Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

ef871e5764...18.exe

windows7-x64

7

ef871e5764...18.exe

windows10-2004-x64

5

Analysis

  • max time kernel
    143s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    21/09/2024, 09:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ef871e57648e41d689ec183bbb284aeb_JaffaCakes118.exe

  • Size

    150KB

  • MD5

    ef871e57648e41d689ec183bbb284aeb

  • SHA1

    16b22129e7539103a86e098d1386c65b21c343e8

  • SHA256

    7dd6fb56478fb16407bc2ae78c4f8f9af67b5f6af08d03ab615f0525f7f26b53

  • SHA512

    9a7d94e4c0e460e7fd47f8cbbe069b483f9df0ab85808ce49b5e4778e45a84c4819dac8167afa65b55850bd9b5ca58036b5b4c9129d2030d8415983ae34a35e4

  • SSDEEP

    3072:tL24ZN+vUASh/z1eITA1AcSg8o5ezHFO2fqt5XTBKCqJmzwBVL:t62+0sITA6zq54HHfsBTB1q0c

Score
7/10
discovery

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 34 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\system32\csrss.exe
    %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
    1⤵
    • Executes dropped EXE
    • Drops desktop.ini file(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:332
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:852
  • C:\Users\Admin\AppData\Local\Temp\ef871e57648e41d689ec183bbb284aeb_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\ef871e57648e41d689ec183bbb284aeb_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2420
    • C:\Windows\explorer.exe
      00000080*
      2⤵
      • Deletes itself
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2764

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\system32\consrv.DLL
    Filesize

    52KB

    MD5

    c7570a7e24b29ee04a48c2c99da2587b

    SHA1

    b6e3635a8de44b1635e8d362ac131e14281feb24

    SHA256

    717cd7661c09701ee39c505d8b604ea3dd6c1151ef18e7ed1cab3832552ac34b

    SHA512

    57479d2f5386ace8cc5e5ed543e6ad2c2b7b58accc849807d804a8cf0d03080f328f7b42442422fa1483a01ad473ca302f9eca97b9eb24e699e22db56641c572

    Download Submit

  • \??\globalroot\systemroot\assembly\temp\@
    Filesize

    2KB

    MD5

    d342acaf1d47450dd2f065bb0511591b

    SHA1

    cf9626de13a8b14b2f026722eeba52af83b367c5

    SHA256

    ea5d5e5062070b7aafea9191d07c542583bc69c6122224a43b1191329b056edf

    SHA512

    cc77008befc286d945a22e3a39328aad4da59a42b13d79ead162a8e772fcff88ffaaf549c44644ea56a8a74a138cee3f65660fc35287371991bf015d90abf6f9

    Download Submit

  • memory/332-27-0x0000000000E60000-0x0000000000E72000-memory.dmp

    Filesize

    72KB

    Download

  • memory/332-23-0x0000000000E60000-0x0000000000E72000-memory.dmp

    Filesize

    72KB

    Download

  • memory/332-24-0x0000000000E60000-0x0000000000E72000-memory.dmp

    Filesize

    72KB

    Download

  • memory/852-41-0x0000000000BE0000-0x0000000000BEB000-memory.dmp

    Filesize

    44KB

    Download

  • memory/852-38-0x0000000000BE0000-0x0000000000BEB000-memory.dmp

    Filesize

    44KB

    Download

  • memory/852-47-0x00000000003A0000-0x00000000003A8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/852-48-0x0000000000BE0000-0x0000000000BEB000-memory.dmp

    Filesize

    44KB

    Download

  • memory/852-29-0x0000000000BD0000-0x0000000000BDB000-memory.dmp

    Filesize

    44KB

    Download

  • memory/852-39-0x00000000003A0000-0x00000000003A8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/852-37-0x0000000000BD0000-0x0000000000BDB000-memory.dmp

    Filesize

    44KB

    Download

  • memory/852-33-0x0000000000BD0000-0x0000000000BDB000-memory.dmp

    Filesize

    44KB

    Download

  • memory/2420-2-0x0000000000400000-0x0000000000443000-memory.dmp

    Filesize

    268KB

    Download

  • memory/2420-3-0x0000000000400000-0x0000000000443000-memory.dmp

    Filesize

    268KB

    Download

  • memory/2420-0-0x0000000000400000-0x0000000000443000-memory.dmp

    Filesize

    268KB

    Download

  • memory/2420-4-0x0000000000400000-0x0000000000443000-memory.dmp

    Filesize

    268KB

    Download

  • memory/2420-1-0x0000000000403000-0x0000000000404000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2764-12-0x0000000000130000-0x0000000000149000-memory.dmp

    Filesize

    100KB

    Download

  • memory/2764-17-0x0000000000130000-0x0000000000149000-memory.dmp

    Filesize

    100KB

    Download

  • memory/2764-5-0x0000000000060000-0x0000000000075000-memory.dmp

    Filesize

    84KB

    Download

  • memory/2764-7-0x0000000000130000-0x0000000000149000-memory.dmp

    Filesize

    100KB

    Download