Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

bdd4cc3db4...18.exe

windows7-x64

7

bdd4cc3db4...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    142s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24/08/2024, 03:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bdd4cc3db4f1cd008d92fecc1323fb18_JaffaCakes118.exe

  • Size

    792KB

  • MD5

    bdd4cc3db4f1cd008d92fecc1323fb18

  • SHA1

    0f5054ead0721a9197daef82a52120d8e58f5211

  • SHA256

    771b17b8bd7f1a10429d713e30526135a814ee181b38210bcf72439fba3d2993

  • SHA512

    2072e89de85b606c1a4e88b7e5177d907165d05b393be72721c3ff7eb8a228e3de773e867e3db06164118696f338c2395cc40ed87543345a9c6bffeb509fe2b4

  • SSDEEP

    24576:C6rTTrLZt640HYTIegYgAAldoCXJK/KbhKMB:CCTPRmqAXoC80YM

Score
7/10
discoverypersistence

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Windows directory 43 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 40 IoCs
  • Runs .reg file with regedit 1 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\bdd4cc3db4f1cd008d92fecc1323fb18_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\bdd4cc3db4f1cd008d92fecc1323fb18_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4608
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\windows\spoolv\run.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2000
      • C:\Windows\SysWOW64\regedit.exe
        regedit /s C:\Windows\spoolv\reg.reg
        3⤵
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Runs .reg file with regedit
        PID:2528
      • C:\Windows\spoolv\spoolv.exe
        C:\Windows\spoolv\spoolv.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        PID:2864
      • C:\Windows\SysWOW64\attrib.exe
        attrib +H +S C:\Windows\spoolv
        3⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:5032

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\spoolv\aliases.ini
    Filesize

    71B

    MD5

    9e148b91fad20422c534814cfd1f783d

    SHA1

    a10cdcef1e5cd0c0248dc090600ed2ae03b9279a

    SHA256

    c313dde0fe9c8dea102c1db4b7944c89f9e4aec672bc66a0d3d12360ed8cfdc1

    SHA512

    4e09ec3044d3711679b14c4876523983ae90177c6f15f0634e317a44d46ddb1adae7625c3cbe8d11650ef7b72cf8c976eb358e71f76c483196b65f314c426975

    Download Submit

  • C:\Windows\spoolv\ccc.mrc
    Filesize

    9KB

    MD5

    4a10e3e0e7816bcabdd36f600558226e

    SHA1

    c0bd4c2bc0b08c4e547242cff2e943433986fba8

    SHA256

    40d1e0adbb667d9445c3f40e1d96e7aa41471f161ba1a685e167a83b9805c981

    SHA512

    7c8600077e4b0a16ebb512f94b14ddf956b449b3d339335ae30bbd5c73354de87fa5cad7f98efe41c02f62eb133f1eebdff44bd8bed24735e69a3dce55922ea2

    Download Submit

  • C:\Windows\spoolv\control.ini
    Filesize

    42B

    MD5

    405d882eed0cab5b915aa470a265dcc5

    SHA1

    7adfa3476bfc1c248619f0f78da6791faa7aa360

    SHA256

    32680a610219e4de3cdfb104e71a9b3b1c86d3fb6c3f18328e6e161d2e3dff8b

    SHA512

    03a5ce9a968196c605330e8e41a8df57ff86b1b60b60b38a453c13f469bd372679ff55f325cb336cb9c43db6d15b7554c7474fcc1f7515d8e4ef748d278ee723

    Download Submit

  • C:\Windows\spoolv\fullnames.txt
    Filesize

    76KB

    MD5

    604510c63582646e03f1d2e648f8b866

    SHA1

    7ba3a5d68d58c003d2383b8ed02bb88a61882ff9

    SHA256

    99a8c4d6918c89193ac2b6e11d6dfc49dd197b6b69d020dbb7a04b36e33c9bf3

    SHA512

    d27b2576361eee442ec0997adf0e1a7ee1b17dbfd1ad6bc29456eb60a2a84e4fd30e81c5ad095a745a71634eff883cba8d68666a21ba49c004544ae02d6197f1

