Analysis

  • max time kernel
    150s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    14/08/2024, 11:25

General

  • Target

    95e76c242eadbaf1d75503d46482c8ca_JaffaCakes118.exe

  • Size

    89KB

  • MD5

    95e76c242eadbaf1d75503d46482c8ca

  • SHA1

    d85e6e881ef477ea6111c85d80a5e2af8986cbbd

  • SHA256

    6b58e0a021bf4e2ab87aec4e40b3415ee313d7d1d24be6d413334ec6f4ff0c26

  • SHA512

    1bbd5cd879f2db2cd8414035996f04327e931ca65e0b127de0c553e2c0a25aacb3041eaac2a6103592d8a9d3c0744bd00283c75af765e274f92b620cffabe9ad

  • SSDEEP

    768:MrFPx8ceViHNaZyiJHFlnjSSO3c1boD9d9rA49U6n1hPLJ890GMkJ5z9o6je4K6m:MByKNaZXWYEi4K6nPMbLRoMe4KBd

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of the victim machine in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\95e76c242eadbaf1d75503d46482c8ca_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\95e76c242eadbaf1d75503d46482c8ca_JaffaCakes118.exe"
    1⤵
    • Enumerates connected drives
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4944
    • C:\ProgramData\DownloadSave\geolvok.exe
      "C:\ProgramData\DownloadSave\geolvok.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Deletes itself
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3908
      • C:\ProgramData\DownloadSave\ geolvok.exe
        "C:\ProgramData\DownloadSave\ geolvok.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:804

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\DownloadSave\RecordPath

    Filesize

    260B

    MD5

    afa19469d1bc271f1409fc50d3559ad6

    SHA1

    234bcf5b96b1099018f3d182b99045440ef5275f

    SHA256

    051c9b48e10495090a510f0047693f5341752ba7cf3b84423da9629fd10aa4d2

    SHA512

    5eb6064888abcaf48c448b98393c914f75ed13f249cc03e2df867c1266972b965343278974f7ae6087ea493ae974bf47d0171cc92cf2abdb8d46e10ecda53d4c

  • C:\ProgramData\DownloadSave\geolvok.exe

    Filesize

    89KB

    MD5

    95e76c242eadbaf1d75503d46482c8ca

    SHA1

    d85e6e881ef477ea6111c85d80a5e2af8986cbbd

    SHA256

    6b58e0a021bf4e2ab87aec4e40b3415ee313d7d1d24be6d413334ec6f4ff0c26

    SHA512

    1bbd5cd879f2db2cd8414035996f04327e931ca65e0b127de0c553e2c0a25aacb3041eaac2a6103592d8a9d3c0744bd00283c75af765e274f92b620cffabe9ad