Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

b82d1cff5a...18.exe

windows7-x64

7

b82d1cff5a...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    22/08/2024, 15:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b82d1cff5aa85ebd804d927d80497198_JaffaCakes118.exe

  • Size

    383KB

  • MD5

    b82d1cff5aa85ebd804d927d80497198

  • SHA1

    fbedddc09a4289f7e71234a34994523d19dee6c5

  • SHA256

    bf6701b1b532beb1c319bad6e58060546a0d3a5ec3e37e614d1044783337199c

  • SHA512

    44f757b8b352f39bcc1b72f324a15a0e823f1f6d77554a9060a05e3bdc8824452a1cc38e099fd2b73132bcd4264c04117be5f27ec85e271ad6ed69e1d788864a

  • SSDEEP

    6144:oo/MZP+H/3L56PEUzduvxw3gy8nQ7I2ToIk4ou1zCIufyRd1mJJ4HdRpyjsZ8Bz7:pE2HDGUvnu4You1nLRrY27pp

Score
7/10
discovery

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops file in Windows directory 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b82d1cff5aa85ebd804d927d80497198_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\b82d1cff5aa85ebd804d927d80497198_JaffaCakes118.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3032
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Windows\wninstal.bat
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2980
  • C:\Windows\ddgop.exe
    C:\Windows\ddgop.exe
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3040
    • C:\Program Files\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
      2⤵
        PID:2056

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\ddgop.exe
      Filesize

      383KB

      MD5

      b82d1cff5aa85ebd804d927d80497198

      SHA1

      fbedddc09a4289f7e71234a34994523d19dee6c5

      SHA256

      bf6701b1b532beb1c319bad6e58060546a0d3a5ec3e37e614d1044783337199c

      SHA512

      44f757b8b352f39bcc1b72f324a15a0e823f1f6d77554a9060a05e3bdc8824452a1cc38e099fd2b73132bcd4264c04117be5f27ec85e271ad6ed69e1d788864a

      Download Submit

    • C:\Windows\wninstal.bat
      Filesize

      218B

      MD5

      343b12223d2e03162a5334cce0a79d43

      SHA1

      f6c83adf3109dad858627b885b10bdea3822cdd1

      SHA256

      02af40c65ae92b280154b63e719af157aa27e475ddac5d9c66e912c49d6ce39c

      SHA512

      ac47008f9caa4f1d0cda934c6a6014e5a0054d215d32107980e6b1d2d583d26ce6031a051b61e31959d90af0533036a98724016ed6b10a2e66bd921c39ce7be5

      Download Submit

    • memory/3032-0-0x0000000000290000-0x0000000000291000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3032-13-0x0000000000400000-0x00000000004CA200-memory.dmp

      Filesize

      808KB

      Download

    • memory/3040-4-0x00000000004D0000-0x00000000004D1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3040-15-0x0000000000400000-0x00000000004CA200-memory.dmp

      Filesize

      808KB

      Download