Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    23/08/2024, 09:40

General

  • Target
    bb370ea3fd978255c46f678901f07933_JaffaCakes118.exe
  • Size
    175KB
  • MD5
    bb370ea3fd978255c46f678901f07933
  • SHA1
    a2860e35b6d2aa5a38b9669b69cb66adffcd6330
  • SHA256
    9e2a733100cf0950a930b85c3846a67f18b0a51e76a61abc13c5b7597a7053a1
  • SHA512
    9cf74449d94864c17d2fe1555154f38c9607deaba74eac3f1e8cadc94d38e9a71afa576968173443a16f3309b732639e27427c6825cf7a65df2a2324e940e711
  • SSDEEP
    3072:29r7km1Sihv1hfhxefD4ODtcvGia4WExhqCeiRJhPh1egYXea:bmLhvDhgbJ4GPCV3h1

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bb370ea3fd978255c46f678901f07933_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\bb370ea3fd978255c46f678901f07933_JaffaCakes118.exe"
    • Drops file in Drivers directory
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:2320
    • C:\Users\Admin\AppData\Local\dplaysvr.exe
      "C:\Users\Admin\AppData\Local\dplaysvr.exe" C:\Users\Admin\AppData\Local\Temp\bb370ea3fd978255c46f678901f07933_JaffaCakes118.exe
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of UnmapMainImage
      PID:2160
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}
    • System Location Discovery: System Language Discovery
    PID:1912

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\A8AE.tmp
    Filesize
    75KB
    MD5
    03a57fb675ac8eac500e588c83a6186e
    SHA1
    209d8719f03ccbce0daf172835b9b85b03979f81
    SHA256
    173bb029fc97187ea38e58d4037dfb9b7804ad5de4d62b9e3c10321c4ac4aedc
    SHA512
    4b03b5ef0d5c4f7933155731f791ab6c00920883a94bb69efed498aa581fe91d8f0af64a9d2fb17db7b466818b98eaacd744eb4f941b624113c38a36592e7c22
  • C:\Users\Admin\AppData\Local\Temp\A8AF.tmp
    Filesize
    53KB
    MD5
    970e3284abe9de5b5a7a03062d9c63c9
    SHA1
    563cbf9569dfc6a8d33eeb5aec257ea1ce25abbd
    SHA256
    a66596e160349d90817edd42a74fa0dd3660e38a46520d4a54e7aa225cf355f2
    SHA512
    1716597fed66b66db185494d199739e6255d24c4e0ec652256f0bd49730a2a1e77081f3dd788f64dd46a559acc6dd74630a2fa58dfaa55573bbb836999318053
  • C:\Windows\System32\drivers\etc\hosts
    Filesize
    884B
    MD5
    04bcae8a7bc7c9a45bba0c385e77120a
    SHA1
    342019562da65dd0290466c6a1d00392d51b6b54
    SHA256
    954eebeea30d81be278baeb2c8bda672ced4714b5d5906e270317ce44f512c88
    SHA512
    c42f845a33a70b88f6e9b4b2e4b77f1d952108579d4db804c403394873e4967f57815021e89412030bc14c10b4b6e67a3ae46c0ea18ef6c8949a6a79c554e5c3
  • memory/2160-23-0x0000000000400000-0x0000000000415000-memory.dmp
    Filesize
    84KB
  • memory/2320-4-0x0000000000400000-0x000000000042E000-memory.dmp
    Filesize
    184KB
  • memory/2320-3-0x00000000002D0000-0x00000000002FE000-memory.dmp
    Filesize
    184KB
  • memory/2320-21-0x0000000000400000-0x000000000042E000-memory.dmp
    Filesize
    184KB
  • memory/2320-24-0x0000000000400000-0x000000000042E000-memory.dmp
    Filesize
    184KB