Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

c1a5c08e27...18.exe

windows7-x64

7

c1a5c08e27...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    14s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    25/08/2024, 21:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c1a5c08e27d93713802cb00235447a17_JaffaCakes118.exe

  • Size

    812KB

  • MD5

    c1a5c08e27d93713802cb00235447a17

  • SHA1

    fd070786781da66f67b8eece92eecbfbcd04fcf3

  • SHA256

    92600d35bf740272d948d67cf595ac7fdc1da5fcd4b80cc39f64871c57fb2488

  • SHA512

    35555685d0290dd10d4881443f6216314465a20798761e644cb66e5cffb69dbb91030ebc54093ab8aeb10e96a8ea12381734c5f4825ebc37cc82e38a538e9c0d

  • SSDEEP

    12288:6QoutGe7ZVVT7ZD3wUdm7dv88vUcYgTJwri42gmm4QB3wCbt+qQ1wqK3Xd8:6FutG2VT9T7m5v88vUWGrgmOCbtREY

Score
7/10
discoveryevasion

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Identifies Wine through registry keys 2 TTPs 2 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Loads dropped DLL 4 IoCs
  • Drops file in System32 directory 3 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c1a5c08e27d93713802cb00235447a17_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\c1a5c08e27d93713802cb00235447a17_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2056
    • C:\Windows\SysWOW64\ntapli.exe
      C:\Windows\system32\ntapli.exe
      2⤵
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Loads dropped DLL
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3056
      • C:\Windows\SysWOW64\ntapli.exe
        -i
        3⤵
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:2808

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Windows\SysWOW64\ntapli.exe
    Filesize

    764KB

    MD5

    0cab912734c24625aed9a0b1c04a126f

    SHA1

    271f4872c6ca96383b2fefc3d5682ddb178aacb1

    SHA256

    08463cba39af53896bb059a864bcab32b3389b50943e1503809b15d2b8e7d8e1

    SHA512

    eea24743e60aea3758e9ea77076cb18c39e87db4f8cf5e0359979e68878a4518754efff58214b794ed4015b460e16f305e33dbe0bc77b256ceddcc4dfffac327

    Download Submit

  • memory/2056-9-0x0000000002AA0000-0x0000000002C4B000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/2056-11-0x0000000002AA0000-0x0000000002C4B000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/2808-20-0x0000000000400000-0x00000000005AB000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/2808-22-0x0000000000400000-0x00000000005AB000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/2808-24-0x0000000000400000-0x00000000005AB000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/2808-21-0x0000000000400000-0x00000000005AB000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/3056-19-0x0000000000400000-0x00000000005AB000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/3056-17-0x0000000000400000-0x00000000005AB000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/3056-13-0x0000000000401000-0x0000000000419000-memory.dmp

    Filesize

    96KB

    Download