Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

b06eed81f8...18.exe

windows7-x64

7

b06eed81f8...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    142s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    20/08/2024, 18:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b06eed81f84cb14877870a084249dd7c_JaffaCakes118.exe

  • Size

    348KB

  • MD5

    b06eed81f84cb14877870a084249dd7c

  • SHA1

    c1899cd96b5cb62a3245ffd8f1a7e2583af044c7

  • SHA256

    4f5113291c089577e0e55ed1f5bccfc8844cb0d52e3193d8620ae0c6ceecbcbe

  • SHA512

    b0bdc4c35849b954073fc95f722d9f9fcdeda6064763c7946c5e15e9a318823303f9196767ff022d2a810125cf39fa28f2887fa8c3fd248b17e22bdcf2527de3

  • SSDEEP

    6144:jlt0FBuElqMfzP+qVoEw8vApAWjg/qQYdpsh8I1lfJCpN53KhpKVH/5B2BLyOSMK:xKaExfr+qVrwYApTgXYw88fwupqfM+

Score
7/10
discovery

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 3 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b06eed81f84cb14877870a084249dd7c_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\b06eed81f84cb14877870a084249dd7c_JaffaCakes118.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2452
    • C:\Windows\Svghost.exe
      C:\Windows\Svghost.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2212
      • C:\Windows\SysWOW64\notepad.exe
        "C:\Windows\system32\notepad.exe"
        3⤵
          PID:2736
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2212 -s 300
          3⤵
          • Program crash
          PID:2836
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c C:\Windows\Delet.bat
        2⤵
        • Deletes itself
        • System Location Discovery: System Language Discovery
        PID:2700

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\Delet.bat
      Filesize

      212B

      MD5

      8c844080436bf4513b773e434d067278

      SHA1

      371fcefe7b168ae2666992276fa413b0d6068c0e

      SHA256

      ea4df1a75c60896077884a21389a6757af9bcf963cf0ccfee6f68f513d348a8c

      SHA512

      22eb8009dc761a94d64a79bc43d9f675ab0c4d864884823bc51fb913ec1e2e33f708d6864556e272fb227065ab355f1e8d230969b3cd1723254bdd5575c664db

      Download Submit

    • C:\Windows\Svghost.exe
      Filesize

      348KB

      MD5

      b06eed81f84cb14877870a084249dd7c

      SHA1

      c1899cd96b5cb62a3245ffd8f1a7e2583af044c7

      SHA256

      4f5113291c089577e0e55ed1f5bccfc8844cb0d52e3193d8620ae0c6ceecbcbe

      SHA512

      b0bdc4c35849b954073fc95f722d9f9fcdeda6064763c7946c5e15e9a318823303f9196767ff022d2a810125cf39fa28f2887fa8c3fd248b17e22bdcf2527de3

      Download Submit

    • memory/2212-8-0x00000000001D0000-0x00000000001D1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2212-21-0x00000000001D0000-0x00000000001D1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2212-20-0x0000000000400000-0x0000000000507000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/2452-0-0x00000000003C0000-0x00000000003C1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2452-18-0x00000000003C0000-0x00000000003C1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2452-19-0x0000000000400000-0x0000000000507000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/2452-33-0x0000000000400000-0x0000000000507000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/2736-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2736-16-0x0000000000400000-0x0000000000507000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/2736-14-0x0000000000400000-0x0000000000507000-memory.dmp

      Filesize

      1.0MB

      Download