Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

7

b2095f390f...18.exe

windows7-x64

10

b2095f390f...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21/08/2024, 04:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b2095f390fb0ead7da09fb99ab445217_JaffaCakes118.exe

  • Size

    72KB

  • MD5

    b2095f390fb0ead7da09fb99ab445217

  • SHA1

    d75f71239793ae14daa569b4513f123a72fc8abf

  • SHA256

    a90ac1cae52f3777a1ef48c691298efaf7a3ab55e8e6c07817815f2cb77d7d8d

  • SHA512

    7b9f729a27da7da75f9bb3d33ca1dc856fcf86199c9551fb95f1a6ad31adc2240e7f6d285ef260c8da68c4ce8966d04b8fcd59ee463507966e8fda0fd599a351

  • SSDEEP

    1536:MgIdZxAz/Z41Wq02reJj3OCA025rn8hhWpgPPOgCZxk5v:wLxAzBiWqRr+3OCAfT8hwph

Score
10/10
discoveryevasionupx

Malware Config

Signatures

  • Modifies security service 2 TTPs 22 IoCs
    evasion
  • Executes dropped EXE 10 IoCs
  • UPX packed file 13 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in System32 directory 22 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 33 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Runs .reg file with regedit 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b2095f390fb0ead7da09fb99ab445217_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\b2095f390fb0ead7da09fb99ab445217_JaffaCakes118.exe"
    1⤵
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:5080
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c c:\a.bat
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:744
      • C:\Windows\SysWOW64\regedit.exe
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        3⤵
        • Modifies security service
        • System Location Discovery: System Language Discovery
        • Runs .reg file with regedit
        PID:2400
    • C:\Windows\SysWOW64\qtime32.exe
      C:\Windows\system32\qtime32.exe 1148 "C:\Users\Admin\AppData\Local\Temp\b2095f390fb0ead7da09fb99ab445217_JaffaCakes118.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:724
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c c:\a.bat
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3708
        • C:\Windows\SysWOW64\regedit.exe
          REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
          4⤵
          • Modifies security service
          • System Location Discovery: System Language Discovery
          • Runs .reg file with regedit
          PID:2000
      • C:\Windows\SysWOW64\qtime32.exe
        C:\Windows\system32\qtime32.exe 1140 "C:\Windows\SysWOW64\qtime32.exe"
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4732
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c c:\a.bat
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1040
          • C:\Windows\SysWOW64\regedit.exe
            REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
            5⤵
            • Modifies security service
            • System Location Discovery: System Language Discovery
            • Runs .reg file with regedit
            PID:3724
        • C:\Windows\SysWOW64\qtime32.exe
          C:\Windows\system32\qtime32.exe 1116 "C:\Windows\SysWOW64\qtime32.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3548
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c c:\a.bat
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1328
            • C:\Windows\SysWOW64\regedit.exe
              REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
              6⤵
              • Modifies security service
              • System Location Discovery: System Language Discovery
              • Runs .reg file with regedit
              PID:4460
          • C:\Windows\SysWOW64\qtime32.exe
            C:\Windows\system32\qtime32.exe 1120 "C:\Windows\SysWOW64\qtime32.exe"
            5⤵
            • Executes dropped EXE
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4320
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c c:\a.bat
              6⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:960
              • C:\Windows\SysWOW64\regedit.exe
                REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                7⤵
                • Modifies security service
                • System Location Discovery: System Language Discovery
                • Runs .reg file with regedit
                PID:1524
            • C:\Windows\SysWOW64\qtime32.exe
              C:\Windows\system32\qtime32.exe 1112 "C:\Windows\SysWOW64\qtime32.exe"
              6⤵
              • Executes dropped EXE
              • Drops file in System32 directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:4060
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c c:\a.bat
                7⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:1280
                • C:\Windows\SysWOW64\regedit.exe
