Analysis

  • max time kernel
    150s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    11/08/2024, 04:48

General

  • Target

    890e36b60da9343f77a3d7e5a1e60516_JaffaCakes118.exe

  • Size

    218KB

  • MD5

    890e36b60da9343f77a3d7e5a1e60516

  • SHA1

    07561bc621f9a2c4e2ba8d7c58d8444b8c8b5737

  • SHA256

    03d8ee4d9958ad70ff66da334cf0fee831102c34648862ed3fe9b82a25af14aa

  • SHA512

    c0614e3c45738dc01662245ee855420d4c983cd7c0eba3bdab93f43a09d19d5edc88ac8770c025f54d25dc641d4e8ff03f054e006110a2a1de879f6cfd686afe

  • SSDEEP

    3072:+cPCtLvtaX/8wzVN1ZdOdXvPy0IiK4fit8sUTNwkklt99WJ5jO:+cMLYX/8whre1bIl38sUTNPkVUn

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim host in order to infer the geographical location of that host.

  • Kills process with taskkill 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\890e36b60da9343f77a3d7e5a1e60516_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\890e36b60da9343f77a3d7e5a1e60516_JaffaCakes118.exe"
    1⤵
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2032
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im zrIvF
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2076
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k imgsvc
    1⤵
    • Deletes itself
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    PID:1296

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\2062300.dll

    Filesize

    157KB

    MD5

    23003b043d9e1bcfd9018530bffc7ebe

    SHA1

    42facd1899e7151bc3fc76621213866a915d9a28

    SHA256

    1857f7abe9a8f8a549230fe2cde5d81734bee0c63e5dfcaafd45db3c32ccb176

    SHA512

    e7f187218b4f1d5c1002aba01642d37f1cb358d38a5f7272f7c49743e87b05045e20380214323c05d5adf890277a4f3c3b4b26cba039016c53361820f133cbe5

  • C:\Windows\SysWOW64\intnet.bmp

    Filesize

    2.2MB

    MD5

    978e903d42b3929d08facc269f5c38ad

    SHA1

    cbda3ef8d4960ab37e3f887101eb1e38a37aa992

    SHA256

    6e78c1ec35413cb697435dade9b27d54c32e49a57c8600ceb10d29b9c2af0ce2

    SHA512

    27cdf2acae505c6bfe7b6f3cfcc5a38b000b506d09289014a5b9e5643a83d14cc88dd315f9de071541ad610d830d8fd0026a689bab3fbe34acf9c9f6b2273489

  • \??\c:\NT_Path.jpg

    Filesize

    99B

    MD5

    ad0c54822253dea45f8cfb04245b1ec6

    SHA1

    290334c3ad70ed87f79308b88492a355e5ad51c1

    SHA256

    1b87767be7571f22415d46a5c81e17788b8b2828ead5241923f16105a07adbc9

    SHA512

    1d63cc1cb46105a6d571ed68a1feb2fc78398ed1c70dbde1ef336ab7fc55ca6ceebb89a36e939b4c21d7b9c401c71c3724ef67c7c0f4164e23f9dd652e11767e

  • memory/2032-12-0x0000000010000000-0x000000001002D000-memory.dmp

    Filesize

    180KB