Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

fbecaa43ac...18.exe

windows7-x64

10

fbecaa43ac...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28/09/2024, 08:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fbecaa43ac450bf17b689d0707f341bf_JaffaCakes118.exe

  • Size

    78KB

  • MD5

    fbecaa43ac450bf17b689d0707f341bf

  • SHA1

    c200ce005761304797a78e958c24180af6ad6a4b

  • SHA256

    bec83c3e7d62b03c97a513743815fb8958fcbc9a95c707a87486732bb361f964

  • SHA512

    8f7d1fc716c1d21b9238b7564acc5083ab6b768464d17f6aaaf0e996866d6571396a3b9bc77d922cf39711f3298f002d3d75d50daa356dcf90cfbdbce1bb3e96

  • SSDEEP

    1536:dZ78xGwt6pv1aD0sTeVtYe1R3dDtqQm47I+8VSdh65CnlEet93ORqw:dZ7KGwt4dAXi3dBHm47IjtZAoRqw

Score
10/10
discoveryevasion

Malware Config

Signatures

  • Modifies security service 2 TTPs 22 IoCs
    evasion
  • Executes dropped EXE 10 IoCs
  • Drops file in System32 directory 22 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 33 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Runs .reg file with regedit 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fbecaa43ac450bf17b689d0707f341bf_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\fbecaa43ac450bf17b689d0707f341bf_JaffaCakes118.exe"
    1⤵
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4644
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c c:\a.bat
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4764
      • C:\Windows\SysWOW64\regedit.exe
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        3⤵
        • Modifies security service
        • System Location Discovery: System Language Discovery
        • Runs .reg file with regedit
        PID:3424
    • C:\Windows\SysWOW64\nod32i.exe
      C:\Windows\system32\nod32i.exe 1016 "C:\Users\Admin\AppData\Local\Temp\fbecaa43ac450bf17b689d0707f341bf_JaffaCakes118.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2676
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c c:\a.bat
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3084
        • C:\Windows\SysWOW64\regedit.exe
          REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
          4⤵
          • Modifies security service
          • System Location Discovery: System Language Discovery
          • Runs .reg file with regedit
          PID:1028
      • C:\Windows\SysWOW64\nod32i.exe
        C:\Windows\system32\nod32i.exe 1172 "C:\Windows\SysWOW64\nod32i.exe"
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:432
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c c:\a.bat
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1724
          • C:\Windows\SysWOW64\regedit.exe
            REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
            5⤵
            • Modifies security service
            • System Location Discovery: System Language Discovery
            • Runs .reg file with regedit
            PID:5000
        • C:\Windows\SysWOW64\nod32i.exe
          C:\Windows\system32\nod32i.exe 1144 "C:\Windows\SysWOW64\nod32i.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2312
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c c:\a.bat
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4384
            • C:\Windows\SysWOW64\regedit.exe
              REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
              6⤵
              • Modifies security service
              • System Location Discovery: System Language Discovery
              • Runs .reg file with regedit
              PID:4624
          • C:\Windows\SysWOW64\nod32i.exe
            C:\Windows\system32\nod32i.exe 1140 "C:\Windows\SysWOW64\nod32i.exe"
            5⤵
            • Executes dropped EXE
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:760
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c c:\a.bat
              6⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:3480
              • C:\Windows\SysWOW64\regedit.exe
                REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                7⤵
                • Modifies security service
                • System Location Discovery: System Language Discovery
                • Runs .reg file with regedit
                PID:1396
            • C:\Windows\SysWOW64\nod32i.exe
              C:\Windows\system32\nod32i.exe 1148 "C:\Windows\SysWOW64\nod32i.exe"
              6⤵
              • Executes dropped EXE
              • Drops file in System32 directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:2432
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c c:\a.bat
                7⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:544
                • C:\Windows\SysWOW64\regedit.exe
