Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

ea3c532579...18.exe

windows7-x64

7

ea3c532579...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    19/09/2024, 00:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ea3c5325797dfbf413281cc20885581b_JaffaCakes118.exe

  • Size

    324KB

  • MD5

    ea3c5325797dfbf413281cc20885581b

  • SHA1

    e218c146cbda11e62f1111db31666c285144d1e5

  • SHA256

    4e8e7dde7d477a8fdc92801a07ad360a0dcb61b9b3b2b94821c5d1939510c50e

  • SHA512

    ec0c7394b50ff431b65dc51d45644f4809d190f6a09883d5b7fc8628cdd9fbcc8a1d506d587f4107b400d65c4fe438d974e71214305dcde29f55b174b5fcbd32

  • SSDEEP

    6144:g0ORT9A65pP1wlYgrN1y6V1X1RonMequ8+my5ET7a8IzYchYfUpDF:VCA65XwlYgrHy6V17kr8+m73a86nzpDF

Score
7/10
discoveryupx

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • UPX packed file 12 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • AutoIT Executable 10 IoCs

    AutoIT scripts compiled to PE executables.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ea3c5325797dfbf413281cc20885581b_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\ea3c5325797dfbf413281cc20885581b_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2088
    • C:\Users\Admin\AppData\Local\Temp\PIserver'.exe
      "C:\Users\Admin\AppData\Local\Temp\PIserver'.exe"
      2⤵
      • Executes dropped EXE
      PID:2564
    • C:\Users\Admin\AppData\Local\Temp\XYZ.exe
      "C:\Users\Admin\AppData\Local\Temp\XYZ.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2808

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Local\Temp\PIserver'.exe
    Filesize

    12KB

    MD5

    9d70a7247f7d47f7a51434da4efe0264

    SHA1

    e27c48bf7e34c7fc86a5899942fdc458024c6d70

    SHA256

    a4fcc801ad1734b1e977e45764fe3197b714a65b965c580d0ed31f7104d96837

    SHA512

    917ef9f6df11f7cef3d692383ca75de56efee5b01a7ebd03cd8165b95e4fb4d491bdb27b51e59ba7b6c9dec08168322a5eb5b0b99e6529091ec80b93facdeb9b

    Download Submit

  • \Users\Admin\AppData\Local\Temp\XYZ.exe
    Filesize

    292KB

    MD5

    0e664fa74e2348b6af56b140b3f43583

    SHA1

    9460d91f80ba9a170b890ea03ea1653ad7a170bf

    SHA256

    d62cc922c2e5aee8621ef61a7ad2ec7ef1e6239ea73844df2d219af53886c140

    SHA512

    bce0e7dcd53cd7acbaa86a68735c0a5e02a3492543d1743cd4db22bc1b2e6bdc4063883d884f9929677061d741a1116f09e15c4eefd6cebf199b4995120c5b75

    Download Submit

  • memory/2088-16-0x0000000003060000-0x00000000030F8000-memory.dmp

    Filesize

    608KB

    Download

  • memory/2808-19-0x0000000000400000-0x0000000000498000-memory.dmp

    Filesize

    608KB

    Download

  • memory/2808-21-0x0000000000400000-0x0000000000498000-memory.dmp

    Filesize

    608KB

    Download

  • memory/2808-22-0x0000000000400000-0x0000000000498000-memory.dmp

    Filesize

    608KB

    Download

  • memory/2808-23-0x0000000000400000-0x0000000000498000-memory.dmp

    Filesize

    608KB

    Download

  • memory/2808-24-0x0000000000400000-0x0000000000498000-memory.dmp

    Filesize

    608KB

    Download

  • memory/2808-25-0x0000000000400000-0x0000000000498000-memory.dmp

    Filesize

    608KB

    Download

  • memory/2808-26-0x0000000000400000-0x0000000000498000-memory.dmp

    Filesize

    608KB

    Download

  • memory/2808-30-0x0000000000400000-0x0000000000498000-memory.dmp

    Filesize

    608KB

    Download

  • memory/2808-31-0x0000000000400000-0x0000000000498000-memory.dmp

    Filesize

    608KB

    Download

  • memory/2808-32-0x0000000000400000-0x0000000000498000-memory.dmp

    Filesize

    608KB

    Download

  • memory/2808-34-0x0000000000400000-0x0000000000498000-memory.dmp

    Filesize

    608KB

    Download