Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

a317c563f8...18.exe

windows7-x64

7

a317c563f8...18.exe

windows10-2004-x64

1

Analysis

  • max time kernel
    142s
  • max time network
    95s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    17/08/2024, 15:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a317c563f808f32548c916c0393b1521_JaffaCakes118.exe

  • Size

    743KB

  • MD5

    a317c563f808f32548c916c0393b1521

  • SHA1

    a8a2ba9292e7b016acf69eb958ae9df17a57a95b

  • SHA256

    ec5af709ccfd77c32a4f581266bed797a13564e79cd18e193b79302ff173d213

  • SHA512

    9745b11e4fb932633bf129a06729845c128cd7410c84b2c1a8cab1fede04ea785838e858b2e1d1d27ccec6471fcded0509f3a139a45da13b15d2dbed05b4aa31

  • SSDEEP

    12288:tRn8S++U4u/n/80dW5A0zyo6JwQ5oAlK+GPHvZJIk6bQQ52LYRg08yPwDRYQ:X8MU4ufxdW5A2mJr/kNHv/Ik633Y

Score
7/10
discovery

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies data under HKEY_USERS 28 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a317c563f808f32548c916c0393b1521_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\a317c563f808f32548c916c0393b1521_JaffaCakes118.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3008
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Windows\61642520.BAT
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2152
  • C:\Windows\svchost.exe
    C:\Windows\svchost.exe
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:2520
    • C:\Program Files\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
      2⤵
        PID:2196

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\61642520.BAT
      Filesize

      218B

      MD5

      aeec2f0044fbcdc32fd3295cce721c54

      SHA1

      418f6abf866b7915c7983d31a1a9a21bd4867733

      SHA256

      073cef2737bc13f97f9be7f257abf45105e5a7f5be5869650b814ae5aabe0730

      SHA512

      ba1f055fc36b8f4de08e6069dd3073be34372564bec0f480aca263cff3e6f0c34b0341cf947990056b32e26d82085c1ac068d9c5b41b8d46a5a8522badf28bae

      Download Submit

    • C:\Windows\svchost.exe
      Filesize

      743KB

      MD5

      a317c563f808f32548c916c0393b1521

      SHA1

      a8a2ba9292e7b016acf69eb958ae9df17a57a95b

      SHA256

      ec5af709ccfd77c32a4f581266bed797a13564e79cd18e193b79302ff173d213

      SHA512

      9745b11e4fb932633bf129a06729845c128cd7410c84b2c1a8cab1fede04ea785838e858b2e1d1d27ccec6471fcded0509f3a139a45da13b15d2dbed05b4aa31

      Download Submit

    • memory/2520-4-0x0000000000250000-0x0000000000251000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2520-15-0x0000000000400000-0x00000000004C2000-memory.dmp

      Filesize

      776KB

      Download

    • memory/2520-16-0x0000000000250000-0x0000000000251000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2520-20-0x0000000000400000-0x00000000004C2000-memory.dmp

      Filesize

      776KB

      Download

    • memory/3008-0-0x00000000003C0000-0x00000000003C1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3008-13-0x0000000000400000-0x00000000004C2000-memory.dmp

      Filesize

      776KB

      Download