    Download Submit

  • C:\Windows\spoolv\idents.txt
    Filesize

    132KB

    MD5

    49bf0b00c3af898ba53352670a99d9d5

    SHA1

    05ff339132f58fd5ded52d6caf686fb6afd34f48

    SHA256

    bcdac3b11b8f8238135b16e1e304ecfc75249cff67c148f800ba8c60c2c70800

    SHA512

    6b729a533a6b344ae6954ef57d735d802389fa6da2bc1acf972b2762078121299f85bca50c6c154db1e1afe189c5eca8d9466f8f41231f196a14370e4c416ee1

    Download Submit

  • C:\Windows\spoolv\mirc.ico
    Filesize

    5KB

    MD5

    e09aa9787af5cc53fd7525dd6693cf10

    SHA1

    57445d0779a66c61741822c0a7988573efee13d7

    SHA256

    c7f023fc4c85680f5c334fef09155e81861634108140a5716a1395dd7cd62266

    SHA512

    b71a8c0939d545afa173f107f99314848c6104928b77d6f39d6e4486ca2b65797cecff0f877160edf6ca1d21dca95b7f1be53221811c945f7c4be6e77a4d1f8c

    Download Submit

  • C:\Windows\spoolv\mirc.ini
    Filesize

    3KB

    MD5

    bc99034df722b7f971e040408a4d0389

    SHA1

    2244eb8681bef577958d948a1695da806e543174

    SHA256

    19501994e6de14f6164819ac0ee17343d17eedc0f13142dd280338546e92f213

    SHA512

    1c8ba40c8b0ff063ee2ddd586e3efa0ed8ba48df8c274490c3910cb9917ee276a866bb9b6805477843ab0363488acf066795724871577864b757afb02d9e4d8a

    Download Submit

  • C:\Windows\spoolv\mirc.ini
    Filesize

    3KB

    MD5

    3d43c6451e61e72f18f45189798e0e4c

    SHA1

    9c899ffdf249e1d46ee1fea5a2e293cff9b8f17e

    SHA256

    6638366c0a27072ba362e078e7c0891f3df30ba420754536c9f1249f4ffa177a

    SHA512

    fc415fec817bc07bd2f0b1e6f6b38076d99ce71235af70392dacbc37160a6846bd02886644e05720545d8ad54de9a69adcd54c6664f6ecd37bfad5ac2463ef32

    Download Submit

  • C:\Windows\spoolv\mirc.ini
    Filesize

    3KB

    MD5

    060aa57a583a9f085a64e32ac832ddb4

    SHA1

    08c0d1ac014854055324932524828fa864976ed6

    SHA256

    9094a23863e531e7bf130812b3b3c793b9eda853ff193cae7f97978349a17f71

    SHA512

    6459ab330aabf94956fa394f5347b7e62d7b87fe3280f0c59cce96d37d02d1339cbc51bf75f0efde0cdacc98015dafdfcea46003b361b1b822350ed2e3fc9adf

    Download Submit

  • C:\Windows\spoolv\mirc.ini
    Filesize

    3KB

    MD5

    c0191031d352e047decf459502252e04

    SHA1

    a2da243fce11241075d45a33336f0e7b467880d2

    SHA256

    66f0d8323046c53c9d865a682d460d2ee6a3fe532b1ebeb224a4ec6e193affa0

    SHA512

    e05a589c0d8e57d765ca8fe77499ed087a80254e9d84e780faadca0c1fcd363a8569f36b0acfd1beafae53283b1e0cccfcb6ceba0cbf311b08b44706217770c5

    Download Submit

  • C:\Windows\spoolv\mirc.ini
    Filesize

    3KB

    MD5

    a04da21075614b33c3e8a73d42b15e13

    SHA1

    f63a2ba0486ab4156d9af274c17affecbb9111e7

    SHA256

    388bc2d7772e02dda18d0c51a1c12b7e370d6e34093cd6a662552d7b94cae2ea

    SHA512

    04e0c22e14f5dc706161b38fc0eeefb718414522ca8956dd6cbd8553d92a3ef41a0ed7a92f59555af157fc0e4ae18d3f5bb813324ac4b3715aabfd7b7e5b36b0