                  REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                  8⤵
                  • Modifies security service
                  • System Location Discovery: System Language Discovery
                  • Runs .reg file with regedit
                  PID:2628
              • C:\Windows\SysWOW64\nod32i.exe
                C:\Windows\system32\nod32i.exe 1152 "C:\Windows\SysWOW64\nod32i.exe"
                7⤵
                • Executes dropped EXE
                • Drops file in System32 directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:220
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c c:\a.bat
                  8⤵
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of WriteProcessMemory
                  PID:1400
                  • C:\Windows\SysWOW64\regedit.exe
                    REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                    9⤵
                    • Modifies security service
                    • System Location Discovery: System Language Discovery
                    • Runs .reg file with regedit
                    PID:912
                • C:\Windows\SysWOW64\nod32i.exe
                  C:\Windows\system32\nod32i.exe 1156 "C:\Windows\SysWOW64\nod32i.exe"
                  8⤵
                  • Executes dropped EXE
                  • Drops file in System32 directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of WriteProcessMemory
                  PID:4456
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c c:\a.bat
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:1944
                    • C:\Windows\SysWOW64\regedit.exe
                      REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                      10⤵
                      • Modifies security service
                      • System Location Discovery: System Language Discovery
                      • Runs .reg file with regedit
                      PID:5088
                  • C:\Windows\SysWOW64\nod32i.exe
                    C:\Windows\system32\nod32i.exe 1160 "C:\Windows\SysWOW64\nod32i.exe"
                    9⤵
                    • Executes dropped EXE
                    • Drops file in System32 directory
                    • System Location Discovery: System Language Discovery
                    PID:4704
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c c:\a.bat
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:5000
                      • C:\Windows\SysWOW64\regedit.exe
                        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                        11⤵
                        • Modifies security service
                        • System Location Discovery: System Language Discovery
                        • Runs .reg file with regedit
                        PID:1624
                    • C:\Windows\SysWOW64\nod32i.exe
                      C:\Windows\system32\nod32i.exe 1164 "C:\Windows\SysWOW64\nod32i.exe"
                      10⤵
                      • Executes dropped EXE
                      • Drops file in System32 directory
                      • System Location Discovery: System Language Discovery
                      PID:4988
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c c:\a.bat
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:5064
                        • C:\Windows\SysWOW64\regedit.exe
                          REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                          12⤵
                          • Modifies security service
                          • System Location Discovery: System Language Discovery
                          • Runs .reg file with regedit
                          PID:5084
                      • C:\Windows\SysWOW64\nod32i.exe
                        C:\Windows\system32\nod32i.exe 1168 "C:\Windows\SysWOW64\nod32i.exe"
                        11⤵
                        • Executes dropped EXE
                        • Drops file in System32 directory
                        • System Location Discovery: System Language Discovery
                        PID:4860
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c c:\a.bat
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:3084
                          • C:\Windows\SysWOW64\regedit.exe
                            REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                            13⤵
                            • Modifies security service
                            • System Location Discovery: System Language Discovery
                            • Runs .reg file with regedit
                            PID:4992

