Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

ce38420a8e...18.exe

windows7-x64

10

ce38420a8e...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    26s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    06/09/2024, 00:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ce38420a8eb127e33ff0b71f2730af53_JaffaCakes118.exe

  • Size

    773KB

  • MD5

    ce38420a8eb127e33ff0b71f2730af53

  • SHA1

    421d264594c2674efaadda6c80c7bec894243293

  • SHA256

    75c70e1cfce580c7af9083b9a214785d13d54f3e50f6a963e9a2ef64071318ce

  • SHA512

    ee02822089d80bec613e987821ad876865eb997bac560bba39dd9f92e81f4106969c6c5631af9784e4391dd9001f7577ff1155b2a2d08418125f401f5f3556a4

  • SSDEEP

    12288:5Lo3AFptjgbGiAFptjgbGXeb3E2TImvOmbNtW4JWHOyUDO6nw9Er/N3tjXbli3ir:Dj37j3ODkm2mhtGO5IEr/N3/A

Score
10/10
discoveryevasionpersistence

Malware Config

Signatures

  • Modifies firewall policy service 3 TTPs 18 IoCs
    evasion
  • Modifies security service 2 TTPs 26 IoCs
    evasion
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Unexpected DNS network traffic destination 6 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops desktop.ini file(s) 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 31 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\system32\services.exe
    C:\Windows\system32\services.exe
    1⤵
    • Modifies firewall policy service
    • Modifies security service
    • Drops desktop.ini file(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:472
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1240
    • C:\Users\Admin\AppData\Local\Temp\ce38420a8eb127e33ff0b71f2730af53_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\ce38420a8eb127e33ff0b71f2730af53_JaffaCakes118.exe"
      2⤵
      • Loads dropped DLL
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2668
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Crack.exe
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Crack.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1444
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2904
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup.exe
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2612

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Local\Temp\IXP000.TMP\Crack.exe
    Filesize

    168KB

    MD5

    21b07ae2fd748d1dfb01482b07e310d0

    SHA1

    fd667e215fde79eacb3d5529dacde0d45c761cd2

    SHA256

    29ff2d4b0d303d4a1bdc574fbf1e9d809de840818787bf57fe2d06389834fd14

    SHA512

    e4058e0fcdddc173a911b6a75ecff6b76b38ac3389022ab1ea1372049134ca981f22a8978cfd1079debfed282ba051e82189ed4dd2f1f7e1d6271d3b3c9f6c68

    Download Submit

  • \Users\Admin\AppData\Local\Temp\IXP000.TMP\setup.exe
    Filesize

    948KB

    MD5

    3a533dcca9303f34ca71a42edeb4690a

    SHA1

    d2990cfb3879c13d331a96b48fc67b08cc5fb758

    SHA256

    899be7d344e2cfc45372f86ea61f4f4ecd8b3750fae1d2922702f03ec5ea639f

    SHA512

    3c0689e0a83a096f420f0e38a37d5006d8410c34372940b3be38fcfda244ed043142d7410a358a06904dcebbef56e840d11c91fd4f90e637a26df6919fe36c3d

    Download Submit

  • \systemroot\Installer\{ffb13717-266b-96bf-b67b-e9ffda7ca741}\@
    Filesize

    2KB

    MD5

    68b3fd7fe2de5fbf86e524557317fd2d

    SHA1

    4424890d38a2512563540b9a63cb8a9e739c0c83

    SHA256

    b761d78717f411ae69e2b4ed7636f9aa98f4b7355eb6944067473732c01ad784

    SHA512

    8d7dacb3bad44572e70374de13294a911510465476b9a73bcfd38a46ca3e9cd1d789bf870d755326ec537f76c06cfaa742b9742d3473aef62b11734dba741c20

    Download Submit

  • memory/472-30-0x0000000000040000-0x000000000004F000-memory.dmp

    Filesize

    60KB

    Download

  • memory/472-31-0x0000000000050000-0x000000000005F000-memory.dmp

    Filesize

    60KB

    Download

  • memory/472-40-0x0000000000050000-0x000000000005F000-memory.dmp

    Filesize

    60KB

    Download

  • memory/472-21-0x0000000000040000-0x000000000004F000-memory.dmp

    Filesize

    60KB

    Download

  • memory/472-29-0x0000000000030000-0x000000000003B000-memory.dmp

    Filesize

    44KB

    Download

  • memory/472-32-0x0000000000050000-0x000000000005F000-memory.dmp

    Filesize

    60KB

    Download

  • memory/472-25-0x0000000000040000-0x000000000004F000-memory.dmp

    Filesize

    60KB

    Download

  • memory/1240-18-0x00000000024F0000-0x00000000024F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1240-39-0x00000000024F0000-0x00000000024F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1444-15-0x0000000000425000-0x0000000000429000-memory.dmp

    Filesize

    16KB

    Download

  • memory/1444-17-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

    Download

  • memory/1444-16-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

    Download

  • memory/1444-36-0x0000000000425000-0x0000000000429000-memory.dmp

    Filesize

    16KB

    Download

  • memory/1444-37-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

    Download

  • memory/1444-14-0x00000000001B0000-0x00000000001B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1444-44-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

    Download

  • memory/1444-13-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

    Download

  • memory/2668-11-0x0000000000160000-0x0000000000190000-memory.dmp

    Filesize

    192KB

    Download

  • memory/2668-12-0x0000000000160000-0x0000000000190000-memory.dmp

    Filesize

    192KB

    Download