Analysis

  • max time kernel
    122s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    19/08/2024, 15:15

General

  • Target

    ab83de45d1c16a443b1ec4baa184a233_JaffaCakes118.exe

  • Size

    208KB

  • MD5

    ab83de45d1c16a443b1ec4baa184a233

  • SHA1

    78d05f2d0a3543491217be713abb945f694c4cbe

  • SHA256

    0cbab79640d1995356806068a77d58d4980ba18e21d22a775246807cf811330d

  • SHA512

    c93c338029e7ef8cb272a1891630ac238d4a4e52939420d94c2960198756d121c0048930d936926e32cfc4d9314c4d8ac498224ca339f99d6b239f16908d111f

  • SSDEEP

    3072:tChJgYMm4xf9cU9KQ2BxA59SPMpOoin2t:JYMm4xiWKQ2BiCM7

Score
10/10

Malware Config

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    ftp.tripod.com
  • Port:
    21
  • Username:
    onthelinux
  • Password:
    741852abc

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ab83de45d1c16a443b1ec4baa184a233_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\ab83de45d1c16a443b1ec4baa184a233_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2604
    • C:\Program Files (x86)\dab134a6\jusched.exe
      "C:\Program Files (x86)\dab134a6\jusched.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:768

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\dab134a6\dab134a6

    Filesize

    17B

    MD5

    89931a70501a3362b6823b53523f5a77

    SHA1

    88c7e199c462ed8cc3af0ba453512b5b1fdcfdb5

    SHA256

    d30d9a0e64bc9f4a306617f087f30de6d57a5413793ab7bde13a299777a1b254

    SHA512

    8fa7ab4824ae86f3f47b3718c11f79ef275dd0639396572eaeb1262ad9153ccf43c633a7b292e30c97370436a09f22fbcf817a802015650ffb1f84d2b83483bd

  • \Program Files (x86)\dab134a6\jusched.exe

    Filesize

    208KB

    MD5

    0a30cb7537d691d205fb2523015dd35a

    SHA1

    53f40d70057154db1bf1aff0853f0c8933aea3cc

    SHA256

    012c035c2004da32957d6195ab27de4123f33dad51ef105703ef0b5446790d83

    SHA512

    b083d35a82bc1e11a0581aa1fec36368d20bcff3a736c090cf8b3c01dc0f78d12f02b671691a48eafb753807e043d35e6c968e4fd826dcf152fbfc3ae6fba0b1