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize

    2KB

    MD5

    e6d8af5aed642209c88269bf56af50ae

    SHA1

    633d40da997074dc0ed10938ebc49a3aeb3a7fc8

    SHA256

    550abc09abce5b065d360dfea741ab7dd8abbe2ea11cd46b093632860775baec

    SHA512

    6949fc255c1abf009ecbe0591fb6dbfd96409ee98ae438dbac8945684ccf694c046d5b51d2bf7679c1e02f42e8f32e8e29a9b7bdbc84442bec0497b64dfa84cf

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize

    3KB

    MD5

    558e454bc2d99d7949719cf24f540dd2

    SHA1

    e9c772bcee4ae780cdc28b0b4876385639e59b39

    SHA256

    677ec2cfe2ae99352aa12ac658d01a7bb0b51cf3cd2c568e94a78754326ca43a

    SHA512

    5bb10dcf81ccab0b7e2274d3ccdbda5a38014576096fef71725cfa6e16a4bfd29f481f3bc5ad15426fb9918eeca67fff11291a88caf10974433214674c1c1b64

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize

    1KB

    MD5

    748bce4dacebbbd388af154a1df22078

    SHA1

    0eeeb108678f819cd437d53b927feedf36aabc64

    SHA256

    1585c9ef77c37c064003bd746cd0a8da2523c99a10c3fb6eabd546e2a343646a

    SHA512

    d9756851b4aa1108416b7a77f0c6b84b599d695850d704a094a1f83b322d892ab6706001d5322e876b93935b830bcb52a951b4c69004ea2be338f64b85be2ea1

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize

    1KB

    MD5

    a437192517c26d96c8cee8d5a27dd560

    SHA1

    f665a3e5e5c141e4527509dffd30b0320aa8df6f

    SHA256

    d0ec3ddd0503ee6ddae52c33b6c0b8780c73b8f27ca3aadc073f7fa512702e23

    SHA512

    f9538163b6c41ff5419cb12a9c103c0da5afbfe6237317985d45ff243c4f15ee89a86eab2b4d02cbda1a14596d2f24d3d1cdf05bb3e5fd931fbe9be4b869aa41

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize

    3KB

    MD5

    9e5db93bd3302c217b15561d8f1e299d

    SHA1

    95a5579b336d16213909beda75589fd0a2091f30

    SHA256

    f360fb5740172b6b4dd59c1ac30b480511665ae991196f833167e275d91f943e

    SHA512

    b5547e5047a3c43397ee846ff9d5979cba45ba44671db5c5df5536d9dc26262e27a8645a08e0cf35960a3601dc0f6f5fe8d47ae232c9ca44d6899e97d36fb25a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize

    1KB

    MD5

    895301bce84d6fe707b5cfd50f1f9f97

    SHA1

    50a012f59655621768f624c4571654145663c042

    SHA256

    b2c6435e83784b85e7f4bdd4568bd954029caac9f5795e3111ae75db0f9874d4

    SHA512

    a75188afa7c01959bcbf7b832d92d0134072eecd3dd58d6179bc626024d4c9593cadc5cf9ab00deb3824853df003a0a73c84b60cefbdcb6944d216534ea7ffc4

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize

    1KB

    MD5

    2299014e9ce921b7045e958d39d83e74

    SHA1

    26ed64f84417eb05d1d9d48441342ca1363084da

    SHA256

    ee2b1a70a028c6d66757d68a847b4631fc722c1e9bfc2ce714b5202f43ec6b57

    SHA512

    0a1922752065a6ab7614ca8a12d5d235dfb088d3759b831de51124894adae79637713d7dee2eb87668fa85e37f3ba00d85a727a7ba3a6301fbf1d47f80c6a08f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize

    2KB

    MD5

    5da7efcc8d0fcdf2bad7890c3f8a27ca

    SHA1

    681788d5a3044eee8426d431bd786375cd32bf13

    SHA256

    7f142c13b7039582d0f10df0271f0e1feea35760a92bf0c5034f444066c92df8

    SHA512

    6e3281f2350c524f9c24ab4455d4c5a109875ead35a35aba3c085d90f99cbc64c6645dfcb805d7a5e670869e67feb481a655305236be8d716347a7c4696a358b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize

    2KB

    MD5

    5575ef034e791d4d3b09da6c0c4ee764

    SHA1

    50a0851ddf4b0c4014ad91f976e953baffe30951

    SHA256

    9697ec584ef188873daa789eb779bb95dd3efa2c4c98a55dffa30cac4d156c14

    SHA512

    ecf52614d3a16d8e558751c799fde925650ef3e6d254d172217e1b0ed76a983d45b74688616d3e3432a16cec98b986b17eaecd319a18df9a67e4d47f17380756

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize

    851B

    MD5

    a13ff758fc4326eaa44582bc9700aead

    SHA1

    a4927b4a3b84526c5c42a077ade4652ab308f83f

    SHA256

    c0915178e63bf84c54e9c942b5cc80327c24d84125042767d7e1e2ef3e004588

    SHA512

    86c336086a1d0ca689e133df8e3c3ec83eeef86649dbf8b9d367c3e543358ad54f69d1a20d56c56200e294f22b2741186db0f359051159b4e670d3e9b5861842

