Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

8bd4cb1b51...18.exe

windows7-x64

7

8bd4cb1b51...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    29s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    11/08/2024, 20:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8bd4cb1b5181c898b69b84f6adbd366f_JaffaCakes118.exe

  • Size

    8.6MB

  • MD5

    8bd4cb1b5181c898b69b84f6adbd366f

  • SHA1

    4159859c761e3677e9798793c6f142f30c7e2dcf

  • SHA256

    8c173b0c7fe55305394d9dc73dc4073541cce13e8140c7d56f6fdd5f55ac9572

  • SHA512

    f3ba9e595d7e645a4c32cfec3c2358433a98624a7aa5c1a777238c3515681b4486012e5fc79b852f8f8fc6a48c44a47924ac8efa941dc32cc1c7dae60a38bcaf

  • SSDEEP

    196608:4hkM//zXYpGyYMSjvf2JbGeNmslKJyBBEEE++CmZYOo+EEEEEEEBBBBBBmmmmmm7:4ZzXYpGyYMSjvf2JbGeNmwKgBBEEE++K

Score
7/10
discoverypersistence

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in System32 directory 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8bd4cb1b5181c898b69b84f6adbd366f_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\8bd4cb1b5181c898b69b84f6adbd366f_JaffaCakes118.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:2380
    • C:\Windows\SysWOW64\cmd.exe
      cmd /k C:\tuto.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2248
      • C:\tuto.exe
        C:\tuto.exe
        3⤵
        • Executes dropped EXE
        PID:1184

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\tuto.exe
    Filesize

    14KB

    MD5

    251b9e5ea854eca172eb5a1ea480c718

    SHA1

    f2d3a641f762ebafce3fe60ba1bf764cd2a6bbec

    SHA256

    4ea747bcd91bc5fc5025b7eb4d4cbba6672a00361285550cb4ca55ad57c95337

    SHA512

    a850de833b3744d31ded0e72549b16614cea9f66a2c989505914de4600c4ffcde842a658d629e0980586cb2c424c3c946e148051a6c82f6ae987da8202d0f8bd

    Download Submit

  • memory/1184-6-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

    Download

  • memory/2380-0-0x0000000000230000-0x0000000000231000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2380-7-0x0000000000400000-0x0000000000CAC000-memory.dmp

    Filesize

    8.7MB

    Download

  • memory/2380-9-0x0000000000230000-0x0000000000231000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2380-10-0x0000000000400000-0x0000000000CAC000-memory.dmp

    Filesize

    8.7MB

    Download

  • memory/2380-17-0x0000000000400000-0x0000000000CAC000-memory.dmp

    Filesize

    8.7MB

    Download