Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

6

Static

static

3

a700f3fa0a...18.exe

windows7-x64

6

a700f3fa0a...18.exe

windows10-2004-x64

6

Analysis

  • max time kernel
    122s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    18/08/2024, 14:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a700f3fa0a5022c8f6e7e8dee63f7980_JaffaCakes118.exe

  • Size

    136KB

  • MD5

    a700f3fa0a5022c8f6e7e8dee63f7980

  • SHA1

    9b7bb5746970f6c19b431c848fdd3412f70d9391

  • SHA256

    90faf09201883b1c21cd12ee971565d74b56a0485d9e8130666dc51d40ee718f

  • SHA512

    e51633b9fec76019134ccc8dc8f57928b5659a61c86079f2096ef0361b61961f35f4e6bedd205b6a3478996e67860e4abb50fee8c7edfb9c5df68ad777541ee2

  • SSDEEP

    3072:h/B/FFRm6XZtztFaSy3kJzXMF8i8I4SE1bMppw1lXOPXsInXVb:h/LmxUZsDPZE1Mppw1lXOPXsInl

Score
6/10
discoverypersistenceprivilege_escalation

Malware Config

Signatures

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in Windows directory 4 IoCs
  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a700f3fa0a5022c8f6e7e8dee63f7980_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\a700f3fa0a5022c8f6e7e8dee63f7980_JaffaCakes118.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2180
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c netsh dump > C:/WINDOWS/lala.txt
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2744
      • C:\Windows\SysWOW64\netsh.exe
        netsh dump
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:1064
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c netsh exec C:/WINDOWS/lala2.txt
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2732
      • C:\Windows\SysWOW64\netsh.exe
        netsh exec C:/WINDOWS/lala2.txt
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:2672

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\WINDOWS\lala.txt
    Filesize

    7KB

    MD5

    dfe4f6b192a47c468a6dc3aff4d95691

    SHA1

    0eaaed79b8ea2c6946d739fabbe32e99ccd13076

    SHA256

    3177a401de08418239baad1c9fdcf3d6539c76c63f3b8e434be41cdcb1864e60

    SHA512

    b2c8cdf7310c681e8133da83e96a150c8dc14ac80a6d6bde6d898a2edfba0da96d8a2c5bc032224d780b6001de686c1491fa107668dcea67e1b9d860c7903b2d

    Download Submit

  • C:\WINDOWS\lala2.txt
    Filesize

    7KB

    MD5

    de5028745569d8d1916152524614a229

    SHA1

    0539eca1c005061f0c0a40021e83852fac73632a

    SHA256

    6573e66f33bfbab8003c7868aba2b66a29d9c8ed4cba0a60b7112a92a8f2d0fa

    SHA512

    1803d606a805bbdc63a6b98cbd978287e663e253b034b4a1ae08cb2391540b49d958af78310b937ba43f7aae97ed674e12365e6211426b9ca7d234ba5391fe08

    Download Submit