Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    06/09/2024, 08:50

General

  • Target

    cf2698bbd827384c2d80ce7260730dfa_JaffaCakes118.exe

  • Size

    105KB

  • MD5

    cf2698bbd827384c2d80ce7260730dfa

  • SHA1

    b2dfbb6eb14761517c0376fea844e3e898b4fe05

  • SHA256

    6c74a34552008d0fad98199544cfe3463ae4b783969997206c9503d826006f37

  • SHA512

    4caec1ea40b13e412b74d9ac5f8147fc16b20eb554f457723fc97539b870cb38c750b2125bea19b238a07ab49a44b7394d4a5ad9a6f8d341162c6a4a61d7625a

  • SSDEEP

    3072:3ZlsN/vCtko2SYgnZoRHdrHx5GXBwLWNI3:JlsNJo2ShZoldrPGXB5I3

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cf2698bbd827384c2d80ce7260730dfa_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\cf2698bbd827384c2d80ce7260730dfa_JaffaCakes118.exe"
    (process tree depth 1)
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2352
    • C:\Users\Admin\AppData\Local\Temp\G9464-tmp.exe
      C:\Users\Admin\AppData\Local\Temp\G9464-tmp.exe http://creatonsoft.com/drv32.data "C:\Users\Admin\AppData\Local\Temp\G9465-tmp"
      (process tree depth 2)
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2092
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\tmp.bat" "
      (process tree depth 2)
      • System Location Discovery: System Language Discovery
      PID:2840

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1LNUKNV0\2OCJNCT7.htm

    Filesize

    1.6MB

    MD5

    85ed5b2f470be94939267716b94fed54

    SHA1

    63be8944478e6ae2d40a2c40dd2a213a9e7c4b8c

    SHA256

    4420dbbd7057bf632c49ef0b801c2c8c0c1db6de8c3d11772f013864725203f4

    SHA512

    0fe3fff6a7894fcbb4e19604dd2615e9fae00382166a7d91167ce4211646c68577cf74ddb1d6b8030c948efb7a96946e62c3aafbf7ca29e279809cce94556d2f

  • C:\Users\Admin\AppData\Local\Temp\G9464-tmp

    Filesize

    149KB

    MD5

    b433088a544ac4f2307108af859da646

    SHA1

    9ef08188ba1a20d2f0cb5a76435de75a11a57c14

    SHA256

    315ae503e54fc45b70f2c0c2567a9f40144f2ac0555f43be3e5106d2ca4da277

    SHA512

    db44bc16d5a97f9df662881070e32dcedf92d40658d42c6fd8b3efe26217100e4ca2b743c5243fd5ac81e98873cf7acad039d6b7de12ed9d13ee2df399166e3e

  • C:\tmp.bat

    Filesize

    50B

    MD5

    61b10cda3503347e377a2a1dcc405aaa

    SHA1

    ec9a9a10d5fcdac2f3fd3ec84028d514cc2d753e

    SHA256

    cd5a8256b8245f171ffb50e6491ed6c245e84f2ad797ded49c0ee4994cd97de9

    SHA512

    f77ff0580b71a10ec1c912e6e32ca57678f825f6c70aa15016e5acde35ee947b11bf791c6f0ce1b1b5465bfb7625c5b2d8c4a75d5a07c6078e724140062a6994

  • memory/2092-33-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/2352-0-0x0000000000400000-0x00000000004A1000-memory.dmp

    Filesize

    644KB

  • memory/2352-44-0x0000000000400000-0x00000000004A1000-memory.dmp

    Filesize

    644KB