Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

a78e31f8dd...18.exe

windows7-x64

7

a78e31f8dd...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    140s
  • max time network
    138s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18/08/2024, 17:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a78e31f8dd0f0bdfba3ac41a9aca0e74_JaffaCakes118.exe

  • Size

    749KB

  • MD5

    a78e31f8dd0f0bdfba3ac41a9aca0e74

  • SHA1

    911d6b6935186af44c5b025f5c865d1868175ba0

  • SHA256

    4de51b65f656de8832f10d888b9e00cf514623ebe047eca595a1afd94583fb13

  • SHA512

    b2c6dd309f8b9ef2f1571bdb1e90e06c91047b505deb58d505b84ad146c541ff92604ab5bc454f7ec834398d402ae7e78377c634c8bd43f1ed5f7a3f15b1af86

  • SSDEEP

    12288:7zGqvIontiXisXENKxAQkSknc9NLSCmlinPkyCrljtlESJk9v+LZJ8Ebm8qln:7zyontiXTVavSzLZJkyaZtySJk9v+Lw/

Score
7/10
discovery

Malware Config

Signatures

  • Loads dropped DLL 4 IoCs
  • Drops file in System32 directory 14 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 48 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3552
      • C:\Users\Admin\AppData\Local\Temp\a78e31f8dd0f0bdfba3ac41a9aca0e74_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\a78e31f8dd0f0bdfba3ac41a9aca0e74_JaffaCakes118.exe"
        2⤵
        • Loads dropped DLL
        • Drops file in System32 directory
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2200
        • C:\Users\Admin\AppData\Local\Temp\a78e31f8dd0f0bdfba3ac41a9aca0e74_JaffaCakes118.exe
          "C:\Users\Admin\AppData\Local\Temp\a78e31f8dd0f0bdfba3ac41a9aca0e74_JaffaCakes118.exe"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:3512

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\SysWOW64\SQLPARSE.DLL
      Filesize

      116KB

      MD5

      c1894302379227a8d6627011f6be1d75

      SHA1

      3c15b0658a8a5b525745ccd687be6a38a3abd266

      SHA256

      025723f897d36b4bf39010c805acb1161b46dbd243c3b965a71082e7ef9a0d56

      SHA512

      e67823777c78f859fbafdb8a7d0e063889d8afe321b68c0c5b15cfb65e3258b6260a40e2f20ad7387d004bf32a731e1aec43d45ed0d75d1f1c47fa88cc43bd0f

      Download Submit

    • C:\Windows\SysWOW64\sqlceqp30.dll
      Filesize

      591KB

      MD5

      60236c8c3b8c2d8b9a59326890533eb8

      SHA1

      8839efae91f2c4e29fb4813981b6a93f1996beb5

      SHA256

      badf0f5023ba9d7e5d7fea762e8f01ee2d8f41f7785fa6adb9d93af1f2181f8f

      SHA512

      fe8666a83542c3834d9e8cc201f1efb02570d96d5a9194c1bd23c50d65b6e6d0a4d40b691c24cb3f99b2c5b8b3fb3c300ef83d5a255f6734e1aa65e23ad8435d

      Download Submit

    • C:\Windows\SysWOW64\wpcmig.dll
      Filesize

      15KB

      MD5

      08a05ecbf424c635a9fb2400b898ab17

      SHA1

      c815bc830f0c1757da2a2e4cccfd6499d45daa6c

      SHA256

      c3e9aa8a639343189c3b8499cf3de8950318ecce8054e49e1de10777c22b9e62

      SHA512

      c615fabbd327408774b0a99bf0b668c3d6c849c3d2ce4b8bf41c0d79e8a0392de4140a42497eedc5b3e3316908fdb9914b979146c7c73a6489a3079dd1f73a86

      Download Submit

    • C:\Windows\SysWOW64\wshirda.dll
      Filesize

      10KB

      MD5

      7fcb0f27fdf12e3d42b03a74bc3196bb

      SHA1

      9b9bf198c4cd6332d1ba98c71ba1bf817c027153

      SHA256

      e4ae7894e962037ab85054ebfcfadc91d3d7b4d69d0f1ccba0fcf443aebd6cc7

      SHA512

      729599a2ec25a4c9b64a683f6cb8f4645aee0280c34f313c4083322559ec5bb65f47cbfc7482988fd9073d100aeb361afed4cf70b7aba729ca69bcebbf7035cc

      Download Submit

    • memory/2200-27-0x0000000000400000-0x00000000004E4000-memory.dmp

      Filesize

      912KB

      Download

    • memory/2200-0-0x0000000000400000-0x00000000004E4000-memory.dmp

      Filesize

      912KB

      Download

    • memory/3512-21-0x0000000000400000-0x0000000000409000-memory.dmp

      Filesize

      36KB

      Download

    • memory/3512-24-0x0000000000400000-0x0000000000409000-memory.dmp

      Filesize

      36KB

      Download

    • memory/3512-23-0x0000000000400000-0x0000000000408960-memory.dmp

      Filesize

      34KB

      Download

    • memory/3512-25-0x0000000000400000-0x0000000000409000-memory.dmp

      Filesize

      36KB

      Download

    • memory/3512-28-0x0000000000400000-0x0000000000408960-memory.dmp

      Filesize

      34KB

      Download

    • memory/3552-29-0x000000007FFF0000-0x000000007FFF7000-memory.dmp

      Filesize

      28KB

      Download

    • memory/3552-30-0x000000007FFD0000-0x000000007FFD1000-memory.dmp

      Filesize

      4KB

      Download