Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

7

eab4ea5c7e...18.exe

windows7-x64

7

eab4ea5c7e...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    141s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/09/2024, 05:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    eab4ea5c7ebd0271f2f8b0e27ec91961_JaffaCakes118.exe

  • Size

    3.5MB

  • MD5

    eab4ea5c7ebd0271f2f8b0e27ec91961

  • SHA1

    3ecad10c9de1c5f5ef8eb10c95af01f69f61edae

  • SHA256

    b4ed6d871e7ba08ec4c99e0923268f531c14da34b4c178e0740f2c1e8a204fcb

  • SHA512

    0da3644baf6a5b1fe50e48e6de694216f80a125be02aaa18dba1f454bb85e88ce04f8dd23321e609113f5c45671823752930d02e26e37c61e4eb0b3e1ef3d9a9

  • SSDEEP

    98304:2mGJ64NQWdEB+x28el/WRv0BJC6eypFOKdNVPstYyShZvp+76J4:2mYnU+08ecWCHOFOKdDUtlmyZ

Score
7/10
discoverypersistenceupx

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 7 IoCs
  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Creates a Windows Service
    persistence
  • Drops file in System32 directory 12 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies data under HKEY_USERS 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\eab4ea5c7ebd0271f2f8b0e27ec91961_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\eab4ea5c7ebd0271f2f8b0e27ec91961_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3140
    • C:\Users\Admin\AppData\Local\Temp\Temp\SD1.4.0.672_Setup.exe
      "C:\Users\Admin\AppData\Local\Temp\Temp\SD1.4.0.672_Setup.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:5076
      • C:\Users\Admin\AppData\Local\Temp\7z7BFE73D4\Setup.exe
        C:\Users\Admin\AppData\Local\Temp\7z7BFE73D4\Setup.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2240
        • C:\Users\Admin\AppData\Local\Temp\7z7BFE73D4\Setup_x64.exe
          "C:\Users\Admin\AppData\Local\Temp\7z7BFE73D4\Setup_x64.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4640
          • C:\Users\Admin\AppData\Local\Temp\7z782DB220\Setup.exe
            C:\Users\Admin\AppData\Local\Temp\7z782DB220\Setup.exe
            5⤵
            • Executes dropped EXE
            • Enumerates connected drives
            • Suspicious use of SetWindowsHookEx
            PID:1376
    • C:\Users\Admin\AppData\Local\Temp\Temp\QQ.exe
      "C:\Users\Admin\AppData\Local\Temp\Temp\QQ.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:3432
  • C:\Program Files (x86)\Microsoft Auqauy\Esseeg.exe
    "C:\Program Files (x86)\Microsoft Auqauy\Esseeg.exe"
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:5024
    • C:\Program Files (x86)\Microsoft Auqauy\Esseeg.exe
      "C:\Program Files (x86)\Microsoft Auqauy\Esseeg.exe" Win7
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies data under HKEY_USERS
      • Suspicious use of SetWindowsHookEx
      PID:1344

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\7z782DB220\Setup.exe
    Filesize

    906KB

    MD5

    4cd89312146f921fd08d5f285852023b

    SHA1

    56eb14ebe14f367a69084a79943e4f74eb8d5b2d

    SHA256

    d632e9d4875b1bdeeddcb1b87cc459b50089db100306ab9303b763d1ec4a9593

    SHA512

    1a6af621aa617d690e73f986c3801ce6f70ad3509c8763f5c80c502d57c46bf37c7990c997846558ce590ce41ba54e7f5a95faf51ed4d32200e4ab90fe4ad25b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\7z7BFE73D4\Setup.exe
    Filesize

    114KB

    MD5

    b453cd30e5a8883f2f88856fef990abd

    SHA1

    6a0fc0a9d41837c04fe9b3f1f4094677d86f6c0a

    SHA256

    e0682dae2bbc0a3a77238cab0a17a4b1831238a4ed5ea9504617aa8b0cc0b2cb

    SHA512

    12938a16537622a8cf1ebb1e8c45e099e408fe4e6e3fe369137d794237e4930f6c65a551f25175f5b6502a8868316686212dc3303be950518c53e0bd260113ed

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\7z7BFE73D4\Setup_x64.exe
    Filesize

    2.1MB

    MD5

    ccf8d4eec6390047289b31806535829b

    SHA1

    b4f90305821e9adc4b72c0b25591ec8b42437565

    SHA256

    de18d093fdd684c4a0fea28d74c3902f0f70297ce4b23a671fc8a3f5d2319703

    SHA512

    3776e59f351e6a7c11d6bce450c5d40770cefe977a09af30367be9aebae30211058644026b509dd9c075bda1fc98469d07d5b949981df7e86e615296667a0ac8

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Temp\QQ.exe
    Filesize

    208KB

    MD5

    6677db1cde1b22640181e907c75c12e1

    SHA1

    5abd23d739e99e411dec8f7f6a4b931491170c53

    SHA256

    c98c15e681d7f7e0e06173560476a5a8546699dfc8f85c505a794423076247af

    SHA512

    40073ce2715ff28eeaa521365804f0bb8c864f930f026b8528f619ca58d9febdf5f7e1088ce9139343294afbc650523501f81064c32fd40f21a26f4ed7dbdefe

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Temp\SD1.4.0.672_Setup.exe
    Filesize

    3.3MB

    MD5

    d948dd85b8edb5391a5e04e274533558

    SHA1

    775aa63441a1ad26699b33bb8646006376fbdf35

    SHA256

    b4e7960ef248b8a35f8cd33962dae252e33d177822c9e8dbf40fdfbfe9e2e850

    SHA512

    34720a095d22733c57c47f5b37ff7171c9cf1c1654d9c759640baa84cca3f77cae032706d323363c25421c959decb49cd441dcada30195bc0cacce1281f06d61

    Download Submit

  • memory/1344-92-0x0000000000400000-0x0000000000492000-memory.dmp

    Filesize

    584KB

    Download

  • memory/1344-84-0x0000000000400000-0x0000000000492000-memory.dmp

    Filesize

    584KB

    Download

  • memory/1376-90-0x0000000140000000-0x00000001400E9000-memory.dmp

    Filesize

    932KB

    Download

  • memory/1376-79-0x0000000140000000-0x00000001400E9000-memory.dmp

    Filesize

    932KB

    Download

  • memory/3140-25-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/3140-0-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/3432-32-0x0000000010000000-0x000000001000F000-memory.dmp

    Filesize

    60KB

    Download

  • memory/3432-83-0x0000000000400000-0x0000000000492000-memory.dmp

    Filesize

    584KB

    Download

  • memory/3432-23-0x0000000000400000-0x0000000000492000-memory.dmp

    Filesize

    584KB

    Download

  • memory/5024-89-0x0000000000400000-0x0000000000492000-memory.dmp

    Filesize

    584KB

    Download