Analysis

  • max time kernel
    140s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    19/08/2024, 09:32 UTC

General

  • Target

    aa7b777afa59786efa6afed0b2a90bc7_JaffaCakes118.exe

  • Size

    2.6MB

  • MD5

    aa7b777afa59786efa6afed0b2a90bc7

  • SHA1

    64aaace74242a8bd6021972c31109be55b0bd23e

  • SHA256

    4111f454e46c26efbd050f563025445c7d54d05e3a7ab8488fcbddf4816d277e

  • SHA512

    cd394a5629855b780a95589bac2ce29b1ab7ff2ba9a5bb02a8d8500a9a599979f5c92fbb66c4971b50792838e0da546170208a865abf181963d200de03cd609a

  • SSDEEP

    49152:oDy796EvMtTx435MtV+On5vMNbcwO6m2zGKYraTh+ZTOdFrxviiBI1r7:f7AEvgVOA5WbcoHzGlr8h+5q4iU

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\aa7b777afa59786efa6afed0b2a90bc7_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\aa7b777afa59786efa6afed0b2a90bc7_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2044
    • C:\Users\Admin\AppData\Local\Temp\is-BH8A2.tmp\aa7b777afa59786efa6afed0b2a90bc7_JaffaCakes118.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-BH8A2.tmp\aa7b777afa59786efa6afed0b2a90bc7_JaffaCakes118.tmp" /SL5="$40128,2357949,153088,C:\Users\Admin\AppData\Local\Temp\aa7b777afa59786efa6afed0b2a90bc7_JaffaCakes118.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2256
      • C:\Users\Admin\AppData\Local\Temp\is-6LFRJ.tmp\WMF.exe
        "C:\Users\Admin\AppData\Local\Temp\is-6LFRJ.tmp\WMF.exe" /aid=151 /sub=24 /sid=90 /name="plastics_engineering_do_r.j._crawford.httpdaddyfiledir.comsearch.php?q=plastics_engineering_do_r.j._crawford.1080bps.rar" /fid= /stats=4MfjgaseDYywNLlrmlBvrOqJEb3SsG/xk0ro4ECrhmAZFSqck1QkVotAgt//7ToA40FUk0Bm7oytE8wz9mepgg== /param=0
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2872

Network

  • flag-us
    DNS
    1.list.fullmedialibrary.com
    WMF.exe
    Remote address:
    8.8.8.8:53
    Request
    1.list.fullmedialibrary.com
    IN A
    Response
  • flag-us
    DNS
    mfapi.com
    WMF.exe
    Remote address:
    8.8.8.8:53
    Request
    mfapi.com
    IN A
    Response
    mfapi.com
    IN A
    45.56.79.23
    mfapi.com
    IN A
    96.126.123.244
    mfapi.com
    IN A
    45.33.18.44
    mfapi.com
    IN A
    45.33.23.183
    mfapi.com
    IN A
    72.14.185.43
    mfapi.com
    IN A
    45.33.20.235
    mfapi.com
    IN A
    72.14.178.174
    mfapi.com
    IN A
    45.79.19.196
    mfapi.com
    IN A
    198.58.118.167
    mfapi.com
    IN A
    45.33.2.79
    mfapi.com
    IN A
    45.33.30.197
    mfapi.com
    IN A
    173.255.194.134
  • flag-us
    GET
    http://mfapi.com/?action=log&category=MF_micro_install
    WMF.exe
    Remote address:
    45.56.79.23:80
    Request
    GET /?action=log&category=MF_micro_install 1.0.0.8&event=MicroInstaller&label=Start HTTP/1.0
    Host: mfapi.com
    Keep-Alive: 300
    Connection: keep-alive
    User-Agent: MicroInstaller
    Response
    HTTP/1.1 400 Bad request
    Content-length: 90
    Cache-Control: no-cache
    Connection: close
    Content-Type: text/html
  • 45.56.79.23:80
    http://mfapi.com/?action=log&category=MF_micro_install
    http
    WMF.exe
    504 B
    379 B
    7
    4

    HTTP Request

    GET http://mfapi.com/?action=log&category=MF_micro_install

    HTTP Response

    400
  • 8.8.8.8:53
    1.list.fullmedialibrary.com
    dns
    WMF.exe
    73 B
    146 B
    1
    1

    DNS Request

    1.list.fullmedialibrary.com

  • 8.8.8.8:53
    mfapi.com
    dns
    WMF.exe
    55 B
    247 B
    1
    1

    DNS Request

    mfapi.com

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\is-6LFRJ.tmp\default.xml

    Filesize

    2KB

    MD5

    4c219b78a305d3e52c811542154bb224

    SHA1

    7efe3e383b29c808cfb3ad0fd90d627ea7b2b2bf

    SHA256

    a0dbdc08f771e32a5ef06f47b436afb270e860578971a974db0c34c0c1366a7c

    SHA512

    bced9584568b011c0b2013e48d6b9503f77b01c57e2049722326a40363ce42c533e590c4583cf0cf3a5391f3208db8135b5afdc27ae7359af3ded66b11e628b8

  • \Users\Admin\AppData\Local\Temp\is-6LFRJ.tmp\WMF.exe

    Filesize

    3.4MB

    MD5

    4c77196ae965e00a0ab6a1e3b3e4212d

    SHA1

    70e1a827223c352fabd41f659220a528b33de320

    SHA256

    394574c33ab45971acc0a4840fa163a8d9884f9ebefe6b252d400544c34d0048

    SHA512

    7889c1c1272259637f315cb64451b03b4b803d494b557d73ad97f906ef2c4831824e2355cd811d098ab7c35b81de3bf3a938ce80d442dd67b8e50d64571fda36

  • \Users\Admin\AppData\Local\Temp\is-6LFRJ.tmp\_isetup\_shfoldr.dll

    Filesize

    22KB

    MD5

    92dc6ef532fbb4a5c3201469a5b5eb63

    SHA1

    3e89ff837147c16b4e41c30d6c796374e0b8e62c

    SHA256

    9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

    SHA512

    9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

  • \Users\Admin\AppData\Local\Temp\is-BH8A2.tmp\aa7b777afa59786efa6afed0b2a90bc7_JaffaCakes118.tmp

    Filesize

    1.1MB

    MD5

    8811a0652c18dbcf68955f99df537eb8

    SHA1

    70cff6c43c0f873295dc085018639dff02f33012

    SHA256

    d69f51e65e3944891ec9c392b3d7410d81f8f93e55b9071584bfd1d384862230

    SHA512

    ed2ff6cfe272a8ae260233a1bb653adc0eaae13388418a9dea692b9924999d89b8677b8669fa24dcb0c606cfca7045bef779e1c58547f3f17d5096cbbe31d60a

  • memory/2044-0-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

  • memory/2044-2-0x0000000000401000-0x0000000000417000-memory.dmp

    Filesize

    88KB

  • memory/2044-43-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

  • memory/2256-8-0x0000000000400000-0x0000000000529000-memory.dmp

    Filesize

    1.2MB

  • memory/2256-42-0x0000000000400000-0x0000000000529000-memory.dmp

    Filesize

    1.2MB

  • memory/2872-40-0x0000000000400000-0x00000000007FF000-memory.dmp

    Filesize

    4.0MB

  • memory/2872-46-0x0000000000400000-0x00000000007FF000-memory.dmp

    Filesize

    4.0MB

  • memory/2872-74-0x0000000000400000-0x00000000007FF000-memory.dmp

    Filesize

    4.0MB