    Download Submit

  • C:\Windows\spoolv\reg.reg
    Filesize

    1KB

    MD5

    3aee26844ed0e98a2bc350b0bb8ed2eb

    SHA1

    28dc6eb9f9ba8e573370cba29049b63719beb633

    SHA256

    a9deb575c465fa6a28bc38e2e61088a8f16ce30a94844cccf9abd4fe17876f43

    SHA512

    70453a100fa5cfcaa7727308b6a2757016d90078ee583330dd0ad10eae1021a9314b0287389fad7fde817a97a62795838138aa5bc28fbf61e2fcdd2be80e2751

    Download Submit

  • C:\Windows\spoolv\servers.ini
    Filesize

    882B

    MD5

    0c50f397f8202d830f3102619a4baeb3

    SHA1

    3b90db0c8c2e2bb5504f31814a61fbaf88cef283

    SHA256

    f2120c3fac12eb56aea82912ca6c934525bbac642bb3a79d9147a694ad294b33

    SHA512

    421feab3819c1b8e5bbb381eda9d761ff2194977c60056d48a2afe8229e6a5cb1ac50cd590f5740c84ada269f4450bdc2fb7f5179a80896c5b12bfaa12651237

    Download Submit

  • C:\Windows\spoolv\spoolv.exe
    Filesize

    1.7MB

    MD5

    b766003f431cad186bd115f5761592d1

    SHA1

    33cdfe6f7fa6b321f9a51cc051c32ba924164b10

    SHA256

    22bdb2606020b82349a629248b599b64235c91e8b450e355a245ef09ece57e1d

    SHA512

    d03cabf713c14a40588ec3d5d7c89be91a0bc2e7b472464ed058b2cce0afe58eaaf7386ce5e6297218b3e677e290625506760ad883412b7f94c3330aa9b9f834

    Download Submit

  • C:\Windows\spoolv\users.ini
    Filesize

    67B

    MD5

    e2c6e41a58d2d119301fd0f86d6cd584

    SHA1

    3468d0db0ef6e10e1d3d42237e0a7f54a893b91f

    SHA256

    c8e855ef54675e37d79b4e8c6cf67396800ed809e4b95d6deb7cce971acd2d93

    SHA512

    c79a00db0aa1b182673917b5f28219fdba3b38d6c91c4e04bd71dd3d2b3db98529a506c3fd8dbf0a4a5760cb3c240e1aea9b4407081da591c39a43f0c5892b19

    Download Submit

  • C:\windows\spoolv\run.bat
    Filesize

    135B

    MD5

    ccb995d58bc99b34ea3fa3e97c5583e0

    SHA1

    d72b86500a4a02fa7ad31b7933ce714d9abbe7c1

    SHA256

    27948bfbbdeb54b01cd00ce467660b7a59e6019d9cd61b4e8d687829032a748f

    SHA512

    898492b02492d0764ebf2218e2a2dfe29bcd97213fe577b2eae3b03a7c418d91fbb5b847f76c7e606ca8c95916a5de6423d3fb0a060f32fdc9080f19ada3b4dc

    Download Submit

  • memory/2864-369-0x0000000000400000-0x00000000005CE000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/2864-375-0x0000000000400000-0x00000000005CE000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/2864-366-0x0000000000400000-0x00000000005CE000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/2864-367-0x0000000000400000-0x00000000005CE000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/2864-368-0x0000000000400000-0x00000000005CE000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/2864-386-0x0000000000400000-0x00000000005CE000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/2864-370-0x0000000000400000-0x00000000005CE000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/2864-365-0x0000000000400000-0x00000000005CE000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/2864-376-0x0000000000400000-0x00000000005CE000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/2864-377-0x0000000000400000-0x00000000005CE000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/2864-378-0x0000000000400000-0x00000000005CE000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/2864-379-0x0000000000400000-0x00000000005CE000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/2864-380-0x0000000000400000-0x00000000005CE000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/2864-385-0x0000000000400000-0x00000000005CE000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/4608-348-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

    Download