                  REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                  8⤵
                  • Modifies security service
                  • System Location Discovery: System Language Discovery
                  • Runs .reg file with regedit
                  PID:228
              • C:\Windows\SysWOW64\qtime32.exe
                C:\Windows\system32\qtime32.exe 1128 "C:\Windows\SysWOW64\qtime32.exe"
                7⤵
                • Executes dropped EXE
                • Drops file in System32 directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:1912
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c c:\a.bat
                  8⤵
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of WriteProcessMemory
                  PID:3948
                  • C:\Windows\SysWOW64\regedit.exe
                    REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                    9⤵
                    • Modifies security service
                    • System Location Discovery: System Language Discovery
                    • Runs .reg file with regedit
                    PID:4768
                • C:\Windows\SysWOW64\qtime32.exe
                  C:\Windows\system32\qtime32.exe 1124 "C:\Windows\SysWOW64\qtime32.exe"
                  8⤵
                  • Executes dropped EXE
                  • Drops file in System32 directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of WriteProcessMemory
                  PID:216
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c c:\a.bat
                    9⤵
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of WriteProcessMemory
                    PID:1540
                    • C:\Windows\SysWOW64\regedit.exe
                      REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                      10⤵
                      • Modifies security service
                      • System Location Discovery: System Language Discovery
                      • Runs .reg file with regedit
                      PID:4132
                  • C:\Windows\SysWOW64\qtime32.exe
                    C:\Windows\system32\qtime32.exe 1136 "C:\Windows\SysWOW64\qtime32.exe"
                    9⤵
                    • Executes dropped EXE
                    • Drops file in System32 directory
                    • System Location Discovery: System Language Discovery
                    PID:916
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c c:\a.bat
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:100
                      • C:\Windows\SysWOW64\regedit.exe
                        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                        11⤵
                        • Modifies security service
                        • System Location Discovery: System Language Discovery
                        • Runs .reg file with regedit
                        PID:1920
                    • C:\Windows\SysWOW64\qtime32.exe
                      C:\Windows\system32\qtime32.exe 1144 "C:\Windows\SysWOW64\qtime32.exe"
                      10⤵
                      • Executes dropped EXE
                      • Drops file in System32 directory
                      • System Location Discovery: System Language Discovery
                      PID:2568
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c c:\a.bat
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:4744
                        • C:\Windows\SysWOW64\regedit.exe
                          REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                          12⤵
                          • Modifies security service
                          • System Location Discovery: System Language Discovery
                          • Runs .reg file with regedit
                          PID:4604
                      • C:\Windows\SysWOW64\qtime32.exe
                        C:\Windows\system32\qtime32.exe 1132 "C:\Windows\SysWOW64\qtime32.exe"
                        11⤵
                        • Executes dropped EXE
                        • Drops file in System32 directory
                        • System Location Discovery: System Language Discovery
                        PID:2008
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c c:\a.bat
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:2304
                          • C:\Windows\SysWOW64\regedit.exe
                            REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                            13⤵
                            • Modifies security service
                            • System Location Discovery: System Language Discovery
                            • Runs .reg file with regedit
                            PID:1540

