Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25/07/2024, 16:02

General

  • Target

    7046c23f48f52b97038e69e782044cbd_JaffaCakes118.exe

  • Size

    484KB

  • MD5

    7046c23f48f52b97038e69e782044cbd

  • SHA1

    e3e20833e358a5db26d3393f29e3eb8665aea9aa

  • SHA256

    5fad4bfd723fec95c1bf2427014bfff853d92aab283e8411af08a598a2e86590

  • SHA512

    2694e9b94f99d0e350427fd89408aef3ebd4c4ff656669d7599aca491aaf6547f14da11593d4c6b4bfe9bf22a3ec29abb484891356f169e20cbc6a5aff0ac4ba

  • SSDEEP

    12288:5P9GBWQch+L/ZgHP+v7xK0DmFwUfIp7JVyvWt1aBnSFAPHzeO:5PoBHch+uudKNffiv1aVSaPTeO

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 10 IoCs
  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 54 IoCs
  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7046c23f48f52b97038e69e782044cbd_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\7046c23f48f52b97038e69e782044cbd_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2184
    • C:\Users\Admin\AppData\Local\Temp\7046c23f48f52b97038e69e782044cbd_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\7046c23f48f52b97038e69e782044cbd_JaffaCakes118.exe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1712
      • C:\Users\Admin\V6oUpCF0mC.exe
        C:\Users\Admin\V6oUpCF0mC.exe
        3⤵
        • Modifies visibility of hidden/system files in Explorer
        • Checks computer location settings
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3440
        • C:\Users\Admin\gkvuus.exe
          "C:\Users\Admin\gkvuus.exe"
          4⤵
          • Modifies visibility of hidden/system files in Explorer
          • Executes dropped EXE
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          PID:2456
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c tasklist&&del V6oUpCF0mC.exe
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4436
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist
            5⤵
            • Enumerates processes with tasklist
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:2192
      • C:\Users\Admin\ayhost.exe
        C:\Users\Admin\ayhost.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4828
        • C:\Users\Admin\ayhost.exe
          "C:\Users\Admin\ayhost.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          PID:1872
      • C:\Users\Admin\byhost.exe
        C:\Users\Admin\byhost.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3708
        • C:\Users\Admin\byhost.exe
          "C:\Users\Admin\byhost.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:872
          • C:\Windows\explorer.exe
            000000D0*
            5⤵
              PID:4692
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 872 -s 240
              5⤵
              • Program crash
              PID:2116
        • C:\Users\Admin\cyhost.exe
          C:\Users\Admin\cyhost.exe
          3⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2548
          • C:\Users\Admin\cyhost.exe
            C:\Users\Admin\cyhost.exe startC:\Users\Admin\AppData\Roaming\conhost.exe%C:\Users\Admin\AppData\Roaming
            4⤵
            • Executes dropped EXE
            PID:3408
          • C:\Users\Admin\cyhost.exe
            C:\Users\Admin\cyhost.exe startC:\Users\Admin\AppData\Local\Temp\dwm.exe%C:\Users\Admin\AppData\Local\Temp
            4⤵
            • Executes dropped EXE
            PID:1436
        • C:\Users\Admin\dyhost.exe
          C:\Users\Admin\dyhost.exe
          3⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:4136
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c tasklist&&del 7046c23f48f52b97038e69e782044cbd_JaffaCakes118.exe
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3936
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist
            4⤵
            • Enumerates processes with tasklist
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:4172
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 872 -ip 872
      1⤵
        PID:3952

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Users\Admin\AppData\Roaming\1B77.55B

        Filesize

        996B

        MD5

        cc926a0b7ee0c7f33e6439184dacb0d2

        SHA1

        cd8245f7b5c83e459e2a4cc4429f716d4157e200

        SHA256

        e08f808245962bed91fd8413e803c7aae064d88ac3f1159ef55c90f3578957fe

        SHA512

        b83123dba601772d64fd47398c1ed51dced0f229fd446b4add0de0e20b4284f9ecd1a0e7f8933c6ea7f819608d130ee7163ecc8e425a04b47bc1b17957aaa07f

      • C:\Users\Admin\AppData\Roaming\1B77.55B

        Filesize

        1KB

        MD5

        9dd436ed577c40b18e7a62c2936a5bd1

        SHA1

        7eedd25497f804f905937725b20b0f15e412371c

        SHA256

        b3c63e6264d0ccd393d6a44d753f66ee71d9d218f3c0704f9f281b4c74dcf1e9

        SHA512

        d8be1e258802a0aea44977f6a485a1a426a3653fdef924372c1a7cef2d332dd7ab067d466c187e731feb263ef9b79fc763e52c848ea28b8193793eac43910d43

      • C:\Users\Admin\AppData\Roaming\1B77.55B

        Filesize

        600B

        MD5

        17a04449231717d35625b2f7c8859bcc

        SHA1

        49aaee4e309fe75bc1b29ac1d7613b0201f45f32

        SHA256

        96413b36a7f42fce7562a95aa0ac1e92e28da8e2c2e73dacb34db51f814d9206

        SHA512

        d6adf8350180af695f92b4c1dd507b35d7a194724f65005732d9a2d124e324b8650376b6608d469341313f1176e5cc1517ec62413a4a2bd0f9ed4e5e6a7068e5

