Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

c0ed1c56e4...18.exe

windows7-x64

7

c0ed1c56e4...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    25/08/2024, 14:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c0ed1c56e47fda96debc6530b0b5c38b_JaffaCakes118.exe

  • Size

    48KB

  • MD5

    c0ed1c56e47fda96debc6530b0b5c38b

  • SHA1

    d0fd8625f3c6232b1b1fdc833adf8ced63ce3295

  • SHA256

    13e50b8babbd893fa62f412669bc959a9dcf4d99de94b54467037416ce695286

  • SHA512

    15ab059af198d51cbe973311460d6d43a8960dfc6d25c3c476e4e4f8feaa3fdfd2eab72c3f2a9758a9ac13fa836496fe6c6e8b73c831c0673b0b8ea16e1255e3

  • SSDEEP

    768:nakxkSLCfmd2UbpCxPCbDnMuc4gsK2rHIMSLIneqvdvLAwA:qfmd2UbpcCvpXHNyChBA

Score
7/10
defense_evasiondiscovery

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion
  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
    adwarespyware
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 56 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c0ed1c56e47fda96debc6530b0b5c38b_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\c0ed1c56e47fda96debc6530b0b5c38b_JaffaCakes118.exe"
    1⤵
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2236
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\run_dws_file.bat" "
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2804
      • C:\Users\Admin\AppData\Local\Temp\ins5254.tmp
        C:\Users\Admin\AppData\Local\Temp\ins5254.tmp accm3p_gench.tmp
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2552
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\ins5254.tmp > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1508
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp_ext_favurl_cab.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2724
      • C:\Windows\SysWOW64\expand.exe
        expand.exe "C:\Users\Admin\AppData\Local\Temp\favorites_url.cab" -F:*.* "C:\Users\Admin\Favorites"
        3⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        PID:2244
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp_ext_deskurl_cab.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2992
      • C:\Windows\SysWOW64\expand.exe
        expand.exe "C:\Users\Admin\AppData\Local\Temp\desktop_url.cab" -F:*.* "C:\Users\Admin\Desktop"
        3⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        PID:1696
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://jump3.35638.com:27889/report3.ashx?m=42-45-88-26-9A-E0&mid=21663&tid=1&d=3387ba87341a464a033da79cf62ed87d&uid=13729&t=
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1848
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1848 CREDAT:275457 /prefetch:2
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2376
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://tc.58816.com/
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2872
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2872 CREDAT:275457 /prefetch:2
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2848
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.38522.com/bhy.html?popup
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1144
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1144 CREDAT:275457 /prefetch:2
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:784
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\C0ED1C~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:1484

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    2d3129bd7c17a21dfdf8f7834caabe1b

    SHA1

    c4c6679401aa6ec3434f7d57d9ebc4770f3b5a63

    SHA256

    5ad52de778fb41eb82cfe4c9852a6a423d31b9d55989b3637ce13074f795e1c3

    SHA512

    3b66c0005bebfaf1bb38a6d027365211792583c4c24b2eb0c472198f4d8b69d568461ff1e05706e9dbfaa46d9712df57d1d5a060efaf283d1e0bff5fe2096679

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    3a87b8dc688b7ddded3a0e72798e01aa

    SHA1

    a6857a22036950da41c578b1b0058baac7f29d69

    SHA256

    f901e9745e0c464bb6232b85f40fd2bff7de577e9feea385317a563c486f05c2

    SHA512

    ba93a015449759b500e8ec9418d39971518ababd0af3a8205dbc2272d30c558a416f681544e32a2c08eaa16c82392013d42119560e46f2ee09a3c30c2b2b0fea

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    72ade2b965377a168c15df8a183a24f5

    SHA1

    415fb4a1fc2c0ab8540f2a1df34fc8e56bedaeeb

    SHA256

    ac0e96c70243d04ad0e679a885b10cca2585a38b06d0dca026c9657e89934854

    SHA512

    3ed59da56d618af21d21ed1f1865601f3890daedc9a488c9c95b2fc2469070a91b1307119d96543a30b26cc4f6cfb85217f97a906b6f1604be45f5d8f45a2531

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    6d98f0480411ae56227ee079995ba231

    SHA1

    12dc91855f0e76780cd9ccf5668ec1cc80a47053

    SHA256

    410d453f4278dd7374a12245d233fc92dc07e83ef2d9ea5bde4f64ccb97b2625

    SHA512

    c2c2e270b6e63f16d142737b2b358c9fb18a86f9144cb6d29bde7e63fa09c90d52fff3bc7426ec1a55d2baf52a490bcadb3686e3f2ed0950482eb0e498b4ebaf

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    6a2b812c3bff087824ed7e4ac6d87980

    SHA1

    75b60d9849f48cc8468377afc329b8e2f32ece97

    SHA256

    b0b8e5f8a4edf60ea0ce7c1e7902f264cd044be2103ccd973f0fcf25fb660611

    SHA512

    640280c6a55080f2fd4b37bc40443e03454d94b4379207ae059d8de4bedfb155ef96bc1972ec1952e56d75b57bc122b9bdb6d1d65e896b53b77e38644dd16bfd

