Analysis

  • max time kernel
    122s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240704-en locale:en-us os:windows7-x64 system
  • submitted
    21/08/2024, 14:33

General

  • Target

    b3d90803a6fd19e269464a8cd4c20a45_JaffaCakes118.exe

  • Size

    64KB

  • MD5

    b3d90803a6fd19e269464a8cd4c20a45

  • SHA1

    4d3cb719a60e6a04ed41df5763b13892f8e52411

  • SHA256

    3556edcc85a505d1418e3bfaa462ca1e15a60a090b8378fd682f02795ebf6c4b

  • SHA512

    c5dcfd3fad1ca55f469ac6984256b8ed2c258453b44d670448fc3535d61d89725de04a5eaa4c65a467f0792b87fcf419591379ca35112cb882609d73a8489511

  • SSDEEP

    1536:CjeITyz4z8SA/vn8bTSG01HDriL78TJ/HkAgLG3yc9/Kwgi5qWCv:WTB8SAHMT5Q6YTtH4LqhyXig9

Score
10/10

Malware Config

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 1 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 5 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Modifies registry class 6 IoCs
  • Runs regedit.exe 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b3d90803a6fd19e269464a8cd4c20a45_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\b3d90803a6fd19e269464a8cd4c20a45_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2732
    • C:\Windows\SysWOW64\regedit.exe
      "C:\Windows\regedit.exe"
      2⤵
      • Adds autorun key to be loaded by Explorer.exe on startup
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Runs regedit.exe
      PID:2824
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe "C:\Program Files (x86)\TTPlayer\TTPAdvCtrl.dll",DllPreTranslateMessage
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:2688
    • C:\Windows\SysWOW64\calc.exe
      "C:\Windows\system32\calc.exe"
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2708

Network

MITRE ATT&CK Enterprise v15

Downloads

  • \Program Files (x86)\TTPlayer\TTPAdvCtrl.dll

    Filesize

    56KB

    MD5

    8b9bb2f1d608260192921f35201880d1

    SHA1

    1c3d26f4458f4edda01c9bd6a8cac195d73a74e1

    SHA256

    db8d4005083934173820c1389a9d9530d198a64af1d432fba0719a5b2684decc

    SHA512

    092ed54fc2cb341ba8740df77d9bf5fe3639f1bf26a1513093647e1783c707a9531f261779ef921cb2dc29f20d625904051861cdf97bf05da21dd59c3184c5cf

  • memory/2708-7-0x0000000000080000-0x0000000000081000-memory.dmp

    Filesize

    4KB

  • memory/2732-1-0x0000000000020000-0x0000000000027000-memory.dmp

    Filesize

    28KB

  • memory/2824-3-0x0000000000080000-0x0000000000081000-memory.dmp

    Filesize

    4KB

  • memory/2824-2-0x0000000000080000-0x0000000000081000-memory.dmp

    Filesize

    4KB