Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

7860abaaa0...18.exe

windows7-x64

7

7860abaaa0...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    142s
  • max time network
    127s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27/07/2024, 13:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7860abaaa00175fdf18453f6f57b2428_JaffaCakes118.exe

  • Size

    312KB

  • MD5

    7860abaaa00175fdf18453f6f57b2428

  • SHA1

    dd41d27f6485064e0a4c0d3a4665bbb5e10a3249

  • SHA256

    5e7ef93ee2a2ecfd97f4f1bc15ab912271830e3bcdb299b9d4e12b5c7b6af688

  • SHA512

    c2f5ba90695511ab3c23c8ec4d1b7df595a0a3f6cc9d5b9730c466d0b4dc7810a84ce9578188646f143a607f8b76cab7d7ecb57828911211440f6719300ba9ab

  • SSDEEP

    6144:aO2SIguO3/V/rh09eNQBasDUD371exkAK5R04+woOhXLwez:FfPvVFHNTz71exkhaOhse

Score
7/10
discovery

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Drops file in Windows directory 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7860abaaa00175fdf18453f6f57b2428_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\7860abaaa00175fdf18453f6f57b2428_JaffaCakes118.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2876
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Windows\uninstal.bat
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3888
  • C:\Windows\Hacker.com.cn.exe
    C:\Windows\Hacker.com.cn.exe
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:3676
    • C:\Program Files\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
      2⤵
        PID:112

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\Hacker.com.cn.exe
      Filesize

      312KB

      MD5

      7860abaaa00175fdf18453f6f57b2428

      SHA1

      dd41d27f6485064e0a4c0d3a4665bbb5e10a3249

      SHA256

      5e7ef93ee2a2ecfd97f4f1bc15ab912271830e3bcdb299b9d4e12b5c7b6af688

      SHA512

      c2f5ba90695511ab3c23c8ec4d1b7df595a0a3f6cc9d5b9730c466d0b4dc7810a84ce9578188646f143a607f8b76cab7d7ecb57828911211440f6719300ba9ab

      Download Submit

    • C:\Windows\uninstal.bat
      Filesize

      218B

      MD5

      5e5f6876bc8c87c70dfe69eeb19d5d9b

      SHA1

      fced1376d36e8ba9a0f8c5fd0b81364012f8ada1

      SHA256

      74e745cc7d3073720851d860d4de9bdc3d276f577d53b294c7c2afbbebe5a4c4

      SHA512

      0da66808092c108495ee9181dbc3b4e41dd43a723d017d8a6bc8632937a841af5429eb0392d321ab9e016e00c020d9519f3f81563c7c80a35bd7999b5e116ca9

      Download Submit

    • memory/2876-0-0x0000000000400000-0x0000000000561000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/2876-1-0x0000000000620000-0x0000000000621000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2876-2-0x0000000000400000-0x0000000000561000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/2876-3-0x0000000000B80000-0x0000000000B81000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2876-12-0x0000000000400000-0x0000000000561000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/3676-8-0x0000000000400000-0x0000000000561000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/3676-9-0x0000000000610000-0x0000000000611000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3676-14-0x0000000000400000-0x0000000000561000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/3676-16-0x00000000005E0000-0x00000000005E1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3676-17-0x0000000000610000-0x0000000000611000-memory.dmp

      Filesize

      4KB

      Download