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize

    2KB

    MD5

    61ec72543aaac5c7b336d2b22f919c07

    SHA1

    5bddb1f73b24c2113e9bf8268640f75fb0f3bd8d

    SHA256

    088881ff28ef1240847decd884be366614865bf9660f862dbffa64d504467aea

    SHA512

    e8ed6c1813218a542e0449f6bcda47b9464f2445a5d4b20e20b657d5328eb9fd5ddf859e61794a0b3d32057590ac029064c078d5743fe1a316ca8fdf254f7f62

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize

    3KB

    MD5

    9e5db93bd3302c217b15561d8f1e299d

    SHA1

    95a5579b336d16213909beda75589fd0a2091f30

    SHA256

    f360fb5740172b6b4dd59c1ac30b480511665ae991196f833167e275d91f943e

    SHA512

    b5547e5047a3c43397ee846ff9d5979cba45ba44671db5c5df5536d9dc26262e27a8645a08e0cf35960a3601dc0f6f5fe8d47ae232c9ca44d6899e97d36fb25a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize

    300B

    MD5

    9e1df6d58e6c905e4628df434384b3c9

    SHA1

    e67dd641da70aa9654ed24b19ed06a3eb8c0db43

    SHA256

    25bb4f644e47b4b64b0052ec7edfd4c27f370d07ef884078fea685f30b9c1bb0

    SHA512

    93c9f24dc530e08c85776955c200be468d099d8f1d2efe5e20cbb3a1d803fe23e0ba9b589df2498832082a283d79f6f1053a26d15f49e31a0da395ecc7225ad3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize

    784B

    MD5

    5a466127fedf6dbcd99adc917bd74581

    SHA1

    a2e60b101c8789b59360d95a64ec07d0723c4d38

    SHA256

    8cd3b8dd28ac014cf973d9ab4b03af1c274bbc9b5ee0ee4ab8af0bdb01573b84

    SHA512

    695cafc932bc8f0a514bc515860cb275297665de63ca3394b55f42c457761ebf654d29d504674681a77b34e3356a469e8c5b97ff7efc24de330d5375f025cba5

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize

    2KB

    MD5

    0a839c0e3eb1ed25e6211159e43f4df1

    SHA1

    a227a9322f58b8f40b2f6f326dca58145f599587

    SHA256

    717a2b81d076586548a0387c97d2dc31337a03763c6e7acb642c3e46ec94d6f0

    SHA512

    bd2b99fb43ccd1676f69752c1a295d1da0db2cb0310c8b097b4b5b91d76cff12b433f47af02b5f7d0dd5f8f16624b0c20294eebf5c6a7959b2b5d6fe2b34e508

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize

    3KB

    MD5

    d085cde42c14e8ee2a5e8870d08aee42

    SHA1

    c8e967f1d301f97dbcf252d7e1677e590126f994

    SHA256

    a15d5dfd655de1214e0aae2292ead17eef1f1b211d39fac03276bbd6325b0d9f

    SHA512

    de2cebd45d3cf053df17ae43466db6a8b2d816bf4b9a8deb5b577cfedf765b5dcdc5904145809ad3ca03ccff308f8893ec1faa309dd34afcab7cc1836d698d7b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize

    849B

    MD5

    558ce6da965ba1758d112b22e15aa5a2

    SHA1

    a365542609e4d1dc46be62928b08612fcabe2ede

    SHA256

    c11beaac10a5e00391ef4b41be8c240f59c5a2dc930aead6d7db237fcd2641fb

    SHA512

    37f7f10c3d201b11cc5224ae69c5990eb33b4430c601d3c21f6bec9323621120442e0cfa49e1f4eda459ea4ac750277e446dca78b9e44c1445bd891e4e460b5c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize

    851B

    MD5

    a13ff758fc4326eaa44582bc9700aead

    SHA1

    a4927b4a3b84526c5c42a077ade4652ab308f83f

    SHA256

    c0915178e63bf84c54e9c942b5cc80327c24d84125042767d7e1e2ef3e004588

    SHA512

    86c336086a1d0ca689e133df8e3c3ec83eeef86649dbf8b9d367c3e543358ad54f69d1a20d56c56200e294f22b2741186db0f359051159b4e670d3e9b5861842

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize

    1KB

    MD5

    989c5352030fafd44b92adf4d4164738

    SHA1

    e02985c15eb20682115e3fc343f829e28770ed6c

    SHA256

    248c7793d113ca762bbe56b974f4c5902339dacb0b47ddd7c412340a623dfe38

    SHA512

    9ebcfc38952d968d608d68b2e8fbb56f5d02ed03e0e2d02661caeb50f804404d95fc45f22a8376ca88b69548c89c22b6c6a9acbb7fdcb5f6f906bd871b3465f1

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize

    3KB

    MD5

    5e073629d751540b3512a229a7c56baf

    SHA1

    8d384f06bf3fe00d178514990ae39fc54d4e3941

    SHA256

    2039732d26af5a0d4db7bda4a781967a0e0e4543dea9838690219e3cb688449e

    SHA512

    84fc0d818ecd5706904b5918170436820ffc78c894cbe549a4f5b04b5c9832e3d709c98d56c8522b55a98cd9db8ec04aeaa020e9162e8a35503597ca580126fd