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize

    2KB

    MD5

    294976e85ad11a45853f99c1b208723f

    SHA1

    8d83101d69420b5af97ec517165d849d3ab498fc

    SHA256

    04fe02d621f3d9853840b27476da4a191fc91592a77632f9cf85d4ef0370acff

    SHA512

    e8193036e0e411afe75c1e23f9ce1a7f32d1297706cdd0d99c20375dd7a2bdfb23cc550015852f36816668f0d085042afe74fcfff294f90854ea70f3b929a9d6

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize

    2KB

    MD5

    d5e129352c8dd0032b51f34a2bbecad3

    SHA1

    a50f8887ad4f6a1eb2dd3c5b807c95a923964a6a

    SHA256

    ebdaad14508e5ba8d9e794963cf35bd51b7a92b949ebf32deef254ab9cdd6267

    SHA512

    9a3aa2796657c964f3c3ff07c8891533a740c86e8b0bebb449b5a3e07e1248d0f6608e03d9847caf1c8bff70392d15474f2954349869d92658108515df6831c2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize

    2KB

    MD5

    f8a9a1aa9bab7821d25ae628e6d04f68

    SHA1

    c3e7a9ccc9805ae94aabfd16e2cb461fde3fae5a

    SHA256

    76ee7c489d11427af94d0334368ef2ed44df4a74984ffd4022c9ea9fae9c41fb

    SHA512

    0fb3a29367fa3c3eb36c6a7e9ff217ccdd7cce18309964aa7068a00f500ea4ea49588344ebbc52ae77d83e5042c3fdb84f56fa1dae07b8bb774aed6fffd18c0a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize

    1KB

    MD5

    5002319f56002f8d7ceacecf8672ce25

    SHA1

    3b26b6801be4768cc7582e29bc93facdf2a74be3

    SHA256

    f23f4854d17525744e8028db6dde6eb7d5d664b0ee1b08870c9c01b639e0124c

    SHA512

    8eae0fabc7f5a7e452abacf988a3632874c556af409da5e60c5e529524732b40f22d4e1d860ccceae87642875c819fc8a8120eceaabd25861f920c8c066a9aef

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize

    849B

    MD5

    558ce6da965ba1758d112b22e15aa5a2

    SHA1

    a365542609e4d1dc46be62928b08612fcabe2ede

    SHA256

    c11beaac10a5e00391ef4b41be8c240f59c5a2dc930aead6d7db237fcd2641fb

    SHA512

    37f7f10c3d201b11cc5224ae69c5990eb33b4430c601d3c21f6bec9323621120442e0cfa49e1f4eda459ea4ac750277e446dca78b9e44c1445bd891e4e460b5c

    Download Submit

  • C:\Windows\SysWOW64\nod32i.exe
    Filesize

    78KB

    MD5

    fbecaa43ac450bf17b689d0707f341bf

    SHA1

    c200ce005761304797a78e958c24180af6ad6a4b

    SHA256

    bec83c3e7d62b03c97a513743815fb8958fcbc9a95c707a87486732bb361f964

    SHA512

    8f7d1fc716c1d21b9238b7564acc5083ab6b768464d17f6aaaf0e996866d6571396a3b9bc77d922cf39711f3298f002d3d75d50daa356dcf90cfbdbce1bb3e96

    Download Submit

  • \??\c:\a.bat
    Filesize

    5KB

    MD5

    0019a0451cc6b9659762c3e274bc04fb

    SHA1

    5259e256cc0908f2846e532161b989f1295f479b

    SHA256

    ce4674afd978d1401596d22a0961f90c8fb53c5bd55649684e1a999c8cf77876

    SHA512

    314c23ec37cb0cd4443213c019c4541df968447353b422ef6fff1e7ddf6c983c80778787408b7ca9b81e580a6a7f1589ca7f43c022e6fc16182973580ed4d904

    Download Submit