Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240910-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240910-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25/09/2024, 09:11

General

  • Target

    f5acf31c5f763e0a4747106ba8ed8969_JaffaCakes118.exe

  • Size

    385KB

  • MD5

    f5acf31c5f763e0a4747106ba8ed8969

  • SHA1

    62559ed2f44d2899fba04e814f3d9298966dab11

  • SHA256

    cdcb185faf0dc11374112bad5bbbefbcf21086d4e168a9bd6c37a5221a5040b8

  • SHA512

    d3c597e541a1aca46d022d9babc330591eaf88af33e1404ee0d9ef8c3ac1190bc2d629f58bb218ebfa5034c4878ca9b39eda315fe9002edfc4f56bb23eb4a69c

  • SSDEEP

    12288:7kWAehJuqT4qkn6Hv12hgbUNKMUGJsIHATYeX:7kWAAuqkqTzcKMU4nHC

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 5 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 47 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f5acf31c5f763e0a4747106ba8ed8969_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\f5acf31c5f763e0a4747106ba8ed8969_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4676
    • C:\Users\Admin\AppData\Local\Temp\wanst.exe
      "C:\Users\Admin\AppData\Local\Temp\wanst.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3140
      • C:\Users\Admin\AppData\Local\Temp\i.exe
        "C:\Users\Admin\AppData\Local\Temp\i.exe" -pwr
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2464
        • C:\Users\Admin\AppData\Local\Temp\f.exe
          "C:\Users\Admin\AppData\Local\Temp\f.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:908
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
            C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
            5⤵
            • System Location Discovery: System Language Discovery
            PID:684
          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\webengine.exe
            "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\webengine.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:5000
            • C:\Users\Admin\AppData\Local\Temp\MSBuild.exe
              "C:\Users\Admin\AppData\Local\Temp\MSBuild.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:964
              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
                C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
                7⤵
                • System Location Discovery: System Language Discovery
                PID:4896
        • C:\Users\Admin\AppData\Local\Temp\cres.exe
          "C:\Users\Admin\AppData\Local\Temp\cres.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:3964
    • C:\Users\Admin\AppData\Local\Temp\tibiacast_3_0_38.exe
      "C:\Users\Admin\AppData\Local\Temp\tibiacast_3_0_38.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3260

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\cres.exe

    Filesize

    44KB

    MD5

    7d0c385b70aaf0cc90753409ef113763

    SHA1

    1d9c314fda8e10b144d5a99bb7a1c4be1b51be7d

    SHA256

    67bcb70ec124d342f1581114d0368fead96158a148cf8da05c0207f404fb4a7b

    SHA512

    5efd3ce53d7445423fe7b0ade2080a7cdf79e42b6fe01871be623833394f41607c874b05a8bef0b792d934e24413a3f89aaebc648294c35668d30c5d07f9ebee

  • C:\Users\Admin\AppData\Local\Temp\f.exe

    Filesize

    98KB

    MD5

    df69062cc95628560fe90f40759be1f1

    SHA1

    ec1dfb0ca85753129e8bab94d83137ab70eb5bea

    SHA256

    aa798d45ed5c948fef634e0a8fe1893ca1f68569a52b41bf4152231b334ea382

    SHA512

    2d87b6e753bc5b94590d02c35504aef1b95d6c9db866bcdee738a7c2f10fd68370f80b07c75ed285e5c3da9c77f46f0b6f7b8f69316856a1f75f8a172af40aa1

  • C:\Users\Admin\AppData\Local\Temp\i.exe

    Filesize

    183KB

    MD5

    50f5edc93e9565a0dcc86a1b1bbf22df

    SHA1

    158af3b4d8a442e9b3778f01d4ae8f8ea92783c9

    SHA256

    bb7e3f6c0ebe2720e2e79bc9a6972aec7722a48807799d7b76282e36dfd54182

    SHA512

    7ba6c28261d3f26894121f1fb670cce16df99a8c91fc796c3ca0c9c8df91475d4f3ffc9dcb08d2611f6881a86f75120abec3ceb394011d2ae61cdb3b7e013af1

