Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

df18462d63...18.exe

windows7-x64

10

df18462d63...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    13/09/2024, 23:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    df18462d6309efb5454fecdf3df709ce_JaffaCakes118.exe

  • Size

    350KB

  • MD5

    df18462d6309efb5454fecdf3df709ce

  • SHA1

    1caa5c2a2bcdc6b8282c971f197ff7df78352e11

  • SHA256

    2b47a07b4a577bb57598402cbb7adb06a2cfae0c6f2bb212d7c9957687fe0445

  • SHA512

    8466a90e49ea0e1916e493208aeb736bfd30e53908a63a9f54bb7ffdc6430abf4fb54ca901cade1893a3c3b243465378212d4d1e17fcb7e0ed3c626d884dc6d6

  • SSDEEP

    6144:hqs/AV1rl6ahtdKGFXnxdS8NnaopyJLn1KT2z99X5kdT8Z0BwG9bM6Zyj:hbS6qtEGFXxHaopwtEwWbvZyj

Score
10/10
discoveryevasion

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 7 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 3 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in Program Files directory 8 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\df18462d6309efb5454fecdf3df709ce_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\df18462d6309efb5454fecdf3df709ce_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1744
    • C:\Documents and Settings\tazebama.dl_
      "C:\Documents and Settings\tazebama.dl_"
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2452
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2452 -s 320
        3⤵
        • Loads dropped DLL
        • Program crash
        PID:2416

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\autorun.inf
    Filesize

    126B

    MD5

    163e20cbccefcdd42f46e43a94173c46

    SHA1

    4c7b5048e8608e2a75799e00ecf1bbb4773279ae

    SHA256

    7780bee9df142a17e0457f3dcb2788b50fc2792370089335597d33719126fb7e

    SHA512

    e5ac0ff6b087857799ab70f68067c9dc73eeb93ccfcad87047052380b95ade3e6eb2a7d01a0f850d548a39f4b1ebb60e299d603dbe25c31b9a3585b34a0c65a8

    Download Submit

  • C:\zPharaoh.exe
    Filesize

    157KB

    MD5

    1d41a5f316625d256f29e1e684a991c0

    SHA1

    778b7820ead5f4f851ab64c09b262a3e333a9af8

    SHA256

    16ef36832582aa652f2759ffda2d3e93e68fc9c99e2b8944097d1c8779a52c58

    SHA512

    62c7024bee263dc5d0f05915d173e2105c248f1714a7587c898b121e94f759edd115423186bd57587a4d03ee068ec1e66ace8168f390ad5265917b8cfa8c87e0

    Download Submit

  • F:\zPharaoh.exe
    Filesize

    157KB

    MD5

    affb55aac0ea10ee2a1249ff1cdd8764

    SHA1

    b3fdc784ca4601b6270c731f5415d7faede75279

    SHA256

    20232080e61191e52023341a2d4e419d77741e9f06af7df8631a4073d73a5057

    SHA512

    96be8823c9a5271da727a3921b1e1a2c60063a0ea6dd4d2c4f3cf06e31c5b892c5b8035d2cb72ec3d5a8776125b578b2a844862f7df20beb9e119420f96c609a

    Download Submit

  • \Users\tazebama.dl_
    Filesize

    157KB

    MD5

    f1168c92deffda2770b089b1c9d6bcaa

    SHA1

    8f7ab68589cdf1d18c7f1176c620edbaea8ccbca

    SHA256

    420b3717e14fe7537d3672caa622a084532eb453e249d6d121766da6f35fd01e

    SHA512

    7c79513a80ae68076f21402117aa0f28755f64fdb36038cc1cf7c6e4144fc5de7bea1fc277f6c48baf81d009e936c7f321be23bc80586d9afdd83edbfd778645

    Download Submit

  • \Users\tazebama.dll
    Filesize

    32KB

    MD5

    b6a03576e595afacb37ada2f1d5a0529

    SHA1

    d598d4d0e70dec2ffa2849edaeb4db94fedcc0b8

    SHA256

    1707eaf60aa91f3791aa5643bfa038e9d8141878d61f5d701ebac51f4ae7aaad

    SHA512

    181b7cc6479352fe2c53c3630d45a839cdeb74708be6709c2a75847a54de3ffc1fdac8450270dde7174ecb23e5cb002f8ce39032429a3112b1202f3381b8918c

    Download Submit

  • memory/1744-13-0x0000000000403000-0x000000000040F000-memory.dmp

    Filesize

    48KB

    Download

  • memory/1744-11-0x00000000003D0000-0x00000000003E8000-memory.dmp

    Filesize

    96KB

    Download

  • memory/1744-12-0x00000000003D0000-0x00000000003E8000-memory.dmp

    Filesize

    96KB

    Download

  • memory/1744-0-0x0000000000400000-0x0000000000434000-memory.dmp

    Filesize

    208KB

    Download

  • memory/1744-55-0x0000000000400000-0x0000000000434000-memory.dmp

    Filesize

    208KB

    Download

  • memory/1744-56-0x00000000003D0000-0x00000000003E8000-memory.dmp

    Filesize

    96KB

    Download

  • memory/2452-15-0x0000000000400000-0x0000000000418000-memory.dmp

    Filesize

    96KB

    Download

  • memory/2452-57-0x0000000000400000-0x0000000000418000-memory.dmp

    Filesize

    96KB

    Download