Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

bf8558123b...18.exe

windows7-x64

bf8558123b...18.exe

windows10-2004-x64

3

Analysis

  • max time kernel
    6s
  • max time network
    6s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    24/08/2024, 22:13 UTC

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    bf8558123bcfe9ff5ea425b24dedbf70_JaffaCakes118.exe

  • Size

    86KB

  • MD5

    bf8558123bcfe9ff5ea425b24dedbf70

  • SHA1

    a102bdceaa77fe06f974ce77a08641cda5311fa1

  • SHA256

    e222ab35df0216d423817ddf8c5b9f6559400d5014b20d1e9ff118695b9e1735

  • SHA512

    f205d39d1aa3f673adc8de3707f75b06abc56ca2241bd7db3dc490906a3e8545fc3b73d67037afbe03e760a8ca68bc4408954a2e3d79e67b73f907a4173b178f

  • SSDEEP

    1536:bZujnwAg92SgzXidW9SHapTwsORQs7LXAXCbGXOrAxA91VC3:bZujwAFhKW469wsO6uSCb9AxArA

Score
7/10
defense_evasiondiscoverypersistence

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bf8558123bcfe9ff5ea425b24dedbf70_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\bf8558123bcfe9ff5ea425b24dedbf70_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Enumerates system info in registry
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2652
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c REG ADD HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v 19202713 /t REG_SZ /d "%userprofile%\19202713.exe" /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2780
      • C:\Windows\SysWOW64\reg.exe
        REG ADD HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v 19202713 /t REG_SZ /d "C:\Users\Admin\19202713.exe" /f
        3⤵
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:2808
    • C:\Windows\SysWOW64\shutdown.exe
      "C:\Windows\System32\shutdown.exe" /r /f /t 3
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2700
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\BF8558~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2540
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x0
    1⤵
      PID:2552
    • C:\Windows\system32\LogonUI.exe
      "LogonUI.exe" /flags:0x1
      1⤵
        PID:320

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/2652-3-0x00000000012B0000-0x00000000012C1000-memory.dmp

        Filesize

        68KB

        Download

      • memory/2652-1-0x00000000001A0000-0x00000000001A7000-memory.dmp

        Filesize

        28KB

        Download

      • memory/2652-0-0x0000000000190000-0x000000000019E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/2652-4-0x00000000012B0000-0x00000000012CD000-memory.dmp

        Filesize

        116KB

        Download

      We care about your privacy.

      This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.