Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

7

884fa6f68e...18.exe

windows7-x64

8

884fa6f68e...18.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    11/08/2024, 00:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    884fa6f68ebc37e897c4a7d7bb32a75f_JaffaCakes118.exe

  • Size

    51KB

  • MD5

    884fa6f68ebc37e897c4a7d7bb32a75f

  • SHA1

    011601fcb414846d72e7bcf3973ce0248e7ed35e

  • SHA256

    738cbb5e4c08c9e0384206c297ebb207dd8a64cce51ffaba62cce84053a92b75

  • SHA512

    61b33063b2673f5bd700b9c32aa0c3204002670ebb24b202fec5226650b23741db27e24a073894accb572417eb655d8cf43ca6bbce3b375119b5c7ac0b5a8c18

  • SSDEEP

    1536:E5urmX2eZwS2N6XG9IgTwHZ6ioZWZ3um4:B5yw6XG9fwXoZWt54

Score
8/10
discoverypersistenceupx

Malware Config

Signatures

  • Drops file in Drivers directory 2 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Deletes itself 1 IoCs
  • Loads dropped DLL 8 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in System32 directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\884fa6f68ebc37e897c4a7d7bb32a75f_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\884fa6f68ebc37e897c4a7d7bb32a75f_JaffaCakes118.exe"
    1⤵
    • Drops file in Drivers directory
    • Sets service image path in registry
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2876
    • C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe C:\Windows\system32\cPip.dll,DllRegisterServer
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1512
      • C:\Windows\SysWOW64\Rundll32.exe
        C:\Windows\system32\Rundll32.exe C:\Windows\system32\cPip.dll,DllUnregisterServer
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        PID:2888
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Windows\system32\Hf0j9s.bat
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2948
      • C:\Windows\SysWOW64\PING.EXE
        ping -n 3 127.0.0.1
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2600

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\Hf0j9s.bat
    Filesize

    249B

    MD5

    caa3b942e5f256e0e5d5e391eba60c77

    SHA1

    494e330f34949425c05677b7c3f40eba00fd67b1

    SHA256

    1f478625c0d307ace713724f213febce675522e28f31674f2668913dc72ada9c

    SHA512

    a0a34e2021e4ce7858e0941dde7d21f465aceb6b1cf9151242f35e70ce12ef1a4ba6438a4caaf78c8b662822c0e41721930d52a8994093bcb890a65cf6a46051

    Download Submit

  • C:\Windows\SysWOW64\cPip.dll
    Filesize

    32KB

    MD5

    3dc1d366a1761cb7ac93bf018f62ebe3

    SHA1

    6089904e3c6a70655a6be2550521e401952e7946

    SHA256

    4f1856de5e068c8be20580f338027210571de4c470e77eabc8246637f6651ed2

    SHA512

    c8dbf0dcb65b3de5fa2a229e606c09acdb1811c38ab8963b1e85a1cb816db1ea6bfa0416e5e09102656af9cc6c95157ddeb97934f2516ae6aea7bb6b99f562a0

    Download Submit

  • memory/2876-0-0x0000000000400000-0x0000000000419000-memory.dmp

    Filesize

    100KB

    Download

  • memory/2876-24-0x0000000000400000-0x0000000000419000-memory.dmp

    Filesize

    100KB

    Download