Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

83ef1d7992...18.exe

windows7-x64

7

83ef1d7992...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    147s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/08/2024, 23:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    83ef1d799261ed45ad00488f7210639c_JaffaCakes118.exe

  • Size

    240KB

  • MD5

    83ef1d799261ed45ad00488f7210639c

  • SHA1

    71e28eb94341a1d8c77d159d95c72e1f3ea62705

  • SHA256

    9894be6e64187c5b681d5c0505b02d19926ff67ecce0f6f7bb4d94c28689b7e6

  • SHA512

    9cd5623190ab4f1f1f8daacd3ff80cb3e9b28b890f030b56659333a86c65246d22d962aae8aa8b0a86574fc707c96b2ca59d71253123209b6526c53ccd4f5ce2

  • SSDEEP

    6144:tZy5BoKvoyi7NGm9yCqSwDvQkqj+pyvBM790:jYe0LT0K8tj+Es0

Score
7/10
discoverypersistenceupx

Malware Config

Signatures

  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • UPX packed file 21 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in System32 directory 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\83ef1d799261ed45ad00488f7210639c_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\83ef1d799261ed45ad00488f7210639c_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2252
    • C:\Users\Admin\AppData\Local\Temp\83ef1d799261ed45ad00488f7210639c_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\83ef1d799261ed45ad00488f7210639c_JaffaCakes118.exe"
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1312
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" "C:\Users\Admin\AppData\Local\Temp\83ef1d799261ed45ad00488f7210639c_JaffaCakes118.exe"
        3⤵
          PID:4048
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1312 -s 488
          3⤵
          • Program crash
          PID:3136
        • C:\Users\Admin\AppData\Roaming\1.exe
          C:\Users\Admin\AppData\Roaming\1.exe
          3⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in System32 directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1124
          • C:\Windows\SysWOW64\svchost.exe
            "C:\Windows\System32\svchost.exe"
            4⤵
              PID:3036
            • C:\Windows\Svchost.exe
              C:\Windows\Svchost.exe
              4⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Adds Run key to start application
              • Drops file in System32 directory
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:1248
              • C:\Windows\SysWOW64\regsvr32.exe
                regsvr32 /s "C:\Windows\system32\mswinsck.ocx"
                5⤵
                • Loads dropped DLL
                • System Location Discovery: System Language Discovery
                • Modifies registry class
                PID:512
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1312 -ip 1312
        1⤵
          PID:2556

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\1.exe
          Filesize

          150KB

          MD5

          8a6ae017f002a7d9bd39cc4755ee8771

          SHA1

          7de6f53904a48956f8e2ecf91c5dd20b9e7b46f5

          SHA256

          e97f9845b38daae0d5b495cee21afa8ca20476c4122523256ee44ddb79715356

          SHA512

          1b9253013afebe61a685470a508ebae409311f8230cb65182fc16d8ed68bbaa891edad0e1a36401d878c46044df203c715c5c47acb70290a278d71d3818b6662

          Download Submit

        • C:\Users\Admin\AppData\Roaming\kernel33.dll
          Filesize

          625KB

          MD5

          358611b92e360a749054fdc7b6b076ea

          SHA1

          d6d2224161fee024ab3767a81ed57f7e57d0c1ce

          SHA256

          79782a87dfd093a0e4196d6f0aa4d46a55c0290f6145f5f8fa60e53c540f89b4

          SHA512

          0986c84ed52b42b3aeb96479032e188165d1fa1d5c7018e240b444e03eb6317365ea51fc0233263f7e97f099cd3ca3094ab0b177c0405816bc800b41f42523ad

