Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    18/08/2024, 14:25

General

  • Target

    a700f3fa0a5022c8f6e7e8dee63f7980_JaffaCakes118.exe

  • Size

    136KB

  • MD5

    a700f3fa0a5022c8f6e7e8dee63f7980

  • SHA1

    9b7bb5746970f6c19b431c848fdd3412f70d9391

  • SHA256

    90faf09201883b1c21cd12ee971565d74b56a0485d9e8130666dc51d40ee718f

  • SHA512

    e51633b9fec76019134ccc8dc8f57928b5659a61c86079f2096ef0361b61961f35f4e6bedd205b6a3478996e67860e4abb50fee8c7edfb9c5df68ad777541ee2

  • SSDEEP

    3072:h/B/FFRm6XZtztFaSy3kJzXMF8i8I4SE1bMppw1lXOPXsInXVb:h/LmxUZsDPZE1Mppw1lXOPXsInl

Malware Config

Signatures

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in Windows directory 4 IoCs
  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. This signature is keyed on netsh.exe execution; the two invocations in the tree below (netsh dump, netsh exec) export and replay network configuration, and no "add helper" registration of a DLL appears in the visible command lines.

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a700f3fa0a5022c8f6e7e8dee63f7980_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\a700f3fa0a5022c8f6e7e8dee63f7980_JaffaCakes118.exe"
    • Adds Run key to start application
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:400
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c netsh dump > C:/WINDOWS/lala.txt
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3712
      • C:\Windows\SysWOW64\netsh.exe
        netsh dump
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:3192
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c netsh exec C:/WINDOWS/lala2.txt
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2252
      • C:\Windows\SysWOW64\netsh.exe
        netsh exec C:/WINDOWS/lala2.txt
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:4016
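
The tree above shows the sample driving netsh through cmd.exe twice: netsh dump with its output redirected into C:\WINDOWS\lala.txt, then netsh exec on C:\WINDOWS\lala2.txt, which is a different file (the two dropped files in the Downloads section have different hashes). netsh dump writes the current network configuration out as a netsh script and netsh exec replays such a script, so the pair rewrites host network settings without registering a helper DLL. The following Python triage script is an added example, not part of the tria.ge report or any vendor tooling. It reconstructs the tree as Sysmon-style process-creation records (the field names, the sample's parent PID 1234 and the benign control event are assumptions) and flags a redirected dump, an exec of a script that is not the dump just taken, an "add helper" DLL registration (not observed here) and any netsh whose ancestry includes an image in a user-writable directory.

```python
"""Triage check for the netsh dump/exec pattern seen in the process tree.

Added example, not code from the tria.ge report or from Hatching. The event
records are constructed to mirror the report's process tree; the field names
are modelled on Sysmon Event ID 1 and are an assumption, not a real export.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed from the report's tree. PIDs are the report's; parent PIDs follow
# the tree's nesting. The sample's own parent (1234) and the benign control
# event (pid 5000, an admin running netsh from a console) are invented.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\a700f3fa0a5022c8f6e7e8dee63f7980_JaffaCakes118.exe"
EVENTS = [
    ProcEvent(400, 1234, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(3712, 400, r"C:\Windows\SysWOW64\cmd.exe", "cmd.exe /c netsh dump > C:/WINDOWS/lala.txt"),
    ProcEvent(3192, 3712, r"C:\Windows\SysWOW64\netsh.exe", "netsh dump"),
    ProcEvent(2252, 400, r"C:\Windows\SysWOW64\cmd.exe", "cmd.exe /c netsh exec C:/WINDOWS/lala2.txt"),
    ProcEvent(4016, 2252, r"C:\Windows\SysWOW64\netsh.exe", "netsh exec C:/WINDOWS/lala2.txt"),
    ProcEvent(5000, 600, r"C:\Windows\System32\netsh.exe", "netsh interface show interface"),
]

# 'netsh dump' has no output option of its own; the redirection lives in the
# parent cmd.exe command line, so both the child and parent lines are checked.
NETSH_DUMP_REDIRECT = re.compile(r"\bnetsh(?:\.exe)?\s+dump\b[^>]*>\s*(\S+)", re.I)
NETSH_EXEC = re.compile(r"\bnetsh(?:\.exe)?\s+exec\s+(\S+)", re.I)
# Not present in this report: the command that actually registers a helper DLL.
NETSH_ADD_HELPER = re.compile(r"\bnetsh(?:\.exe)?\s+add\s+helper\s+(\S+)", re.I)


def norm_path(p: str) -> str:
    """Strip quotes, unify slashes and case so paths compare reliably."""
    return p.strip('"').replace("/", "\\").lower()


def user_writable(image: str) -> bool:
    p = norm_path(image)
    return p.startswith("c:\\users\\") or "\\appdata\\" in p or "\\temp\\" in p


def ancestry(pid, by_pid):
    """Image paths from the process up to the last ancestor present in the events."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid].image)
        pid = by_pid[pid].ppid
    return chain


def own_and_parent_cmdlines(ev, by_pid):
    parent = by_pid.get(ev.ppid)
    return [ev.cmdline] + ([parent.cmdline] if parent else [])


def first_match(regex, cmdlines):
    for cl in cmdlines:
        m = regex.search(cl)
        if m:
            return norm_path(m.group(1))
    return None


def analyze(events):
    by_pid = {e.pid: e for e in events}
    netsh = [e for e in events if norm_path(e.image).endswith("\\netsh.exe")]

    # Pass 1: files produced by a redirected 'netsh dump'.
    dumped = {t for e in netsh if (t := first_match(NETSH_DUMP_REDIRECT, own_and_parent_cmdlines(e, by_pid)))}

    findings = []
    for e in netsh:
        lines = own_and_parent_cmdlines(e, by_pid)
        chain = ancestry(e.pid, by_pid)
        base = {"pid": e.pid, "chain": chain}
        if (t := first_match(NETSH_DUMP_REDIRECT, lines)):
            findings.append({"rule": "netsh_dump_to_file", "target": t, **base})
        if (t := first_match(NETSH_EXEC, lines)):
            # A replayed script that is not the dump just taken was written by something else.
            findings.append({"rule": "netsh_exec_script", "target": t, "from_dump": t in dumped, **base})
        if (t := first_match(NETSH_ADD_HELPER, lines)):
            findings.append({"rule": "netsh_add_helper_dll", "target": t, **base})
        if any(user_writable(img) for img in chain[1:]):
            findings.append({"rule": "netsh_user_writable_ancestor", **base})
    return findings


if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f["rule"], f["pid"], f.get("target", ""), " <- ".join(f["chain"]))
```

Run against the constructed records, the script raises four findings: the redirected dump and the user-writable ancestor for PID 3192, and the exec of lala2.txt (not the file that was dumped) plus the same ancestry flag for PID 4016. The console-launched netsh control produces nothing, and the helper-DLL rule stays silent, which matches what the command lines in this report actually show.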

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\WINDOWS\lala.txt

    Filesize

    7KB

    MD5

    da80a7d8cfb8dfe26818c5d5aa3009f1

    SHA1

    fd4088d23f67283cc89c07f199008ae5125aabe1

    SHA256

    993623c6d922453de06601cafc358f16d99d3ef4ae331f8217006d820a395f99

    SHA512

    5999bf754ab5fa20d131d58bc55489ab3b93939fbaf47eb25da8eef2636ee5890608ee3837e44584e1d42f97d1d99f66c8c05edc74a267349cb0d55bd85d758c

  • C:\WINDOWS\lala2.txt

    Filesize

    7KB

    MD5

    0530be8f144af093ece510858898c335

    SHA1

    98bbcc6621148f9195e2e4b2f13c7aab92abfb82

    SHA256

    ee8ea3b33216356e08a2fd35da3ec81320b9cfff1bef6393cd6c4addcab5e565

    SHA512

    425ff4033a05cda35ecca451f9caf6d38a36567258c6280dec39c352880be41581be0a24aaf6ac9dcaf32288aa69fce344c78eb9a41cbb6ccfc24c807dd6d4df