  • C:\Users\Admin\AppData\Local\Temp\tibiacast_3_0_38.exe

    Filesize

    257KB

    MD5

    bccdae521b71140a50bf633cb184e801

    SHA1

    db01324fd4b3fe558a70f740465a1605e0fd14aa

    SHA256

    d7570dfba348316b29f21ccd4e33ad2611869b2278cc3965cc66e4866f1bf993

    SHA512

    6547a63f7e7c1a66dd507fe1bc6cc6b03a9df15f5e3ab371ce95dbaf45dbc70a748927cabdfe3a2ca3427b8e99d9dbd7c0f5bd6ee9a0ef3f58bd594d058d56ab

  • C:\Users\Admin\AppData\Local\Temp\wanst.exe

    Filesize

    232KB

    MD5

    c3fda9f623a64602ebb02d5cdbc39648

    SHA1

    598d8ebd6a63b405fd80db20457499ddc51c0071

    SHA256

    67a992609c637d8b416734ca1077e975015ab3bcf16f19b375e22c5878be07bc

    SHA512

    b1db4cb2b59d5306da9c4eb8ba091c9e32276046671dce3b9e994acd7e87bbd1a99ca18ed63156f59886f37e0f4a5df6613f2332103b7a952a4e095544f44eaf

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\webengine.exe

    Filesize

    8KB

    MD5

    8117d80b0e093b8a22808439e98f8438

    SHA1

    95e85605a119569be1171e738ab1933d72b4d4ac

    SHA256

    e1d07433984dc20260f212e464fcdd75e0cca098b4c40d9d940ad71995e74699

    SHA512

    bef89879f3b5e3b9a3cad130ef33ca6d9a6b55e0b47dd6c47fd94efb343bf9b5d904bdccc52e2416ac68d12a1077102a2015fd8c9f92defcb83514f0d10e06a3

  • C:\Users\Admin\AppData\Roaming\f0w8uhy98yur9c8qy38cy82yrc280quafu89uya89dh\f0w8uhy98yur9c8qy38cy82yrc280quafu89uya89dh.txt

    Filesize

    29B

    MD5

    af624ec478d796f3e708453ffc23d96a

    SHA1

    5bc437a06da06b6e228590d1c472d51dcfbc2701

    SHA256

    6c2477e2514e0fa35d850996d343c1af9cee9b8b34559f63df403b3df03cbb8a

    SHA512

    8f2dc710c72edbfc01ca3ae706221c0594183819e61d7cf14fbe03e720123694af072100469845bf05849bbd7d983b5933eddc2963a079d607c65c6511384407

  • memory/684-58-0x0000000000400000-0x0000000000413000-memory.dmp

    Filesize

    76KB

  • memory/684-59-0x0000000000400000-0x0000000000413000-memory.dmp

    Filesize

    76KB

  • memory/684-60-0x0000000000400000-0x0000000000413000-memory.dmp

    Filesize

    76KB

  • memory/3260-32-0x0000000073410000-0x00000000739C1000-memory.dmp

    Filesize

    5.7MB

  • memory/3260-28-0x0000000073410000-0x00000000739C1000-memory.dmp

    Filesize

    5.7MB

  • memory/3260-21-0x0000000073412000-0x0000000073413000-memory.dmp

    Filesize

    4KB

  • memory/3260-80-0x0000000073412000-0x0000000073413000-memory.dmp

    Filesize

    4KB

  • memory/3260-81-0x0000000073410000-0x00000000739C1000-memory.dmp

    Filesize

    5.7MB

  • memory/3260-82-0x0000000073410000-0x00000000739C1000-memory.dmp

    Filesize

    5.7MB

  • memory/3964-72-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB