Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

3

bc0ee3e54b...18.exe

windows7-x64

8

bc0ee3e54b...18.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    149s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23/08/2024, 14:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bc0ee3e54b30159aba15019a51197300_JaffaCakes118.exe

  • Size

    76KB

  • MD5

    bc0ee3e54b30159aba15019a51197300

  • SHA1

    b02627317e03b6c669922fccc42ff4eb9da95d1a

  • SHA256

    02358ba4720c5de7691c9fb71e0cfa437f1c1bc0e856d9a207de563bb6b62b8a

  • SHA512

    20b4d6ca2284a52b6198a4ae0699756599503aa41a079de4df4838882dd148b106a78de660e120abf0e586f18be437d32e0084be89dc4c6033450ad75d5bb798

  • SSDEEP

    1536:yy6h6NL247EJlU5IB99muEO40sW9qazlShlq4Se:2hU24uWCB99muEh0sW9nYjq4D

Score
8/10
discoverypersistence

Malware Config

Signatures

  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 4 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 51 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 45 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Runs ping.exe 1 TTPs 45 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bc0ee3e54b30159aba15019a51197300_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\bc0ee3e54b30159aba15019a51197300_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:212
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Windows\system32\mywcc080721.dll bgdll
      2⤵
      • Checks computer location settings
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3332
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\downf.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3628
        • C:\Windows\SysWOW64\myccdd080721a.exe
          "C:\Windows\system32\myccdd080721a.exe" i
          4⤵
          • Adds policy Run key to start application
          • Checks computer location settings
          • Executes dropped EXE
          • Drops file in System32 directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4640
          • C:\program files\internet explorer\iexplore.exe
            "C:\program files\internet explorer\iexplore.exe"
            5⤵
              PID:1048
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /c "c:\nmDelm.bat"
              5⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:2436
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:4696
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:1936
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:3316
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:4316
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:1556
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:3540
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:3772
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:1776
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:4820
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:2880
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:4036
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:3096
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:4652
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:3808
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:224
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:4948
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:3020
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:1436
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:916
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:2456
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:4152
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:1568
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:3108
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:796
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:3296
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:4536
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:1388
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:2852
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:3228
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:4220
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:3604
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:4172
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:1528
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:1680
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:5072
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:3792
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:3876
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:2364
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:4956
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:864
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:3344
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:4492
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:4144
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:408
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c "c:\nmDelm.bat"
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:5072
        • C:\Windows\SysWOW64\PING.EXE
          ping 127.0.0.1
          3⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:1372

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\SysWOW64\myccdd080721a.exe
      Filesize

      76KB

      MD5

      bc0ee3e54b30159aba15019a51197300

      SHA1

      b02627317e03b6c669922fccc42ff4eb9da95d1a

      SHA256

      02358ba4720c5de7691c9fb71e0cfa437f1c1bc0e856d9a207de563bb6b62b8a

      SHA512

      20b4d6ca2284a52b6198a4ae0699756599503aa41a079de4df4838882dd148b106a78de660e120abf0e586f18be437d32e0084be89dc4c6033450ad75d5bb798

      Download Submit

    • C:\Windows\SysWOW64\mywcc080721.dll
      Filesize

      28KB

      MD5

      868feda0c9c6b32ac94b70fb19493b2b

      SHA1

      e59b08baa120a6f9b834844c9c2903662676e37c

      SHA256

      ae44365f29c76a748653f6f698624f7e1d7f6357a0b497833ca70264b1f34fb6

      SHA512

      7b4ad26f8dcc712cf7876969d489667e2598b92e4ea347f774b9234d5dda4984ad1d5f35572e3d0db4a06d656a16bcbcc18593b82537df04694b844ceedde048

      Download Submit

    • C:\Windows\cc16.ini
      Filesize

      464B

      MD5

      0524cd5586c04330ebd739a802c47676

      SHA1

      b3c7d83a2fb5a601c7679f51b2b1b8f10c9e9bf0

      SHA256

      df5f36832dd0c8f857178d7310cb54d902c9f1889a33d50a9aafa5ba375fe0df

      SHA512

      2c9cd9ac2b88760d0bdace15fc8ed7b54a91c373b9b76f59a79a868a0aebc0b74e0c3c0746e110cfabf48804a00507862994406cdea512771d8b2a0a780850b4

      Download Submit

    • C:\Windows\cc16.ini
      Filesize

      150B

      MD5

      dbda144b8729a84cca62b0f9d57610a7

      SHA1

      e749ebeedd1b953cf2da7cb6d53ff0b6fafe664b

      SHA256

      9c976bcf1b873d147c57fe3cfcb53251d2e33d37462124397013bf5204235a7f

      SHA512

      0c7ae7c802a78f67e12a5d8f1c97370be55f763bfdd1a38b5496f2165e842199031cee6129812f2ebc413a773820c9dc73db18e1d07f88bece36c84b4f3d9d9b

      Download Submit

    • C:\downf.bat
      Filesize

      51B

      MD5

      2b724c6a8fcd230311547ed4e1b9d68e

      SHA1

      10355c1441991688bde91b7c02688f308bf00915

      SHA256

      3f77676fa2c0553c11b7277adcd2666bba06e22d4ce39f0ff3c3245eff645a0e

      SHA512

      48215bac2db84c0445d5c4bd80abe13fbdf0f6750c4bad1306a01283362e2e97ab8992be597634b803bd12892c682615c637dcbae36c5441e50fea5346bb374d

      Download Submit

    • \??\c:\nmDelm.bat
      Filesize

      233B

      MD5

      84852456cb8bed92b1a703b43ca80e93

      SHA1

      3f72ba453f0abc410917d57c12c5951c1d020e61

      SHA256

      9398bc91ea704d880e143ed09303baa8a67ad33a0c8d1de30842c2a1948b2948

      SHA512

      8dff637d817c27887c562047c66813f6bee93e70ed3d3f3c10a8103d3e0c25b7c04a0d92bcfd5140eed721e1b812f3957228b0144fae9547df6505f0bf15f7e6

      Download Submit

    • \??\c:\nmDelm.bat
      Filesize

      139B

      MD5

      3a1bd2916250a4d03a63c8877a0098be

      SHA1

      fe761cbb2533906e4a6c5604a79d0c0bf94fd87f

      SHA256

      8183f9a2b8b37f4a70e5296c85d9fff3cba80a6950314d9900026dfc84a00a9d

      SHA512

      d1d03acc696e6b660ddb61c217665f5d202907e4548df4e17c92183490a2bc98c3cb9492a1e3aa678a17c5e8096ba05190c02e918aa4ca0123ca6e50e485e849

      Download Submit

    • memory/3332-30-0x0000000000400000-0x000000000040D000-memory.dmp

      Filesize

      52KB

      Download

    • memory/3332-38-0x0000000000400000-0x000000000040D000-memory.dmp

      Filesize

      52KB

      Download