Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    13/09/2024, 16:36 UTC

General

  • Target

    de7e7a22b366757c46516465ea6df14b_JaffaCakes118.exe

  • Size

    496KB

  • MD5

    de7e7a22b366757c46516465ea6df14b

  • SHA1

    895db3dca07a4e7367a2e630903d6d363c759902

  • SHA256

    4fc46648cab12a5cbc3357321aa32b0148e8ebef7834f7303b97419dd747cffc

  • SHA512

    f65339cf8eff20433d3b6f9549bcf2da2a067e077ed3cbd87654e4ff7ad13d7f0c72249f9049dc973eb85b00b11b381e6c3300fac292e70f2de9c5062c87494d

  • SSDEEP

    12288:C0H5QI+2yR8PkGIHKJZOSwFykiQmlHSAca3zhSZkL/GDFnSoY:C0H5QeyR8PkGIHKbOSwFliSRadekASo

Malware Config

Extracted

Family

metasploit

Version

encoder/fnstenv_mov

Signatures

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

  • Deletes itself 1 IoCs
  • Themida packer 2 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\de7e7a22b366757c46516465ea6df14b_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\de7e7a22b366757c46516465ea6df14b_JaffaCakes118.exe"
    1⤵
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2276
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\DE7E7A~1.EXE > NUL
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2840

Network

MITRE ATT&CK Enterprise v15

Downloads

  • memory/2276-0-0x0000000000400000-0x0000000000487000-memory.dmp

    Filesize

    540KB

  • memory/2276-1-0x0000000000401000-0x0000000000408000-memory.dmp

    Filesize

    28KB

  • memory/2276-3-0x0000000000400000-0x0000000000487000-memory.dmp

    Filesize

    540KB