      • C:\Users\Admin\V6oUpCF0mC.exe

        Filesize

        332KB

        MD5

        b96dc0230580570446ab648e20a7e3b3

        SHA1

        27483df87ef7093d51062fb2d2fc9944f94c23fb

        SHA256

        2c65220c1c3ec6cb3282759e1d583b598ad43bf09484239325ae06b961bf0af0

        SHA512

        b8dd8743eb45f9dcc0d74b5cf450ef2950482e5c33dcdb5ab9494ad2e396d7ea5ebd80d477fca52a25a46cede6e2c31eb2647612090fda72d7e61e49913c042f

      • C:\Users\Admin\ayhost.exe

        Filesize

        68KB

        MD5

        2c7c2d4e9c03a1818621def0e1281a81

        SHA1

        c92b29a7f6e9998c7a86b9b57cff15f28647a127

        SHA256

        9fb6cf502b6a872ed2e58666672db9fdc0eb57e6ff5a5677b6dbc8de42193f3e

        SHA512

        431cadf9b1d4de1dd0c5efebd5bae2af2ac0f6c98a2d71a5f7bc72e2421ecf77d67616d805bb643680192de6c8921e894a48a538276492567524c4267a4e4a66

      • C:\Users\Admin\byhost.exe

        Filesize

        136KB

        MD5

        1d0f81b6e185ec95e716d2a0b2ba69a1

        SHA1

        09399ffa69ae8bfd9794104bc4b7b4f481980e3a

        SHA256

        abe89315434ce50001a90c9bdd662a0c42fa90d95acdf5baed5823d760e4f878

        SHA512

        6c4ecc1346bfc9952d7a1a2cb30ed5076bec24db099bb3fe20a248b19f56c075ff592d03100a1a3660ad5f47dfaff6a64b6b2bebe1bcbc7ce747f968a4c7e6b1

      • C:\Users\Admin\cyhost.exe

        Filesize

        168KB

        MD5

        234bf3937f8fe09351acc53c059b40d2

        SHA1

        256f162b65eacc7a1fee35722fbfdbd55bba93c7

        SHA256

        86c568452305c3943eb7d1530cef65c75f6fac39d178082783db8b12fc8eef2b

        SHA512

        6c768729abebd0b9bde9712ee827262c433ac928bb638b9176ef7f4085c2d2b4fdfa3cacffdb7da477d23a1e0ce32e63cba2ab9ace1f45dfcc8109b2c68812b7

      • C:\Users\Admin\dyhost.exe

        Filesize

        24KB

        MD5

        9814ec05c8857737f599ba75b1610fb1

        SHA1

        aa9d9b016c2feda03cf6ad1bbca332070eb9b295

        SHA256

        a68f44fa166ade605dfd2e5827a8ca3fa21141eda423c096d1f41d9bf172e597

        SHA512

        c9daf5d8015ab4d5e0c333b986e04a917a596aef6d61baf43f53e5da346e3e665cd16eb5da35726713689dca991a03fbfa137b7f3f879c77779a477a89a0268d

      • C:\Users\Admin\gkvuus.exe

        Filesize

        332KB

        MD5

        7532644cf656c0ccc78f0219f47a6f34

        SHA1

        761409907deada22ae35eac10ab6de17aa9e1868

        SHA256

        51449a40730658ed36d47938afac16e8f24f71ae5ce56720b62252305c6da076

        SHA512

        07c2c88f897596855994d4a67dcf4b75555c2b764f323a637aa2efa41ab9dca5be8dfed617621e696cd8ade267b1e5d6d8ac25a7f76a91f4194222c6c3e277ca

      • memory/872-65-0x0000000000400000-0x000000000041B000-memory.dmp

        Filesize

        108KB

      • memory/872-63-0x0000000000400000-0x000000000041B000-memory.dmp

        Filesize

        108KB

      • memory/1436-159-0x0000000000400000-0x0000000000448000-memory.dmp

        Filesize

        288KB

      • memory/1712-279-0x0000000000400000-0x00000000004BE000-memory.dmp

        Filesize

        760KB

      • memory/1712-2-0x0000000000400000-0x00000000004BE000-memory.dmp

        Filesize

        760KB

      • memory/1712-5-0x0000000000400000-0x00000000004BE000-memory.dmp

        Filesize

        760KB

      • memory/1712-87-0x0000000000400000-0x00000000004BE000-memory.dmp

        Filesize

        760KB

      • memory/1712-4-0x0000000000400000-0x00000000004BE000-memory.dmp

        Filesize

        760KB

      • memory/1872-55-0x0000000000400000-0x000000000040B000-memory.dmp

        Filesize

        44KB

      • memory/1872-53-0x0000000000400000-0x000000000040B000-memory.dmp

        Filesize

        44KB

      • memory/1872-56-0x0000000000400000-0x000000000040B000-memory.dmp

        Filesize

        44KB

      • memory/2548-160-0x0000000000400000-0x0000000000448000-memory.dmp

        Filesize

        288KB

      • memory/2548-275-0x0000000000400000-0x0000000000448000-memory.dmp

        Filesize

        288KB

      • memory/3408-80-0x0000000000400000-0x0000000000448000-memory.dmp

        Filesize

        288KB

      • memory/3708-67-0x0000000000400000-0x0000000000422000-memory.dmp

        Filesize

        136KB