Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

712a8410ea...18.exe

windows7-x64

10

712a8410ea...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25/07/2024, 20:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    712a8410eaaded45fe2c0520c3be6862_JaffaCakes118.exe

  • Size

    94KB

  • MD5

    712a8410eaaded45fe2c0520c3be6862

  • SHA1

    02001f0122c72be8cb89022f659fd3d902201ed6

  • SHA256

    6537f5c437525c989131cd29f1279b89519d22f6e5425eed03ece1570da63f15

  • SHA512

    57e64a9fa27ccb524783172470c42c21262c5df7267666842f20a779360d861dc6166ebffa0503e1e3b2033340572104835205476345a1315c1dd5f0924fbc6b

  • SSDEEP

    1536:7xdfvoglDRkdLBiZChfjAzik8h27chGPE1xIaiCOmaxhm+Gie7lYRq+hoEEJQ5Gb:7rfvo2FGLoWAztv7cEPEP9iCO9xhm+GZ

Score
10/10
discoverypersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\712a8410eaaded45fe2c0520c3be6862_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\712a8410eaaded45fe2c0520c3be6862_JaffaCakes118.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:556
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$c9904.tmp.bat
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4608
    • C:\Program Files\Windows Media Player\svchost.exe
      "C:\Program Files\Windows Media Player\svchost.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:1872

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\Windows Media Player\svchost.exe
    Filesize

    94KB

    MD5

    712a8410eaaded45fe2c0520c3be6862

    SHA1

    02001f0122c72be8cb89022f659fd3d902201ed6

    SHA256

    6537f5c437525c989131cd29f1279b89519d22f6e5425eed03ece1570da63f15

    SHA512

    57e64a9fa27ccb524783172470c42c21262c5df7267666842f20a779360d861dc6166ebffa0503e1e3b2033340572104835205476345a1315c1dd5f0924fbc6b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\$$c9904.tmp.bat
    Filesize

    261B

    MD5

    f94841c1ddeac11c79fdf6aeb165c121

    SHA1

    fe615ee260aea6cd72fc601c9e1b98037d76320e

    SHA256

    e8fa0df2a59217d0375ecafdb1ee003ae38c7c26d14aa2c703d332f73ff393d9

    SHA512

    ae85443ad187369ce3065b9789b9fa61fc50d2a1cf6beb415d88d54a0e7cacaebd9a37d7c55bcb3c9bd06d43bbd6e38ef59620113602334f764dddbe61377a58

    Download Submit

  • C:\Windows\SysWOW64\PDLL.dll
    Filesize

    136KB

    MD5

    8094a47d7aa849d45c2f90fd4d2b4d41

    SHA1

    50fe4a5663c15e6d41c49d0a5adc1c5ab4e7eb87

    SHA256

    9db34dc09856f80ed7b07631979b01507dc307fcb6bd4a9ca1d7662880946edb

    SHA512

    58c441ec4e0e126594dd17397c04602c0dcb0198920487434b5da4f924cd2bf22b56e4e85a7aadb5d3502b053da539a65aa9b6ea116e17f5a8eb7c792c8d5b93

    Download Submit

  • memory/556-0-0x0000000000400000-0x000000000044B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/556-1-0x0000000000520000-0x0000000000540000-memory.dmp

    Filesize

    128KB

    Download

  • memory/556-8-0x0000000000400000-0x000000000044B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/1872-9-0x0000000000400000-0x000000000044B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/1872-17-0x00000000027E0000-0x000000000281A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/1872-18-0x0000000002820000-0x0000000002840000-memory.dmp

    Filesize

    128KB

    Download

  • memory/1872-19-0x0000000000400000-0x000000000044B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/1872-20-0x00000000027E0000-0x000000000281A000-memory.dmp

    Filesize

    232KB

    Download