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize

    1KB

    MD5

    584f47a0068747b3295751a0d591f4ee

    SHA1

    7886a90e507c56d3a6105ecdfd9ff77939afa56f

    SHA256

    927fd19c24f20ac1dff028de9d73094b2591842248c95a20a8264abf1333aea5

    SHA512

    ca945aad3c2d9ecadff2bc30cf23902b1254cffdf572ff9d4e7c94659255fc3467899053e4a45d3b155900c7b5b91abedf03d31af7e39870015c85e424d04257

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize

    2KB

    MD5

    fa83299c5a0d8714939977af6bdafa92

    SHA1

    46a4abab9b803a7361ab89d0ca000a367550e23c

    SHA256

    f3bb35f7fc756da2c2297a100fa29506cb12371edb793061add90ee16318bf03

    SHA512

    85e46b9f1089054e60c433459eea52bec26330f8b91879df3b48db1533a307443dd82006ac3bb86245bbd207c1d8c75c29949f755cc0dc262ede888a1d531599

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize

    683B

    MD5

    6fe56f6715b4c328bc5b2b35cb51c7e1

    SHA1

    8f4c2a2e2704c52fd6f01d9c58e4c7d843d69cc3

    SHA256

    0686dfa785bc9687be1a2bb42ef6c2e805a03f62b4af6c83bac7031e515189be

    SHA512

    8a19ba3f6e5678e92a6fd92a84f077e851a53a71a02622d87d5213a79f40540c7bbda17219f9349387e94edc75eb12fd2cb93e3b0abbcf9a85fc7d5e8bf3be0d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize

    701B

    MD5

    e427a32326a6a806e7b7b4fdbbe0ed4c

    SHA1

    b10626953332aeb7c524f2a29f47ca8b0bee38b1

    SHA256

    b5cfd1100679c495202229aede417b8a385405cb9d467d2d89b936fc99245839

    SHA512

    6bd679341bec6b224962f3d0d229cff2d400e568e10b7764eb4e0903c66819a8fa99927249ab9b4c447b2d09ea0d98eb9823fb2c5f7462112036049795a5d8bd

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize

    1KB

    MD5

    3bd23392c6fcc866c4561388c1dc72ac

    SHA1

    c4b1462473f1d97fed434014532ea344b8fc05c1

    SHA256

    696a382790ee24d6256b3618b1431eaf14c510a12ff2585edfeae430024c7a43

    SHA512

    15b3a33bb5d5d6e6b149773ff47ade4f22271264f058ad8439403df71d6ecfaa2729ef48487f43d68b517b15efed587b368bc6c5df549983de410ec23b55adb1

    Download Submit

  • C:\Windows\SysWOW64\qtime32.exe
    Filesize

    72KB

    MD5

    b2095f390fb0ead7da09fb99ab445217

    SHA1

    d75f71239793ae14daa569b4513f123a72fc8abf

    SHA256

    a90ac1cae52f3777a1ef48c691298efaf7a3ab55e8e6c07817815f2cb77d7d8d

    SHA512

    7b9f729a27da7da75f9bb3d33ca1dc856fcf86199c9551fb95f1a6ad31adc2240e7f6d285ef260c8da68c4ce8966d04b8fcd59ee463507966e8fda0fd599a351

    Download Submit

  • \??\c:\a.bat
    Filesize

    5KB

    MD5

    0019a0451cc6b9659762c3e274bc04fb

    SHA1

    5259e256cc0908f2846e532161b989f1295f479b

    SHA256

    ce4674afd978d1401596d22a0961f90c8fb53c5bd55649684e1a999c8cf77876

    SHA512

    314c23ec37cb0cd4443213c019c4541df968447353b422ef6fff1e7ddf6c983c80778787408b7ca9b81e580a6a7f1589ca7f43c022e6fc16182973580ed4d904

    Download Submit

  • memory/216-800-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/724-229-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/916-914-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/1912-687-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/2008-1140-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/2568-1027-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/3548-348-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/4060-574-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/4320-461-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/4732-343-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/5080-0-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/5080-228-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

    Download