Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

fd0269ca5f...18.exe

windows7-x64

7

fd0269ca5f...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    140s
  • max time network
    130s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28/09/2024, 19:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fd0269ca5f7b66eeb24bf3626e6cd738_JaffaCakes118.exe

  • Size

    3.3MB

  • MD5

    fd0269ca5f7b66eeb24bf3626e6cd738

  • SHA1

    8d170f2efbd12612f020f2580058f156f673b874

  • SHA256

    2e6720122888bbca4d7d9a52e2ff6576a1cd0b228e1e28bb2af95445cfaf48f4

  • SHA512

    627349700d65a1d7c9d0510b2d23144695cf963016e3f9e791e3ad5160d6976f3f6c903f16f34c6f3b9bc1ef11f3792179d7b7dc65de01b1fbed76f4ff3992c3

  • SSDEEP

    49152:Czsy4VsUGTzLUvmqEFKSmCIo5qOC8Ro4SdK5z9rGOT6ixTgFdT+6+jkgNoYs2imF:nzGTzLUOKw21Cz9rGC6ixk+Ljkp17

Score
7/10
discovery

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fd0269ca5f7b66eeb24bf3626e6cd738_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\fd0269ca5f7b66eeb24bf3626e6cd738_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4492
    • C:\svchost.exe
      "C:\svchost.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:4484
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4484 -s 2216
        3⤵
        • Program crash
        PID:4836
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4484 -ip 4484
    1⤵
      PID:1184

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmp53DD.Exe
      Filesize

      96KB

      MD5

      16ea8b59f4ba4f5a61fe1b8cd6050c94

      SHA1

      d1b6f248a30595b05110c5b693d2c9a6a494c9cf

      SHA256

      531c7fe97c6825b0aa2298fda4d4da836cc4e6028a423b05c55bb6b3669aae5c

      SHA512

      5fb879e60a91743e6f58ee565dfe909a576bd4ea9061ee816746283086ea5df6f2a6bfb5178a99555b73fc86b50c6104bce79c5beec97eef1e7e23cd96c7ccd6

      Download Submit

    • C:\svchost.exe
      Filesize

      3.1MB

      MD5

      029198ad184b5316c5f294817cc41011

      SHA1

      4aa0d4bf45b91d7773ae6446e6b9eb54348dbe1a

      SHA256

      354856d93fc3b5b6a8cf2a7f9ae99073797805033588ff7c4ed8495adc317b92

      SHA512

      bc5634128a0b1c6383ca2fba120a14507553dc184d9fb51cd4de8db02e50199b394bcc1cf6bf2309c1f0d241c52a247c0c86d1f814de0432099d1bd3b4ecd7df

      Download Submit

    • C:\ts.dll
      Filesize

      3KB

      MD5

      ab62f36cc469c34fd1b86ebf3eb19aa3

      SHA1

      2a70b2793949c3aabbde738c60ece2c52b3f9445

      SHA256

      67d34ac4df536192e5529b1f98547180f225ef83ca810d087c8f0324324edfa7

      SHA512

      35f84161062f1d7cabbf069e2638819168da2993432566d1b369ed0fca82cafe884ea560fada129b6c4d629ef61bfbff2368d54c8dccd75416e65671e30733ee

      Download Submit

    • memory/4484-35-0x0000000001031000-0x0000000001032000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4484-34-0x0000000001030000-0x0000000001033000-memory.dmp

      Filesize

      12KB

      Download

    • memory/4484-33-0x0000000000400000-0x0000000000776000-memory.dmp

      Filesize

      3.5MB

      Download

    • memory/4484-48-0x0000000001030000-0x0000000001033000-memory.dmp

      Filesize

      12KB

      Download

    • memory/4484-49-0x0000000000400000-0x0000000000776000-memory.dmp

      Filesize

      3.5MB

      Download

    • memory/4492-50-0x0000000000400000-0x000000000074C000-memory.dmp

      Filesize

      3.3MB

      Download