Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

cf84c8aede...18.exe

windows7-x64

7

cf84c8aede...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/09/2024, 12:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cf84c8aede92faa9b7134ae63ac03a2a_JaffaCakes118.exe

  • Size

    789KB

  • MD5

    cf84c8aede92faa9b7134ae63ac03a2a

  • SHA1

    61f0b9f975063528a6621409584c5a05856914e0

  • SHA256

    fe8e0b671b60b6f26685fea0c7a0d54470b216abe2a5d3e107b2911bb94070ba

  • SHA512

    3a5f15fc422846f0e4dc48e68351c2aecb12507e250c0c8ac7c2baa79e2cc5d925b91a18d5a38e202a37acfed0e81d141cc7d7f91dc7924c5e5a8b75266c3abc

  • SSDEEP

    24576:yL32XfDqmqkKS6cfNfNIN4jp3DZPtq/h:yL32vDqgKrujpzZ1q/h

Score
7/10
discoveryevasiontrojan

Malware Config

Signatures

  • Loads dropped DLL 8 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Drops file in System32 directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cf84c8aede92faa9b7134ae63ac03a2a_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\cf84c8aede92faa9b7134ae63ac03a2a_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Checks whether UAC is enabled
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2700
    • C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s C:\Windows\system32\MSWINSCK.OCX
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      PID:3492
    • C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s C:\Windows\system32\MSCOMCTL.OCX
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      PID:4876
    • C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s C:\Windows\system32\TABCTL32.OCX
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      PID:3984
    • C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s C:\Windows\system32\MSINET.OCX
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      PID:4836

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\MSCOMCTL.OCX
    Filesize

    1.0MB

    MD5

    f7bbb7d79adb9e3adc13f3b3c33d3d4d

    SHA1

    cacb4b31d22419e6a9ddbffcf61ae42da0d5fb8a

    SHA256

    18a83d7a420a17fcb6f56eb3ba5362c975d32e5ded7553c6fd407f07bdb7b006

    SHA512

    4870ddbdf283d7f7f64d3f4bf556600a78804f6a94fc2ca7eb778e85d70b6d2d017aa35cbddf773b6a1b6d9a2813cd67fe54ede7859050a254a3e3c05616ae0e

    Download Submit

  • C:\Windows\SysWOW64\MSINET.OCX
    Filesize

    112KB

    MD5

    7bec181a21753498b6bd001c42a42722

    SHA1

    3249f233657dc66632c0539c47895bfcee5770cc

    SHA256

    73da54b69911bdd08ea8bbbd508f815ef7cfa59c4684d75c1c602252ec88ee31

    SHA512

    d671e25ae5e02a55f444d253f0e4a42af6a5362d9759fb243ad6d2c333976ab3e98669621ec0850ad915ee06acbe8e70d77b084128fc275462223f4f5ab401bc

    Download Submit

  • C:\Windows\SysWOW64\MSWINSCK.OCX
    Filesize

    105KB

    MD5

    9484c04258830aa3c2f2a70eb041414c

    SHA1

    b242a4fb0e9dcf14cb51dc36027baff9a79cb823

    SHA256

    bf7e47c16d7e1c0e88534f4ef95e09d0fd821ed1a06b0d95a389b35364b63ff5

    SHA512

    9d0e9f0d88594746ba41ea4a61a53498619eda596e12d8ec37d01cfe8ceb08be13e3727c83d630a6d9e6d03066f62444bb94ea5a0d2ed9d21a270e612db532a0

    Download Submit

  • C:\Windows\SysWOW64\TABCTL32.OCX
    Filesize

    204KB

    MD5

    2bae02cd88d9ef0c03bdab250904f802

    SHA1

    ff421bffb17f2dafdf028a198ed6e540e0c8dce9

    SHA256

    76f99cb0983a76385e55dca92577bb53de488aafdf0d6ffcbe03ec5fa85d15c5

    SHA512

    faed7f90b18bdacc68e44a145e81be967cac163d44cbfef6ec32d36b53c7ae57d3b8e7a5526c0d6f97226c19432c70c390068d505ed69c6f4ceaa9e63dda745e

    Download Submit

  • memory/2700-0-0x0000000000400000-0x0000000000671000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/2700-1-0x00000000001C0000-0x00000000001C2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2700-5-0x00000000001C0000-0x00000000001C2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2700-4-0x0000000000400000-0x0000000000671000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/2700-31-0x0000000000400000-0x0000000000671000-memory.dmp

    Filesize

    2.4MB

    Download