          Download Submit

        • C:\Windows\SysWOW64\mswinsck.ocx
          Filesize

          105KB

          MD5

          9484c04258830aa3c2f2a70eb041414c

          SHA1

          b242a4fb0e9dcf14cb51dc36027baff9a79cb823

          SHA256

          bf7e47c16d7e1c0e88534f4ef95e09d0fd821ed1a06b0d95a389b35364b63ff5

          SHA512

          9d0e9f0d88594746ba41ea4a61a53498619eda596e12d8ec37d01cfe8ceb08be13e3727c83d630a6d9e6d03066f62444bb94ea5a0d2ed9d21a270e612db532a0

          Download Submit

        • C:\Windows\SysWOW64\zlib.dll
          Filesize

          27KB

          MD5

          200d52d81e9b4b05fa58ce5fbe511dba

          SHA1

          c0d809ee93816d87388ed4e7fd6fca93d70294d2

          SHA256

          d4fe89dc2e7775f4ef0dfc70ed6999b8f09635326e05e08a274d464d1814c617

          SHA512

          7b1df70d76855d65cf246051e7b9f7119720a695d41ace1eb00e45e93e6de80d083b953269166bdee7137dbd9f3e5681e36bb036f151cea383c10d82957f39c5

          Download Submit

        • memory/1124-20-0x0000000000400000-0x0000000000458000-memory.dmp

          Filesize

          352KB

          Download

        • memory/1124-32-0x0000000000400000-0x0000000000458000-memory.dmp

          Filesize

          352KB

          Download

        • memory/1248-50-0x0000000000400000-0x0000000000458000-memory.dmp

          Filesize

          352KB

          Download

        • memory/1248-69-0x0000000000400000-0x0000000000458000-memory.dmp

          Filesize

          352KB

          Download

        • memory/1248-35-0x0000000000400000-0x0000000000458000-memory.dmp

          Filesize

          352KB

          Download

        • memory/1248-77-0x0000000000400000-0x0000000000458000-memory.dmp

          Filesize

          352KB

          Download

        • memory/1248-75-0x0000000000400000-0x0000000000458000-memory.dmp

          Filesize

          352KB

          Download

        • memory/1248-49-0x0000000010000000-0x0000000010014000-memory.dmp

          Filesize

          80KB

          Download

        • memory/1248-73-0x0000000000400000-0x0000000000458000-memory.dmp

          Filesize

          352KB

          Download

        • memory/1248-52-0x0000000000400000-0x0000000000458000-memory.dmp

          Filesize

          352KB

          Download

        • memory/1248-54-0x0000000000400000-0x0000000000458000-memory.dmp

          Filesize

          352KB

          Download

        • memory/1248-55-0x0000000000400000-0x0000000000458000-memory.dmp

          Filesize

          352KB

          Download

        • memory/1248-57-0x0000000000400000-0x0000000000458000-memory.dmp

          Filesize

          352KB

          Download

        • memory/1248-59-0x0000000000400000-0x0000000000458000-memory.dmp

          Filesize

          352KB

          Download

        • memory/1248-61-0x0000000000400000-0x0000000000458000-memory.dmp

          Filesize

          352KB

          Download

        • memory/1248-63-0x0000000000400000-0x0000000000458000-memory.dmp

          Filesize

          352KB

          Download

        • memory/1248-65-0x0000000000400000-0x0000000000458000-memory.dmp

          Filesize

          352KB

          Download

        • memory/1248-67-0x0000000000400000-0x0000000000458000-memory.dmp

          Filesize

          352KB

          Download

        • memory/1248-42-0x0000000002380000-0x00000000023A7000-memory.dmp

          Filesize

          156KB

          Download

        • memory/1248-71-0x0000000000400000-0x0000000000458000-memory.dmp

          Filesize

          352KB

          Download

        • memory/1312-3-0x0000000000400000-0x000000000042D000-memory.dmp

          Filesize

          180KB

          Download

        • memory/1312-4-0x0000000000400000-0x000000000042D000-memory.dmp

          Filesize

          180KB

          Download

        • memory/1312-23-0x0000000000400000-0x000000000042D000-memory.dmp

          Filesize

          180KB

          Download