Analysis

  • max time kernel
    149s
  • max time network
    23s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    11/08/2024, 06:01 UTC

General

  • Target

    89443f440d1ad224dc477da385537228_JaffaCakes118.exe

  • Size

    455KB

  • MD5

    89443f440d1ad224dc477da385537228

  • SHA1

    3b04e1d02a3d563f95db27091f0357eaf93121f2

  • SHA256

    16912916e639bbf566bedc9041a72cea4865c16eb0adbc289e635a0e4ede20e8

  • SHA512

    fae1e6c86eca30840e5d3574c4a90debab6054316abd7cf686407a5a7a8553cb7ed347cee13bb72c832e5ecba541119afe23d0f32b60b7e83b6c9099affa9e36

  • SSDEEP

    12288:+oUy2e41WHTg2AVqz91BbFlgzJnBhl11UMMnMMMMM:+oT419hVqhDbFyJnBhlPUMMnMMMMM

Malware Config

Signatures

  • Disables Task Manager via registry modification
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Maps connected drives based on registry 3 TTPs 4 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • System policy modification 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\89443f440d1ad224dc477da385537228_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\89443f440d1ad224dc477da385537228_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Maps connected drives based on registry
    • System Location Discovery: System Language Discovery
    • Modifies Internet Explorer settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1048
    • C:\ProgramData\mLVrrSBWxbwm.exe
      "C:\ProgramData\mLVrrSBWxbwm.exe"
      2⤵
      • Executes dropped EXE
      • Maps connected drives based on registry
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:900

Network

  • flag-us | DNS | clickbore.org | process: 89443f440d1ad224dc477da385537228_JaffaCakes118.exe | remote address: 8.8.8.8:53 | request: clickbore.org IN A | response: yes
  • flag-us | DNS | clickbore.org | process: 89443f440d1ad224dc477da385537228_JaffaCakes118.exe | remote address: 8.8.8.8:53 | request: clickbore.org IN A | response: none
  • flag-us | DNS | clickwinston-salem.org | process: 89443f440d1ad224dc477da385537228_JaffaCakes118.exe | remote address: 8.8.8.8:53 | request: clickwinston-salem.org IN A | response: yes
  • flag-us | DNS | clickwinston-salem.org | process: 89443f440d1ad224dc477da385537228_JaffaCakes118.exe | remote address: 8.8.8.8:53 | request: clickwinston-salem.org IN A | response: yes
  • flag-us | DNS | clickhartford.org | process: 89443f440d1ad224dc477da385537228_JaffaCakes118.exe | remote address: 8.8.8.8:53 | request: clickhartford.org IN A | response: yes
  • flag-us | DNS | searchbell.org | process: 89443f440d1ad224dc477da385537228_JaffaCakes118.exe | remote address: 8.8.8.8:53 | request: searchbell.org IN A | response: yes
  • flag-us | DNS | searchany.org | process: 89443f440d1ad224dc477da385537228_JaffaCakes118.exe | remote address: 8.8.8.8:53 | request: searchany.org IN A | response: yes
  • flag-us | DNS | clickicy.org | process: 89443f440d1ad224dc477da385537228_JaffaCakes118.exe | remote address: 8.8.8.8:53 | request: clickicy.org IN A | response: yes
  • flag-us | DNS | clickicy.org | process: 89443f440d1ad224dc477da385537228_JaffaCakes118.exe | remote address: 8.8.8.8:53 | request: clickicy.org IN A | response: yes
  • flag-us | DNS | clickicy.org | process: 89443f440d1ad224dc477da385537228_JaffaCakes118.exe | remote address: 8.8.8.8:53 | request: clickicy.org IN A | response: none
  • flag-us | DNS | searchbrick.org | process: 89443f440d1ad224dc477da385537228_JaffaCakes118.exe | remote address: 8.8.8.8:53 | request: searchbrick.org IN A | response: yes
  • flag-us | DNS | searchbrick.org | process: 89443f440d1ad224dc477da385537228_JaffaCakes118.exe | remote address: 8.8.8.8:53 | request: searchbrick.org IN A | response: none
  • flag-us | DNS | searchbrick.org | process: 89443f440d1ad224dc477da385537228_JaffaCakes118.exe | remote address: 8.8.8.8:53 | request: searchbrick.org IN A | response: none
  • 8.8.8.8:53 | clickbore.org | dns | 89443f440d1ad224dc477da385537228_JaffaCakes118.exe | sent 118 B | received 141 B | 2 requests | 1 response
    DNS Request: clickbore.org (x2)

  • 8.8.8.8:53 | clickwinston-salem.org | dns | 89443f440d1ad224dc477da385537228_JaffaCakes118.exe | sent 136 B | received 300 B | 2 requests | 2 responses
    DNS Request: clickwinston-salem.org (x2)

  • 8.8.8.8:53 | clickhartford.org | dns | 89443f440d1ad224dc477da385537228_JaffaCakes118.exe | sent 63 B | received 145 B | 1 request | 1 response
    DNS Request: clickhartford.org

  • 8.8.8.8:53 | searchbell.org | dns | 89443f440d1ad224dc477da385537228_JaffaCakes118.exe | sent 60 B | received 142 B | 1 request | 1 response
    DNS Request: searchbell.org

  • 8.8.8.8:53 | searchany.org | dns | 89443f440d1ad224dc477da385537228_JaffaCakes118.exe | sent 59 B | received 141 B | 1 request | 1 response
    DNS Request: searchany.org

  • 8.8.8.8:53 | clickicy.org | dns | 89443f440d1ad224dc477da385537228_JaffaCakes118.exe | sent 174 B | received 280 B | 3 requests | 2 responses
    DNS Request: clickicy.org (x3)

  • 8.8.8.8:53 | searchbrick.org | dns | 89443f440d1ad224dc477da385537228_JaffaCakes118.exe | sent 183 B | received 143 B | 3 requests | 1 response
    DNS Request: searchbrick.org (x3)


Downloads

  • \ProgramData\mLVrrSBWxbwm.exe

    Filesize

    455KB

    MD5

    89443f440d1ad224dc477da385537228

    SHA1

    3b04e1d02a3d563f95db27091f0357eaf93121f2

    SHA256

    16912916e639bbf566bedc9041a72cea4865c16eb0adbc289e635a0e4ede20e8

    SHA512

    fae1e6c86eca30840e5d3574c4a90debab6054316abd7cf686407a5a7a8553cb7ed347cee13bb72c832e5ecba541119afe23d0f32b60b7e83b6c9099affa9e36

  • memory/900-9-0x0000000000CA0000-0x0000000000D15000-memory.dmp

    Filesize

    468KB

  • memory/900-8-0x00000000022F0000-0x00000000025F0000-memory.dmp

    Filesize

    3.0MB

  • memory/900-11-0x0000000000CA0000-0x0000000000EE8000-memory.dmp

    Filesize

    2.3MB

  • memory/1048-1-0x00000000008A0000-0x0000000000A10000-memory.dmp

    Filesize

    1.4MB

  • memory/1048-2-0x0000000001360000-0x00000000013D5000-memory.dmp

    Filesize

    468KB

  • memory/1048-10-0x0000000001360000-0x00000000015A8000-memory.dmp

    Filesize

    2.3MB
