Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

3

b9feb16b17...18.exe

windows7-x64

8

b9feb16b17...18.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    23/08/2024, 02:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b9feb16b174259bbdc3be7dabf880df1_JaffaCakes118.exe

  • Size

    37KB

  • MD5

    b9feb16b174259bbdc3be7dabf880df1

  • SHA1

    c7f89c2b82eb856487c8b5e01a8a17bd86038f9f

  • SHA256

    93415a654d7490707f270c3f0ecc4574b7d29d4c54e57ae2b9046db205c6ea1e

  • SHA512

    927e4424b7a6a99756bccd5386d7f04c9ea0b12b6034a18b29653f104a20c5b535851abd02c6316bd6439139287fe904e002dc16b87d3590715d3f5da704234f

  • SSDEEP

    768:fBe63Mih/hgq+EcYmroNDFIqaQYgxqsKqWG+/VDg:xMCcUmrQnR3hYV

Score
8/10
discovery

Malware Config

Signatures

  • Drops file in Drivers directory 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b9feb16b174259bbdc3be7dabf880df1_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\b9feb16b174259bbdc3be7dabf880df1_JaffaCakes118.exe"
    1⤵
    • Drops file in Drivers directory
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2520
    • C:\Windows\SysWOW64\SiZhu.exe
      C:\Windows\system32\SiZhu.exe SiZhu
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2892
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c C:\Users\Admin\AppData\Local\Temp\~SiGou.bat
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2980

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\~SiGou.bat
    Filesize

    130B

    MD5

    05f52e759c787bfbf843ba36ccf734a2

    SHA1

    2d81a279dd24a320a62d184fec747ca5f70570ee

    SHA256

    4c9b671f2169b55c0265974d2d618e9e03060a0664da88c05ea580be9eb2a7a9

    SHA512

    efcbce3fbcb8a0e22d4b41bfcf7afe73e5dd1bf4ceded4892fdd060e993dcf7c3930c989b6eb4fe1b690ced1f70a0e9ef75dfe6b5e2a61f9be14ef9169c6d172

    Download Submit

  • \Windows\SysWOW64\SiZhu.exe
    Filesize

    37KB

    MD5

    b9feb16b174259bbdc3be7dabf880df1

    SHA1

    c7f89c2b82eb856487c8b5e01a8a17bd86038f9f

    SHA256

    93415a654d7490707f270c3f0ecc4574b7d29d4c54e57ae2b9046db205c6ea1e

    SHA512

    927e4424b7a6a99756bccd5386d7f04c9ea0b12b6034a18b29653f104a20c5b535851abd02c6316bd6439139287fe904e002dc16b87d3590715d3f5da704234f

    Download Submit

  • memory/2520-29-0x0000000000400000-0x0000000000425554-memory.dmp

    Filesize

    149KB

    Download

  • memory/2520-2-0x0000000000401000-0x000000000041C000-memory.dmp

    Filesize

    108KB

    Download

  • memory/2520-8-0x00000000004B0000-0x00000000004D6000-memory.dmp

    Filesize

    152KB

    Download

  • memory/2520-1-0x0000000000400000-0x0000000000425554-memory.dmp

    Filesize

    149KB

    Download

  • memory/2520-0-0x0000000000400000-0x0000000000425554-memory.dmp

    Filesize

    149KB

    Download

  • memory/2520-30-0x0000000000401000-0x000000000041C000-memory.dmp

    Filesize

    108KB

    Download

  • memory/2520-31-0x0000000000400000-0x0000000000425554-memory.dmp

    Filesize

    149KB

    Download

  • memory/2520-32-0x0000000000401000-0x000000000041C000-memory.dmp

    Filesize

    108KB

    Download

  • memory/2892-16-0x0000000000400000-0x0000000000425554-memory.dmp

    Filesize

    149KB

    Download

  • memory/2892-17-0x0000000000400000-0x0000000000425554-memory.dmp

    Filesize

    149KB

    Download

  • memory/2892-28-0x0000000000400000-0x0000000000425554-memory.dmp

    Filesize

    149KB

    Download