Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    117s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    25/08/2024, 12:31

General

  • Target

    c0c010c2eb39759c02eb552bee42cc80_JaffaCakes118.exe

  • Size

    157KB

  • MD5

    c0c010c2eb39759c02eb552bee42cc80

  • SHA1

    d08aa96bbba14c48d3bc82ab7cce2c1dc3d1c000

  • SHA256

    a3726e072940d4b252f3c882b6a0900804d125c2f460d3a6e00a0ec725417242

  • SHA512

    1c3a6298249af34d6277f4fcb109a89d05b53a9064789d16ae22585397b3768a1e40458b3857ebd262956a97fe3560a561a6ac0626fafa47355d8b1260254c6f

  • SSDEEP

    3072:2+Q/Vy4mb1FQk6VKFQ+Ia0UdptDKCCygcOiWguJ9tDIdS:dQg4wZ9J06pRKCCy7Wgu7tiS

Score
10/10

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 3 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Office loads VBA resources, possible macro or embedded object present
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c0c010c2eb39759c02eb552bee42cc80_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\c0c010c2eb39759c02eb552bee42cc80_JaffaCakes118.exe"
    1⤵
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2080
    • C:\Program Files (x86)\Microsoft Office\Office14\winword.exe
      "C:\Program Files (x86)\Microsoft Office\Office14\winword.exe"
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2176
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
          PID:2592

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

      Filesize

      19KB

      MD5

      d160f4c8112dad61846b0b3c4680e1d4

      SHA1

      56457ed54ac09cc6bbb3318645dca766d346c141

      SHA256

      6e2afbd6b3b5a75082b856af4dfe555e73fc475ef8b7798fc7d0da91c16f22ca

      SHA512

      53e0b7dd3c63f6404915390f9134a76e03dd496fcf522308668936efc9ed2c80444caa7fa6a91926eddcc5787b73213427c668a72834ffb8ae9ff8e877cdb1c2

    • C:\autorun.inf

      Filesize

      126B

      MD5

      163e20cbccefcdd42f46e43a94173c46

      SHA1

      4c7b5048e8608e2a75799e00ecf1bbb4773279ae

      SHA256

      7780bee9df142a17e0457f3dcb2788b50fc2792370089335597d33719126fb7e

      SHA512

      e5ac0ff6b087857799ab70f68067c9dc73eeb93ccfcad87047052380b95ade3e6eb2a7d01a0f850d548a39f4b1ebb60e299d603dbe25c31b9a3585b34a0c65a8

    • C:\zPharaoh.exe

      Filesize

      157KB

      MD5

      c4a880d8c825c495935f30fe9dcadbb8

      SHA1

      9bac8cfd44b2721b7da0b0599de8d917edb2e7e5

      SHA256

      b10741c94d7a1accaf6aa7d22e6c9d095cd1f84fa56059f24a6f372fb87d2e84

      SHA512

      911dc7b98e84c7c9282dc211a10542c4789550cd8252fb5a0b38dcc518f6d54651ddd2129532040d42be8f58e9c57f08a9d43a7c0f612b528b1e91ff50c13c5d

    • F:\zPharaoh.exe

      Filesize

      157KB

      MD5

      4208a2b4229330b126b315367cc3be93

      SHA1

      b7b5e6148614e442c7ad53cccf8ddfb6f1af524b

      SHA256

      cbcc212bfa906688c960a867f482835cb025fab459929d30e0fb7da432edbfa5

      SHA512

      3096799f31fadafc56c3d37e9495f58af31710671d7113398d11276e80ed222e514d0e56fa2ce1ea14bf2aa2ffab9f42e0dd8702f15c14ee08dadf55e890ca8a

    • memory/2080-0-0x0000000000400000-0x0000000000418000-memory.dmp

      Filesize

      96KB

    • memory/2080-30-0x0000000000400000-0x0000000000418000-memory.dmp

      Filesize

      96KB

    • memory/2176-27-0x000000002FB91000-0x000000002FB92000-memory.dmp

      Filesize

      4KB

    • memory/2176-31-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2176-32-0x000000007100D000-0x0000000071018000-memory.dmp

      Filesize

      44KB

    • memory/2176-39-0x000000007100D000-0x0000000071018000-memory.dmp

      Filesize

      44KB

    • memory/2176-52-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB