Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

3

8cf2650520...18.exe

windows7-x64

8

8cf2650520...18.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    139s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12/08/2024, 02:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8cf26505203d553b12a389b745cc56b1_JaffaCakes118.exe

  • Size

    115KB

  • MD5

    8cf26505203d553b12a389b745cc56b1

  • SHA1

    86d99689b024fa5e00011488730322f8f33fab22

  • SHA256

    5e38850c7d084959ee0d62fa802a9c3fd567d7c5229beb7dc6a7eb76e33bd34a

  • SHA512

    48da22bd849cf34e3bb1b048bc7b096a781cb39b5fe0ed8234117f234e06d3d54215e3675591c2278ddf36380e494cffaa68edbf32b5d646241d1b7f82ad9b41

  • SSDEEP

    1536:KUthJ4DCIiGIgT3DPdk9ypoSQnUJsBhNLw82aDBFtVltvHC8Yyx:KUtLFlgfPdk9ypHJqBhN0kDBFtpi8

Score
8/10
defense_evasiondiscoveryexploit

Malware Config

Signatures

  • Possible privilege escalation attempt 2 IoCs
    exploit
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Modifies file permissions 1 TTPs 2 IoCs
    discovery
  • File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
    defense_evasion
  • Drops file in System32 directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch -p
    1⤵
      PID:808
    • C:\Users\Admin\AppData\Local\Temp\8cf26505203d553b12a389b745cc56b1_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\8cf26505203d553b12a389b745cc56b1_JaffaCakes118.exe"
      1⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4976
      • C:\Windows\SysWOW64\regsvr32.exe
        "C:\Windows\system32\regsvr32.exe" /s C:\Users\Admin\AppData\Local\Temp\~~e5785ba.tmp ,C:\Users\Admin\AppData\Local\Temp\8cf26505203d553b12a389b745cc56b1_JaffaCakes118.exe
        2⤵
        • Deletes itself
        • Loads dropped DLL
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2940
        • C:\Windows\SysWOW64\takeown.exe
          takeown /f "C:\Windows\system32\rpcss.dll"
          3⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:3188
        • C:\Windows\SysWOW64\icacls.exe
          icacls "C:\Windows\system32\rpcss.dll" /grant administrators:F
          3⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          • System Location Discovery: System Language Discovery
          PID:5032

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\~~e5785ba.tmp
      Filesize

      1.1MB

      MD5

      3b009b7fe9e96fb76d26425c8f6b8a59

      SHA1

      dd6e7ea240b7aaee747ed8b48509a64744aea995

      SHA256

      073a122a22ba82652c700acdf1ef60593e5d69c068ae221b392e060b7f7235be

      SHA512

      f4e12d3734d6510029af2322ae5e7ce057dd77d2786052cc7743d7d72d6fbe9095093eb5050e891354c2b9bf7fc2b2e348627257c3ad7d0e9f189dcd762220ab

      Download Submit

    • C:\Windows\SysWOW64\apa.dll
      Filesize

      225B

      MD5

      b37a723a56cd2aea6b461c2c1ae482ff

      SHA1

      51fb42b1da9a0d8a71465ac9f3044ede9ea8c8d6

      SHA256

      740ccc3c65beaab40dc4ea85096a42a3afd09d5fb94261d6ca49434e848b3247

      SHA512

      47d713021919d7b8f56954d20e238d81de006a135dc0b8f9c507445dcc791b0b16041436998d46b2abb0d285ccbde69768c14eadb0dfd8621a4011f0e1aa5e53

      Download Submit