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    e688c494bf41feaabcd13308e8ac4b68

    SHA1

    e0765a9f848dc75aba3ae7af944794434f3d5d1f

    SHA256

    273cc58dfcae36684153215638eb1a9cd571690f837bb8cb580d896bf8ca2e0b

    SHA512

    f8b8726f51f2154668193b1fe921a932bae3a971fd1c56e4694d3c492aa2d05b9fd8bed27b09721ec5fca69994c501d70ef3ae0364ed55372bfdb3e58c3d25cc

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    dcad74794e543cc6305b4d988dbb33ee

    SHA1

    af5b91ea3afea51169ef180c096510ff831dd45f

    SHA256

    d4788af38fa8a0ef5c58b695956fface4f526906d960a6d1977ae293c0dd682c

    SHA512

    5553457b832cd9782898a2e84ace3221fdd97afc0b09d6af439f4fcbaf877242825b0f51e00e6fc89a934edd7f36103e835da53bd7108144d943809772cb4d0c

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    38032f6324bacc66ea4d39070385a87c

    SHA1

    501733991e9b5b7860cd326fa9ad44a70e0eeac3

    SHA256

    cc8c37e9b9cc54f2d3a1b2efaba0187ffbe0adc1afe67519dc24228077f4f1f9

    SHA512

    b4be6fdd35e0cbdc2db20c53dbc20eca406e860c48db19ef13f56de442f6e72eb35983f254bd6ea75affd24054267829a2f11900dbe1d6609e635769c91e6025

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    c72e0fb2c7677249077162a149385ce9

    SHA1

    84b2c271819a3c943b092e95c1675ed8ff879fa8

    SHA256

    a094928260d2e29aece6fcdd826702fa47886a5780291c034dea441f8c5e8f6a

    SHA512

    80a242c17a5749a1abc4c2a54de5ad598adefd22bbfe28514338478f1d954d18d63dfc7a48acdb44990f468a267aa10be7a09546222145aff2a57517a6f5fa7a

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    89d57b7577dd3b7e49b87b5ccf096249

    SHA1

    94ec0f3d4f338bb079c0b1dcd0f81e855f910992

    SHA256

    751a714b87a098f7b058272d3b076c22ebb811cea820ebf8e58dde18efdd6fcb

    SHA512

    fded0afbe4cab76fbc38f666298699e994eba7bf948a12f333ab619ab015021dfe7edf61c636e6d9afe3b5296e2bca0ac8cf8599ed39353d53a28e41e77ded0b

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    6f86f1fb10237083409466cbd219ef41

    SHA1

    7c167abc067a453557a8194366fac13d09bd0d4d

    SHA256

    a83eb269ec4266cfff4255fc25140ba0f2b820d5b070d0e877e73dfa5fe52f10

    SHA512

    788b76a9e527f225fa7676eb0325eaf86513d3442134ba2ab0bf6814646fe61b0e1d0a743d88df4a041061714248a975f3cb1043d69f43e33c773260edf1c767

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    bbb1206617a6ec1e6fe0a4741be56119

    SHA1

    ed47324d3f6c40b3233e1cac5a91923de898903b

    SHA256

    a5123a91ca7cdf2f55188e304b5eebc9e402471c22135fd65f9f9c81597521c1

    SHA512

    621188d3e344542933997ebf7fce0ce7ce5c44ddc4729c50d263e40e33f8f1c598bfeab6f387d5e8cf6ef49b5d540c41a3d09e1b272fb62acecb9e7e82377dde

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{2C34E551-62ED-11EF-8CC8-424588269AE0}.dat
    Filesize

    5KB

    MD5

    f5f6827f5c562f2390dc4774366f7270

    SHA1

    b9b79308d8f6890cc48431132ff11a9b2fe59687

    SHA256

    15700205cdb94b65d769a5b883d7f0ab800849faddf78a0495ca16f01d5f06e8

    SHA512

    610124d2b18dc6cbb791c8cc5f9bbac8ac325b05aa1e397684b1da74fc54166ab0c31ce2309271fc7d8c47549731ef318765381a7cac654ea414abe1b1a37e62

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{2C39A811-62ED-11EF-8CC8-424588269AE0}.dat
    Filesize

    3KB

    MD5

    181e8769f972b52e0893fe5f6967a87c

    SHA1

    e867ffdbe889067f6bc92e7b168a613ce0fedeaf

    SHA256

    728d0d6c126ea4388bf40f6c287571cabc5d6c25352f67d96bd9ddce5a15ddbf

    SHA512

    56150205f24d7ffd0d35829741378e23b34a140bf297def746492df9b71ce6477f9bd6357ae09c1706b54afd75b1acbd7dbc0095af36bc29f67173b042998b7d

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{2C39A811-62ED-11EF-8CC8-424588269AE0}.dat
    Filesize

