Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

b45df5fcad...18.exe

windows7-x64

7

b45df5fcad...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21/08/2024, 17:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b45df5fcad70271accea4765fae44023_JaffaCakes118.exe

  • Size

    459KB

  • MD5

    b45df5fcad70271accea4765fae44023

  • SHA1

    c27459c9f8f0c93c07c372f3a27462265c15ed51

  • SHA256

    ee2886a41b40ff49ff95da87b336a2b4141ef52ca94c202b77ae00a806da041c

  • SHA512

    869a3073c013b751a0037c454d8078a8f5c3238d2a0df0175ae9308d745a07e3b59783504c1c7c784f2bf53812e88a24a527e575106f1fa57fa823128bce3e0e

  • SSDEEP

    12288:5ZGaHrMFg9mZ9Tyv9RhkboZD+bs1ZzqxxxFcN8zgHa8Mexup6O:LGaLMFg0Z9TDSMxrhzAZJ

Score
7/10
discoverypersistenceupx

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b45df5fcad70271accea4765fae44023_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\b45df5fcad70271accea4765fae44023_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3536
    • C:\ProgramData\eH28218DmKhC28218\eH28218DmKhC28218.exe
      "C:\ProgramData\eH28218DmKhC28218\eH28218DmKhC28218.exe" "C:\Users\Admin\AppData\Local\Temp\b45df5fcad70271accea4765fae44023_JaffaCakes118.exe"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:4592

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\eH28218DmKhC28218\eH28218DmKhC28218
    Filesize

    192B

    MD5

    baa781f0d43ca298a260a7907fca2496

    SHA1

    997df68d5ed43c4959fb86f4adab32bcf8d2e675

    SHA256

    6f52981887cf95f936de2d006c6a701ff80eb11fc7bf83d1facbf11f610ecb8e

    SHA512

    8964272324b09de9bea913edd9cf31653af4c587539561024127e1f8c6504b2d8f315d64c8378f53307d3e80aa8b981205c14d22292d5f28c6bbcc65c140ed9d

    Download Submit

  • C:\ProgramData\eH28218DmKhC28218\eH28218DmKhC28218.exe
    Filesize

    459KB

    MD5

    0ba7dd54928d23c82f717899b0ecd96d

    SHA1

    a7a66e2125022622baf7b30991885db27fdcfcde

    SHA256

    26c524de2a406377d00365e5db5c921d12a15afd8033ac0bf77deecf5c04d76d

    SHA512

    2979ff535384096c1ca58254497e577a8363d58120a89c2dd16cd4cd14bceaa6a31a1da8031ada2ee8db757ceac489c7c994bdda07c81663606133c04daba982

    Download Submit

  • memory/3536-2-0x0000000000400000-0x00000000004C1000-memory.dmp

    Filesize

    772KB

    Download

  • memory/3536-1-0x0000000000400000-0x00000000004BF000-memory.dmp

    Filesize

    764KB

    Download

  • memory/3536-14-0x0000000000400000-0x00000000004C1000-memory.dmp

    Filesize

    772KB

    Download

  • memory/3536-15-0x0000000000400000-0x00000000004BF000-memory.dmp

    Filesize

    764KB

    Download

  • memory/4592-18-0x0000000000400000-0x00000000004C1000-memory.dmp

    Filesize

    772KB

    Download

  • memory/4592-17-0x0000000000400000-0x00000000004C1000-memory.dmp

    Filesize

    772KB

    Download

  • memory/4592-26-0x0000000000400000-0x00000000004C1000-memory.dmp

    Filesize

    772KB

    Download

  • memory/4592-34-0x0000000000400000-0x00000000004C1000-memory.dmp

    Filesize

    772KB

    Download