Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

859ad0af1a...18.exe

windows7-x64

7

859ad0af1a...18.exe

windows10-2004-x64

3

Analysis

  • max time kernel
    150s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    10/08/2024, 09:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    859ad0af1ab161183eaa046cd9ce3caf_JaffaCakes118.exe

  • Size

    3.6MB

  • MD5

    859ad0af1ab161183eaa046cd9ce3caf

  • SHA1

    4c25c86444cd0ebc1f1cc4d0e2f9fafd4cfc4728

  • SHA256

    78e8153fb5c219333faef9c402602ca367e0e99b9ab67186b889445190c1d775

  • SHA512

    6c4ec928da4b73e884c936a109965ad0236ef34a96973bfac822063ee1a40b6bf1e50b5c03bfb5ed4cd38e51c2789a5c00f147e544e4fc6269c99a0df2cc8a1b

  • SSDEEP

    49152:gi19lGb2ZVGwrmAuZPMZVUsPbS6OeaBYMGEb2MX2PZXZDKENd5FRrEabwH/e:RA2ZgAumZV/bVTMGEbR2P5ZvB4G

Score
7/10
discoverypersistencespywarestealer

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 9 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\859ad0af1ab161183eaa046cd9ce3caf_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\859ad0af1ab161183eaa046cd9ce3caf_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2604
    • C:\Users\Admin\AppData\Local\Temp\_D826.tmpac7d.exe
      "C:\Users\Admin\AppData\Local\Temp\_D826.tmpac7d.exe" -p"03:02 PM" -y -o"C:\Users\Admin\AppData\Roaming\AV Protection 2012"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:860
    • C:\Users\Admin\AppData\Roaming\AV Protection 2012\AntivirusProtection2012.exe
      "C:\Users\Admin\AppData\Roaming\AV Protection 2012\AntivirusProtection2012.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:2768
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C dir "C:\Users\Admin\AppData\Roaming"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2888
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C dir "C:\Users\Admin\AppData\Roaming\AV Protection 2012"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2560

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_D826.tmpac7d.exe
    Filesize

    2.4MB

    MD5

    63b147e28c56653e5a11292937759648

    SHA1

    123f0d48fe574630f8c188dbe405c97eaa8b3243

    SHA256

    464be6a126e9d4542e7a5b3a93a884d6cfded39663c90a592d12aebbd0a6ba57

    SHA512

    0e58b1e13da846e22486a6be45b05876f53ebfb1582c61586fea7a7dbf8a8b949daf88180d29cec3702bfe7f82d6db6c88a59b5b38f78d2d98df1d709cac1901

    Download Submit

  • C:\Users\Admin\AppData\Roaming\AV Protection 2012\AntivirusProtection2012.exe
    Filesize

    2.2MB

    MD5

    f4a982de11593759c432b72d9da5ddcb

    SHA1

    3bb8132821e4a2ebf486b7b5fe68b33134a997a3

    SHA256

    657d91849b78c8d4929869ab540630a588dd18b19a67f33fe75e97cbf028a205

    SHA512

    7fb896fe879b3646e029fc4e4d12be17167687a9a43d76e37d41de281ca0336cf0f48530628abff97dd40d1fa6fd9de3caed641c6119ed4d7e89e2e94a61669c

    Download Submit

  • memory/2604-45-0x0000000000DE0000-0x0000000000DE1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2604-1-0x0000000000DE0000-0x0000000000DE1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2604-2-0x0000000000401000-0x0000000000689000-memory.dmp

    Filesize

    2.5MB

    Download

  • memory/2604-50-0x0000000000400000-0x0000000000DDC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2604-48-0x0000000000400000-0x0000000000DDC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2604-0-0x0000000002C30000-0x0000000002FCE000-memory.dmp

    Filesize

    3.6MB

    Download

  • memory/2604-40-0x0000000000400000-0x0000000000DDC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2604-46-0x0000000000400000-0x0000000000DDC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2604-43-0x0000000002C30000-0x0000000002FCE000-memory.dmp

    Filesize

    3.6MB

    Download

  • memory/2604-42-0x0000000000400000-0x0000000000DDC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2768-39-0x0000000000400000-0x0000000001885000-memory.dmp

    Filesize

    20.5MB

    Download

  • memory/2768-56-0x0000000000400000-0x0000000001885000-memory.dmp

    Filesize

    20.5MB

    Download

  • memory/2768-41-0x0000000000400000-0x0000000001885000-memory.dmp

    Filesize

    20.5MB

    Download

  • memory/2768-47-0x0000000000400000-0x0000000001885000-memory.dmp

    Filesize

    20.5MB

    Download

  • memory/2768-37-0x0000000000400000-0x0000000001885000-memory.dmp

    Filesize

    20.5MB

    Download

  • memory/2768-49-0x0000000000400000-0x0000000001885000-memory.dmp

    Filesize

    20.5MB

    Download

  • memory/2768-38-0x0000000000400000-0x0000000001885000-memory.dmp

    Filesize

    20.5MB

    Download

  • memory/2768-51-0x0000000000400000-0x0000000001885000-memory.dmp

    Filesize

    20.5MB

    Download

  • memory/2768-54-0x0000000000400000-0x0000000001885000-memory.dmp

    Filesize

    20.5MB

    Download

  • memory/2768-44-0x0000000000400000-0x0000000001885000-memory.dmp

    Filesize

    20.5MB

    Download

  • memory/2768-58-0x0000000000400000-0x0000000001885000-memory.dmp

    Filesize

    20.5MB

    Download

  • memory/2768-60-0x0000000000400000-0x0000000001885000-memory.dmp

    Filesize

    20.5MB

    Download

  • memory/2768-62-0x0000000000400000-0x0000000001885000-memory.dmp

    Filesize

    20.5MB

    Download

  • memory/2768-64-0x0000000000400000-0x0000000001885000-memory.dmp

    Filesize

    20.5MB

    Download

  • memory/2768-66-0x0000000000400000-0x0000000001885000-memory.dmp

    Filesize

    20.5MB

    Download

  • memory/2768-68-0x0000000000400000-0x0000000001885000-memory.dmp

    Filesize

    20.5MB

    Download

  • memory/2768-70-0x0000000000400000-0x0000000001885000-memory.dmp

    Filesize

    20.5MB

    Download