aaf58133c5fa3eeac14f93e263d8fb78b88b6869b2bf82c2555060bce08274eaac05f2df52f47094b8fcc9

      Download Submit

    • memory/696-1-0x0000000000400000-0x00000000004F4000-memory.dmp

      Filesize

      976KB

      Download

    • memory/696-4-0x0000000000260000-0x0000000000261000-memory.dmp

      Filesize

      4KB

      Download

    • memory/696-19-0x0000000000400000-0x00000000004F4000-memory.dmp

      Filesize

      976KB

      Download

    • memory/2760-17-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2760-21-0x0000000000400000-0x00000000004F4000-memory.dmp

      Filesize

      976KB

      Download

    • memory/3040-7-0x0000000000400000-0x00000000004F4000-memory.dmp

      Filesize

      976KB

      Download

    • memory/3040-8-0x0000000000270000-0x0000000000271000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3040-26-0x0000000000400000-0x00000000004F4000-memory.dmp

      Filesize

      976KB

      Download