Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

6fc6be59ef...18.exe

windows7-x64

7

6fc6be59ef...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25/07/2024, 13:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6fc6be59efbb1e8ed408846e2d5e1651_JaffaCakes118.exe

  • Size

    18KB

  • MD5

    6fc6be59efbb1e8ed408846e2d5e1651

  • SHA1

    6eac83d62b40f19eb2cba84c620c2b81862749b3

  • SHA256

    fb58c516ffc69852a75374ffd1fcde976bf025d47cd3a5c7e77f426f78c4e173

  • SHA512

    e22bd26fe2d44a76e182046a4f02c915551128e39cf8cdf11904492cda8a57233fd42d787c6809ae811907cf5cbe8977317a4ec51e81ee80921f39c6392f2497

  • SSDEEP

    384:4Z0NjUfyn3Dkot9qd1+94uqtTslF7YooiT+2j0FmllNGO9iG9OQ:4Bg3BtId1+9ETgWXiT1XJ0Q

Score
7/10
discoverypersistence

Malware Config

Signatures

  • Modifies system executable filetype association 2 TTPs 5 IoCs
    persistence
  • Drops file in Program Files directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 42 IoCs
  • Runs .reg file with regedit 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6fc6be59efbb1e8ed408846e2d5e1651_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\6fc6be59efbb1e8ed408846e2d5e1651_JaffaCakes118.exe"
    1⤵
    • Modifies system executable filetype association
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2832
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c regedit /s "C:\Users\Admin\AppData\Local\Temp\TempIE.reg"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4776
      • C:\Windows\SysWOW64\regedit.exe
        regedit /s "C:\Users\Admin\AppData\Local\Temp\TempIE.reg"
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Runs .reg file with regedit
        PID:2848

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\TempIE.reg
    Filesize

    2KB

    MD5

    7fc26795b4b8aa785f4d907a73db630c

    SHA1

    59298b634861f6f2ff36819fd27a9f8483323416

    SHA256

    e940d331af8cabb12926a66123a27ec902f513faf071d905fcc7a2525be164c5

    SHA512

    d55b85da998d9807f80b34b79f89c30251df4832044115a741c9419796635bbb09286eb79385bd9de0caf42b43e49e00b8b33cf022a117af5245f3288c0360ba

    Download Submit

  • C:\Users\Admin\Desktop\Internat Explorer.dll
    Filesize

    83B

    MD5

    ffade1cbb9dc3a534e65a9cb92d9fa87

    SHA1

    713cc6f8b1f562a0fa3b222419d9b78248b61407

    SHA256

    af1a79eaaaf6829158b5d5b07126002e558042547ace0d87fa83b21ec6aaaf2c

    SHA512

    32218e1980d8bb5a74824613ded82fa98271a85e4cd1b86cf06b821d8a3ef3cd6cdc38615810a450526db65b9d89c8c8b4d27229b718a4ae142ca92d804fbf3d

    Download Submit

  • memory/2832-0-0x0000000000400000-0x0000000000413000-memory.dmp

    Filesize

    76KB

    Download

  • memory/2832-1-0x00000000001C0000-0x00000000001C2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2832-15-0x0000000000400000-0x0000000000413000-memory.dmp

    Filesize

    76KB

    Download