Analysis

  • max time kernel
    92s
  • max time network
    135s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29/08/2024, 00:22

General

  • Target

    c7e9e1c758c0620227dce1f7a56e1e55_JaffaCakes118.exe

  • Size

    14KB

  • MD5

    c7e9e1c758c0620227dce1f7a56e1e55

  • SHA1

    a49f67eb92b375cf31f1b634255d6c4f7390863c

  • SHA256

    873eb966ad8f181a1725d5a783c90f83c4dd23b19e0da3d2a792b629693cc099

  • SHA512

    1683e58a2ed034eb24c79a0b8e576b28744c4e5e52e20435a95b6171558d7ce9dc6c29e54d25aee340e58e6f6a58405a2c9aeef414a23ac554e9a0cc2730c3ca

  • SSDEEP

    384:w620+EZL4zoNzrNk0ifS7osikY6SZuAlM:5aExvrG0yYLY6SZuv

Score
10/10

Malware Config

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c7e9e1c758c0620227dce1f7a56e1e55_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\c7e9e1c758c0620227dce1f7a56e1e55_JaffaCakes118.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:536
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\1C4D.tmp.bat
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4496

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\1C4D.tmp.bat

    Filesize

    207B

    MD5

    fc090e967f82acc37eb8723d694404e9

    SHA1

    fb43faf7523149e56aa8cac9fd4741cf5b376314

    SHA256

    8e0bd597404f092c1ec67e78890cbe081d2420b8bb920ca9279b4e577aa80309

    SHA512

    1c48d71dd715870403bc375966b475e8ee72c87042249bd01a47696b2b43c61c90d03f10eca6642895359feaa7b588e1c77e95d548a037e9cc54254ab2de78b4

  • C:\Windows\SysWOW64\tscfgwmijxsj.nls

    Filesize

    428B

    MD5

    7eade39ebf9b643d26e82cdde0ce7597

    SHA1

    728fe5030f09b3c841eff45296b3613b61ebfc88

    SHA256

    b045ff0046c49c958503ce5951c37e949c7fb0151be6defb98260511964f1339

    SHA512

    a3671c26ee838283c2941647849727add0f3884d78d19c1596d4cd2c616e69142be507d3dbc739b923c6cf025d99acadc5cba7a93b3b9acde118e3d3baaace96

  • C:\Windows\SysWOW64\tscfgwmijxsj.tmp

    Filesize

    2.1MB

    MD5

    77c237585dddd3faf3665e759283758c

    SHA1

    e6933f1cd651714a3012f81b892f61729aa80a60

    SHA256

    0fe7b4148294028e25e0cb60bd8b6503c71b485c94cea3064b555aa21bb28f10

    SHA512

    70f100e07c983060a58a4b85740e6140574e4138b747c3bc9ca438978fe637a7c30d4e2a1b9d32b941bb8d374156dac5daa4bdd9dc5be7bd1cf8942cc0eed288

  • memory/536-17-0x0000000020000000-0x0000000020008000-memory.dmp

    Filesize

    32KB

  • memory/536-22-0x0000000020000000-0x0000000020008000-memory.dmp

    Filesize

    32KB