Analysis

  • max time kernel
    150s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21/08/2024, 12:08

General

  • Target

    b366059a33151ceeaa20981f73a60b99_JaffaCakes118.exe

  • Size

    122KB

  • MD5

    b366059a33151ceeaa20981f73a60b99

  • SHA1

    94c847040c554b0e1a1c941c39a6f68b03398be6

  • SHA256

    77ae9a306194983c12c7870e6e6e9853f5ee20f4a496d7dd83404d461441593f

  • SHA512

    8f3d79eccff8bcb08f8b72fb2ca76caaa80ea3e68008f3d1b02a14b634ef36828d74ae60436767c291b29a2ba646622c9f725b95dd41fc743ad5312277f6bf65

  • SSDEEP

    3072:iNVhsaFx+PuoStCyf9pzESyjX3NiNgSrgL4:iFFFx+uBbEfNC

Malware Config

Signatures

  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Drops file in System32 directory 4 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b366059a33151ceeaa20981f73a60b99_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\b366059a33151ceeaa20981f73a60b99_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1936
    • C:\Windows\SysWOW64\inf\svchoct.exe
      "C:\Windows\system32\inf\svchoct.exe" C:\Windows\wftadfi16_081216a.dll d16tan
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4564
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c "c:\mylbs3tecj.bat"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:264
        • C:\Windows\system\sgcxcxxaspf081216.exe
          "C:\Windows\system\sgcxcxxaspf081216.exe" i
          4⤵
          • Adds policy Run key to start application
          • Checks computer location settings
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1016
          • C:\Program Files\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:4344
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4344 CREDAT:17410 /prefetch:2
              6⤵
              • System Location Discovery: System Language Discovery
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:4576
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c del "C:\Users\Admin\AppData\Local\Temp\b366059a33151ceeaa20981f73a60b99_JaffaCakes118.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3492

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\WLXU5DI6\suggestions[1].en-US

    Filesize

    17KB

    MD5

    5a34cb996293fde2cb7a4ac89587393a

    SHA1

    3c96c993500690d1a77873cd62bc639b3a10653f

    SHA256

    c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

    SHA512

    e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

  • C:\Windows\SysWOW64\inf\svchoct.exe

    Filesize

    60KB

    MD5

    889b99c52a60dd49227c5e485a016679

    SHA1

    8fa889e456aa646a4d0a4349977430ce5fa5e2d7

    SHA256

    6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910

    SHA512

    08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

  • C:\Windows\System\sgcxcxxaspf081216.exe

    Filesize

    122KB

    MD5

    b366059a33151ceeaa20981f73a60b99

    SHA1

    94c847040c554b0e1a1c941c39a6f68b03398be6

    SHA256

    77ae9a306194983c12c7870e6e6e9853f5ee20f4a496d7dd83404d461441593f

    SHA512

    8f3d79eccff8bcb08f8b72fb2ca76caaa80ea3e68008f3d1b02a14b634ef36828d74ae60436767c291b29a2ba646622c9f725b95dd41fc743ad5312277f6bf65

  • C:\Windows\dcbdcatys32_081216a.dll

    Filesize

    235KB

    MD5

    e70d485334595eed1dbbff5e23904392

    SHA1

    bd248aaa7a601f59e1aa88fad28bfc9581eeea60

    SHA256

    ec0a821c29cf750e8c575e0663f12844fd975ba03e6206f36005d06feb370e37

    SHA512

    368c20df757da2c3d5e86764b23b3f5247edff5ba41cb6d0fa074cb7e9f75c3f663513341bee5ae1210f2e00a53774515abb17f35f8ad9dc5e2adb29e3ff3427

  • C:\Windows\tawisys.ini

    Filesize

    495B

    MD5

    a469dfa8aad24ec465d45549f66cb517

    SHA1

    7a84da7e70cf071fee1965f8ff4517f9c2d00811

    SHA256

    df3e83b2aa7509ce688ad291e54d56bc5c94581f37bab4fa47ed5b5b79d9e371

    SHA512

    46c292b423c3c18dda5c944eb10b80e1d84a656e49bcf1b65397109902dbdc43c2622bd537c3179ffe8c68038140b79757b824b6575b2f60a7786c64b9baed1b

  • C:\Windows\tawisys.ini

    Filesize

    384B

    MD5

    60144f9957c744a3091dfe5711356c41

    SHA1

    4ff6aa54262181943f058994d7ecdd877d5dd6f0

    SHA256

    1f3ac3e66f553ef63f0e3b435ff2fd25eedd1c4ca1f1fdbae3afa3ee4df4d32a

    SHA512

    f33b3d8c98d09e21c0dbb2f19f46bac22ed702b95724b504438e1dc53d2a6daeeddb5f44f244e32416c6879917306c84d8de93b15de66a393c0f1cacb27fb7ed

  • C:\Windows\tawisys.ini

    Filesize

    435B

    MD5

    ed48f4e31d5915418848a244c17df51f

    SHA1

    7cc14cedd512678f7ea0bda2011182cf6e192117

    SHA256

    434731b19866109f35df23b3fd911044b3d619ae9bd708487fbde4da14d6fa77

    SHA512

    ef8eeea1efe391fd40886362a4afc282569ffdfa59f2206902619d403c6a324110fcfa6e20a0e8fdd7180e312d267f26fe40ad6b1dade5d77f887c6ea71064e1

  • C:\Windows\tawisys.ini

    Filesize

    133B

    MD5

    3615566320d0a5a4aaebccce5941bb90

    SHA1

    edd663085843b061ddf776c52c4574ce7926c38e

    SHA256

    9187ffc535f88e3603f7df2f244db8b517ef1c59a1989c530c0ef3a669d94400

    SHA512

    75b550d6246bb9fc34fe61881cfb125eb1718463a47404063099da3399117b4cca2259d701a1577a1899bef70884388f163cae33d6c250cd29d1e96347ea81f4

  • C:\Windows\wftadfi16_081216a.dll

    Filesize

    36KB

    MD5

    f6d0683ce359019f62c4f86d3e809f95

    SHA1

    0a23390baf8e9c0337417f850ef1c50c94710dfe

    SHA256

    13e26e0799cd41c73f2b310b719a9ae31249bb9f4c81d168e6805c5474accb75

    SHA512

    275e17f1799046c40d3418a70bba2cf1cc8fde1a76877a841774d54c13f08a0205b9da1fb42ac1483ed7fa155fdb7dcc4f5fd12cdcff63e1dff3418882e48605

  • \??\c:\mylbs3tecj.bat

    Filesize

    53B

    MD5

    59175b518c85db49beb6d374527aed45

    SHA1

    9a5a37af64efa8f8ee82005f7821df881e69fe9d

    SHA256

    8dc2e4114cc3e5be496a94cdeb5b12d0ea422fe3ae45e938337c3434adf85c32

    SHA512

    e8f9cc7a13bd9ca8ae6c3fc7858c837dc64f52566aa38839593586b5cd7b810a5f52ff248d0baa83671cdb8dfd40344d41d5061de6ae40ce8b76d0dc65d43ee4

  • memory/1016-90-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

  • memory/1016-74-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

  • memory/1936-57-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

  • memory/1936-0-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

  • memory/4564-67-0x0000000000400000-0x000000000040F000-memory.dmp

    Filesize

    60KB

  • memory/4564-115-0x0000000000400000-0x000000000040F000-memory.dmp

    Filesize

    60KB