Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

7

c25ae7a268...18.exe

windows7-x64

7

c25ae7a268...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    147s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    26/08/2024, 05:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c25ae7a26857912c0d9824740c424366_JaffaCakes118.exe

  • Size

    1.5MB

  • MD5

    c25ae7a26857912c0d9824740c424366

  • SHA1

    1d01beacd7958b2ea547eb3afa9e01f39920b904

  • SHA256

    c0108b4982c074e06c92ed7e29a7d721f0bd6ba7391396b13268680e32e312e9

  • SHA512

    2f8be82e480efdf7596c8e9388874095a14731e5fab966305b8c2f959f5f3aca3ac9999ac6d11d57950379f5508d89effd868d0e1ab112ab229f9f63eafed0cc

  • SSDEEP

    24576:rdAw5ThqaUocH/CTxiQuBf49W9b2KKkuKoNV1qYlBv7BOf1jFrEhOYZ0XAvJvyNp:r9qav1TgQu9oWR244V1qYlBv7BgOZ0X9

Score
7/10
discoveryevasionpersistencethemidaupx

Malware Config

Signatures

  • ACProtect 1.3x - 1.4x DLL software 2 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 2 IoCs
  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Loads dropped DLL 7 IoCs
  • Themida packer 5 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in System32 directory 7 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 64 IoCs
  • NTFS ADS 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c25ae7a26857912c0d9824740c424366_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\c25ae7a26857912c0d9824740c424366_JaffaCakes118.exe"
    1⤵
    • Identifies Wine through registry keys
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2324
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" "C:\Users\Admin\AppData\Local\Temp\c25ae7a26857912c0d9824740c424366_JaffaCakes118.exe"
      2⤵
        PID:2904
      • C:\Users\Admin\AppData\Roaming\1.exe
        C:\Users\Admin\AppData\Roaming\1.exe
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • NTFS ADS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3044
        • C:\Windows\SysWOW64\regsvr32.exe
          regsvr32 /s "C:\Windows\system32\mswinsck.ocx"
          3⤵
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          PID:2660
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Roaming\1.bat
          3⤵
          • System Location Discovery: System Language Discovery
          PID:1832
        • C:\Windows:ThesharKProject.exe
          C:\Windows:ThesharKProject.exe
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • NTFS ADS
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          PID:2568

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\1.bat
      Filesize

      113B

      MD5

      30fb8674b40c1dc7958909ba1584b37e

      SHA1

      d35c5a768c6e655175571c4bfe3c485e24d47f2e

      SHA256

      11e9fcb10ce29674d8bf41ca773837207427409f108c01c882cfe21427c7dbed

      SHA512

      63049a21a3bb72795c247400350a2f84c00db8def7cecd7a800e0a9280b622fda4f259bfe4cbde2a6f3cf200973d5dfda838479f76a20d5a5d50b697413bdd9e

      Download Submit

    • C:\Users\Admin\AppData\Roaming\kernel33.dll
      Filesize

      1.1MB

      MD5

      e14ba6a9464bed1127c50214acaf0c1a

      SHA1

      3eeda63ac8209ffa2e1beeefdde6531e61f8dc4d

      SHA256

      fd250c2054019c58dd71ac4469ee821b67dfa36a439091ad17969f6d4090da38

      SHA512

      55a7ad5ea8617e8066b2854556e54e1688c70d80b6921eab3020a1bb6cc741320f5f0d63cf067864505877e010d69caa2a7bff890dd037da7efbc3e679ab9c26

      Download Submit

    • C:\Windows\SysWOW64\jpg.dll
      Filesize

      51KB

      MD5

      4eda362e326609a0a80e2736b67607ab

      SHA1

      64aa572d16f7cd6e6bd2296f2c96ad1604c713d1

      SHA256

      061e9f721af9a538dcfd96d13cb3deef1479b5785f566818c34c3faa585d650a

      SHA512

      f23f6a5c362808aef98516dcf12e3eeefd8498c812c27f96820d7d086694641cb4eefc7970b4750a0e4a5a0be1f90ac8981fc2f028e7085d50bd44bd4880c51d

      Download Submit

    • \Users\Admin\AppData\Roaming\1.exe
      Filesize

      296KB

      MD5

      a63e6c36032e934147da66150e52e0a2

      SHA1

      6f87e80c6804485a98c7d1f9821412680701303c

      SHA256

      f004b37cf83f8f220f1fae8826831e4f63fba4335631eb9204cd16b21d1c9c94

      SHA512

      21c406d9424bfccb182156a6458bc5500dcb915cfbd5b1b3c6c977565ef677100792a2b4e66c7d52a86d44a49ccf0cfd4e55f5a2cc6f6073e07250e70ff604fc

      Download Submit

    • \Windows\SysWOW64\mswinsck.ocx
      Filesize

      105KB

      MD5

      9484c04258830aa3c2f2a70eb041414c

      SHA1

      b242a4fb0e9dcf14cb51dc36027baff9a79cb823

      SHA256

      bf7e47c16d7e1c0e88534f4ef95e09d0fd821ed1a06b0d95a389b35364b63ff5

      SHA512

      9d0e9f0d88594746ba41ea4a61a53498619eda596e12d8ec37d01cfe8ceb08be13e3727c83d630a6d9e6d03066f62444bb94ea5a0d2ed9d21a270e612db532a0

      Download Submit

    • \Windows\SysWOW64\zlib.dll
      Filesize

      27KB

      MD5

      200d52d81e9b4b05fa58ce5fbe511dba

      SHA1

      c0d809ee93816d87388ed4e7fd6fca93d70294d2

      SHA256

      d4fe89dc2e7775f4ef0dfc70ed6999b8f09635326e05e08a274d464d1814c617

      SHA512

      7b1df70d76855d65cf246051e7b9f7119720a695d41ace1eb00e45e93e6de80d083b953269166bdee7137dbd9f3e5681e36bb036f151cea383c10d82957f39c5

      Download Submit

    • memory/2324-15-0x0000000000400000-0x00000000006DF000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/2324-17-0x0000000000400000-0x00000000006DF000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/2324-6-0x0000000000400000-0x00000000006DF000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/2324-29-0x0000000000400000-0x00000000006DF000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/2324-2-0x00000000003D0000-0x00000000003D1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2324-3-0x0000000000401000-0x0000000000403000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2324-0-0x0000000000400000-0x00000000006DF000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/2324-1-0x00000000002E0000-0x00000000003CF000-memory.dmp

      Filesize

      956KB

      Download

    • memory/3044-33-0x0000000010000000-0x0000000010014000-memory.dmp

      Filesize

      80KB

      Download