Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

bcc85c5e7c...18.exe

windows7-x64

10

bcc85c5e7c...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    134s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23/08/2024, 18:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bcc85c5e7c78cefeedc726c0fc03eafc_JaffaCakes118.exe

  • Size

    120KB

  • MD5

    bcc85c5e7c78cefeedc726c0fc03eafc

  • SHA1

    08efda002c4ee23ed90404a58e458ab989187f48

  • SHA256

    f6b93bbb9d542fe1a02192a90f0acae4533dfeaf7ce24370ff64567218ab206a

  • SHA512

    651838222a3c065a036ae1d0e47f66f3659064d0f49ce8ae8eeabc52ac872089da8b155513efedd4c113631ce999d78fe218a239f2a1cc591df3a2ff3af550a8

  • SSDEEP

    3072:GLUIbPHdRg/jsBPn+xMFrczeCqeMFFh2miJ791:GLUIbvdGbsVnjCDM+F/

Score
10/10
metasploitbackdoordiscoveryevasiontrojanupx

Malware Config

Extracted

Family

metasploit

Version

encoder/fnstenv_mov

Signatures

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    trojanbackdoormetasploit
  • Modifies security service 2 TTPs 2 IoCs
    evasion
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in System32 directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Runs .reg file with regedit 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bcc85c5e7c78cefeedc726c0fc03eafc_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\bcc85c5e7c78cefeedc726c0fc03eafc_JaffaCakes118.exe"
    1⤵
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1504
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c c:\a.bat
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1240
      • C:\Windows\SysWOW64\regedit.exe
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        3⤵
        • Modifies security service
        • System Location Discovery: System Language Discovery
        • Runs .reg file with regedit
        PID:4856

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize

    815B

    MD5

    fadf3805f68986d2ee9c82f560a564e4

    SHA1

    87bcab6ab1fb66ace98eb1d36e54eb9c11628aa6

    SHA256

    d6e4760c4554b061363e89648dc4144f8a9ba8a300dde1a1621f22ecc62ab759

    SHA512

    e3e495385da6d181a2411554a61b27c480ff31fa49225e8b2dc46b9ec4f618343475a8d189786b956c91efc65bfb05be19065bfdf3288eb011c5ec427e764cb9

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize

    1KB

    MD5

    908860a865f8ed2e14085e35256578dd

    SHA1

    7ff5ee35cc7e96a661848eb95a70d0b8d2d78603

    SHA256

    d2b73d92cf00a9dc61f2777a7f298e8c4bb72697236965f8931bdfc9d0924c5f

    SHA512

    a93bb8cb180d957ef2b2c511d5ff66a25d2bcfb071af9884c146b8c422d1fadc9a4d390712bc2cb27640634854b3e59d5209803373cf1f42381d513747a65fd9

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize

    3KB

    MD5

    9e5db93bd3302c217b15561d8f1e299d

    SHA1

    95a5579b336d16213909beda75589fd0a2091f30

    SHA256

    f360fb5740172b6b4dd59c1ac30b480511665ae991196f833167e275d91f943e

    SHA512

    b5547e5047a3c43397ee846ff9d5979cba45ba44671db5c5df5536d9dc26262e27a8645a08e0cf35960a3601dc0f6f5fe8d47ae232c9ca44d6899e97d36fb25a

    Download Submit

  • \??\c:\a.bat
    Filesize

    5KB

    MD5

    0019a0451cc6b9659762c3e274bc04fb

    SHA1

    5259e256cc0908f2846e532161b989f1295f479b

    SHA256

    ce4674afd978d1401596d22a0961f90c8fb53c5bd55649684e1a999c8cf77876

    SHA512

    314c23ec37cb0cd4443213c019c4541df968447353b422ef6fff1e7ddf6c983c80778787408b7ca9b81e580a6a7f1589ca7f43c022e6fc16182973580ed4d904

    Download Submit

  • memory/1504-0-0x0000000000400000-0x000000000052D000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/1504-111-0x0000000000400000-0x000000000052D000-memory.dmp

    Filesize

    1.2MB

    Download