    5KB

    MD5

    62776c89fcbb7f1a56309d0fda0c4910

    SHA1

    49d5cbddfdbe44c5f0e0e424642bce7934764c57

    SHA256

    6bbd1a32933f8b9fffa251800d7fda309bb0b5c7ba2031b1abd006f85a448e69

    SHA512

    57f37a09de833983e0fa971c750b6c076b701a4915034c03bea8938f9d9234113bfd8e2e0ae15ce2a9e1c49f5b1c4c1f6c1358d5455c2ad9974d110d16225489

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Cab80D5.tmp
    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Tar8981.tmp
    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\accm3p_gench.tmp
    Filesize

    716B

    MD5

    7174b70886ee1dda1d0cab12d0e3f327

    SHA1

    10fb3dd7ed093e1546a5e8e8639b6c5822345b98

    SHA256

    64001f6bdebc532aec46f0f71fc5bb38cd69f18b9c504581cb261c2d5cc7e06e

    SHA512

    24c43642e2f9abe4a8d458ddfb47a7540fa821afa9ba62de8d0654a7f73d6d46cd4b25b97b1b2c9a07dce3a5b1fbd456a118e6bd08128729be38d6f432ab28cf

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\run_dws_file.bat
    Filesize

    62B

    MD5

    b3258bbd340271f1a938e0f1db0dd22d

    SHA1

    7ce539e8daa8766cc66482c354716797f2cece47

    SHA256

    6c9d13eb31e68020c52b931e0da4855d39a4dfc30c86d3899c7418fae297afe6

    SHA512

    78b47873b65cebf32f1b91e069aa291dcd5d6f3708ca592b1e1e194d1fceaab245de074dfe2a4a21ea8f1ab6fca1cf4211f4e42c919312c172637d011196030d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmp_ext_deskurl_cab.bat
    Filesize

    94B

    MD5

    d5fc3a9ec15a6302543438928c29e284

    SHA1

    fd4199e543f683a8830a88f8ac0d0f001952b506

    SHA256

    b2160315eb2f3bcb2e7601e0ce7fbb4ed72094b891d3db3b5119b07eeccc568d

    SHA512

    4d0378480f1e7d5bee5cf8f8cd3495745c05408785ab687b92be739cd64c077f0e3ee26d6d96e27eb6e2c3dec5f39a2766c45854dc2d6a5b6defc672aeafa0f9

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmp_ext_favurl_cab.bat
    Filesize

    98B

    MD5

    8663de6fce9208b795dc913d1a6a3f5b

    SHA1

    882193f208cf012eaf22eeaa4fef3b67e7c67c15

    SHA256

    2909ea8555f2fc19097c1070a1da8fcfd6dc6886aa1d99d7e0c05e53feeb5b61

    SHA512

    9381063e0f85e874be54ae22675393b82c6ab54b223090148e4acbeff6f22393c96c90b83d6538461b695528af01d1f1231cf5dc719f07d6168386974b490688

    Download Submit

  • C:\Windows\Logs\DPX\setupact.log
    Filesize

    6KB

    MD5

    c11dc627380c29b00f19c48d952dbe4e

    SHA1

    5de864d2aa609ada1897eb4d4320baa4ff4a497b

    SHA256

    bc28f30b21b9407e14178eb32de125d90fc44aba55241de5414531f1a7a87bc8

    SHA512

    0157f87e19daf7e41b31260260ac59bf6973401ed0215265f8bb201ad2e61db941098a7006d4c7e1f4ac9e34349aa492819c331197971bc2d3cc9a3e5e39ace9

    Download Submit

  • \??\c:\users\admin\appdata\local\temp\desktop_url.cab
    Filesize

    475B

    MD5

    7435d786e086d63639c02a3f39cecf84

    SHA1

    a4d70109c0099e46e2cb17c92c1eb901b0744d46

    SHA256

    376c35bd15ab9fb651cec5008e8ad5b5b894a5219a1f887199971a0c5a5c2598

    SHA512

    3db60a0722b302bf48725e9cf78b2683e32ffd65a6f7bebb218eb0e0d2db1922b64678636013d9bf83368e5f5f64794678a9f657897bba541f2749b71da09edc

    Download Submit

  • \??\c:\users\admin\appdata\local\temp\favorites_url.cab
    Filesize

    425B

    MD5

    da68bc3b7c3525670a04366bc55629f5

    SHA1

    15fda47ecfead7db8f7aee6ca7570138ba7f1b71

    SHA256

    73f3605192b676c92649034768378909a19d13883a7ea6f8ba1b096c78ffadb5

    SHA512

    6fee416affcb6a74621479697bca6f14f5429b00de3aa595abe3c60c6b2e094877b59f8783bbe7bdd567fa565d0630bb02def5603f8f0ea92fe8f2c3ac5383c0

    Download Submit

  • memory/2236-91-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2552-55-0x0000000000020000-0x0000000000022000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2552-54-0x0000000000400000-0x0000000000407000-memory.dmp

    Filesize

    28KB

    Download

  • memory/2804-53-0x0000000000140000-0x0000000000147000-memory.dmp

    Filesize

    28KB

    Download

  • memory/2804-52-0x0000000000140000-0x0000000000147000-memory.dmp

    Filesize

    28KB

    Download