Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    122s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    29/08/2024, 00:22

General

  • Target

    c7e9e1c758c0620227dce1f7a56e1e55_JaffaCakes118.exe

  • Size

    14KB

  • MD5

    c7e9e1c758c0620227dce1f7a56e1e55

  • SHA1

    a49f67eb92b375cf31f1b634255d6c4f7390863c

  • SHA256

    873eb966ad8f181a1725d5a783c90f83c4dd23b19e0da3d2a792b629693cc099

  • SHA512

    1683e58a2ed034eb24c79a0b8e576b28744c4e5e52e20435a95b6171558d7ce9dc6c29e54d25aee340e58e6f6a58405a2c9aeef414a23ac554e9a0cc2730c3ca

  • SSDEEP

    384:w620+EZL4zoNzrNk0ifS7osikY6SZuAlM:5aExvrG0yYLY6SZuv

Score
10/10

Malware Config

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 1 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c7e9e1c758c0620227dce1f7a56e1e55_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\c7e9e1c758c0620227dce1f7a56e1e55_JaffaCakes118.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2908
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\227E.tmp.bat
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:3020

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\227E.tmp.bat

    Filesize

    207B

    MD5

    fc090e967f82acc37eb8723d694404e9

    SHA1

    fb43faf7523149e56aa8cac9fd4741cf5b376314

    SHA256

    8e0bd597404f092c1ec67e78890cbe081d2420b8bb920ca9279b4e577aa80309

    SHA512

    1c48d71dd715870403bc375966b475e8ee72c87042249bd01a47696b2b43c61c90d03f10eca6642895359feaa7b588e1c77e95d548a037e9cc54254ab2de78b4

  • C:\Windows\SysWOW64\tscfgwmijxsj.nls

    Filesize

    428B

    MD5

    7eade39ebf9b643d26e82cdde0ce7597

    SHA1

    728fe5030f09b3c841eff45296b3613b61ebfc88

    SHA256

    b045ff0046c49c958503ce5951c37e949c7fb0151be6defb98260511964f1339

    SHA512

    a3671c26ee838283c2941647849727add0f3884d78d19c1596d4cd2c616e69142be507d3dbc739b923c6cf025d99acadc5cba7a93b3b9acde118e3d3baaace96

  • C:\Windows\SysWOW64\tscfgwmijxsj.tmp

    Filesize

    2.3MB

    MD5

    4f5fa6d206c10a696660b8f108ce8e8e

    SHA1

    df6a235a4f4dac04911dddfdf4df4aaa031d7040

    SHA256

    f9013add73f066de201b106d202e15ad206e60397819753c299430907a1a0223

    SHA512

    c4df338d016f442add474726b7409d53ad0abc3cd1ba6e9ce31b94123348931ce1859c4218be55bebdf087cf906de5f6d7720a255bb35a024448a793d94ad007

  • memory/2908-16-0x0000000020000000-0x0000000020008000-memory.dmp

    Filesize

    32KB

  • memory/2908-25-0x0000000020000000-0x0000000020008000-memory.dmp

    Filesize

    32KB