Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21/09/2024, 15:58

General

  • Target

    f02305330f50171aea1d900fdd34144a_JaffaCakes118.exe

  • Size

    76KB

  • MD5

    f02305330f50171aea1d900fdd34144a

  • SHA1

    67ae2532c017f9f29af6222a9d4fb03eb1a9469f

  • SHA256

    cba944cc84411c39ab131dbd0d0ba22d3056218ef853f539f053b634a896168f

  • SHA512

    2cfebed5d1fdb5ac341b0f0c3a329f3ecade064a844be91a6520ebfa12d7f3bf8be7b1bc7532a5edce9bd776c8f2c9debe59cd854bb5b2077bf829f977bffba0

  • SSDEEP

    768:PgRh4wyVqzzpZbvoJF9uR6/DmKKl4aNxvIaiYHaeXJR3GZKyy83Nu4iEMlzr:PgRh4wyVOby+RqKBI5bgGQyy89u4i/

Malware Config

Signatures

  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f02305330f50171aea1d900fdd34144a_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\f02305330f50171aea1d900fdd34144a_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4112
    • C:\Program Files (x86)\Online Add-on\icthis.exe
      "C:\Program Files (x86)\Online Add-on\icthis.exe"
      2⤵
      • Adds policy Run key to start application
      • Executes dropped EXE
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:408
      • C:\Program Files (x86)\Online Add-on\icmntr.exe
        "C:\Program Files (x86)\Online Add-on\icmntr.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:3188
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_off0.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1252

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\Online Add-on\icmntr.exe

    Filesize

    7KB

    MD5

    e5f850e25e250fbc87103f3eee25b1b4

    SHA1

    4ff3917b536f7c26a9ee51cd250fc30be21717e6

    SHA256

    1be0d6ca5da55f6e7f267c1acf23cfc1a527860c531fc673463fcbbcace93761

    SHA512

    2316954836f147327f10d8fdcb09192f26124f90482f443f0c05dcb3bddd4da6504496cb606d1ff30f376e4ee0f88260fc083014022076d8503f008ed2fa831f

  • C:\Program Files (x86)\Online Add-on\icthis.exe

    Filesize

    30KB

    MD5

    fb82652619fcc34ab4ff8e765f92eaee

    SHA1

    2534930fba03e3dbd7548499d6177e41f57632eb

    SHA256

    75e31e45e208bc67966789225744e1daeddd8772b731c1d1a6ee16a17e215bdf

    SHA512

    6cd3d8a36afee077b8bce695dde89e56cd02a24c9ac7c6e499ea58d8c0ca98b060d33785540f1913036f10a8f7049687b138f6367c793355287493b1b8ca4054

  • C:\Users\Admin\AppData\Local\Temp\_off0.bat

    Filesize

    302B

    MD5

    a6edeb26f4fda6f21dbe0cf682fd2289

    SHA1

    5aee3dd87eaebd696ac6aeb3f8f207abc4638db0

    SHA256

    cde6a1475402cd6fe9460069591e614ac9514b2cdfdc761d8459c1ead03870bd

    SHA512

    9cf587ac5741bf1d61ee1e91a26504f82c7b807a92f610036fd463ea104eb1e2affddbbcd893987b6ae4b6a93589a664e8e9caa4592ec4eadb589ffee1c555e7

  • memory/3188-7-0x0000000000400000-0x0000000000408000-memory.dmp

    Filesize

    32KB

  • memory/3188-14-0x0000000000400000-0x0000000000408000-memory.dmp

    Filesize

    32KB