Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

fdc0d4c589...18.exe

windows7-x64

7

fdc0d4c589...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    84s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    29/09/2024, 03:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fdc0d4c58978e14ddc2d271efa4a6cf3_JaffaCakes118.exe

  • Size

    189KB

  • MD5

    fdc0d4c58978e14ddc2d271efa4a6cf3

  • SHA1

    bfd610bfe9b780132eca6f0e35db20dbad2cfb13

  • SHA256

    9bf69d7e82b52d77284b7581b5c01f454f2148df6fa13e7cb1e738a3424cebec

  • SHA512

    5702fa68df775a7fe08adf759a0a8025886dd94191d5e55cdc650733acc88675601ca072de8b14ce81efeb177c128657dbf1c8874f90506d3eb757c45941b209

  • SSDEEP

    3072:cGGFOyZjhZt6ePQT0FN0cyVlIjBS/0n0tTg4U0B/QO6GpUbdBDnB2+JHg+MgITvR:rGvZtrYTeNFyVwS/0n0t0p0NpoBDBp1

Score
7/10
discoverypersistenceprivilege_escalation

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    persistenceprivilege_escalation
  • Unexpected DNS network traffic destination 8 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Drops desktop.ini file(s) 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\system32\services.exe
    C:\Windows\system32\services.exe
    1⤵
    • Drops desktop.ini file(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:476
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1212
      • C:\Users\Admin\AppData\Local\Temp\fdc0d4c58978e14ddc2d271efa4a6cf3_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\fdc0d4c58978e14ddc2d271efa4a6cf3_JaffaCakes118.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2132
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe"
          3⤵
          • Deletes itself
          • System Location Discovery: System Language Discovery
          PID:2936

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • \systemroot\Installer\{88c21f95-7915-71b8-b315-ca0acbeb53e8}\@
      Filesize

      2KB

      MD5

      68cf938c99487ef9715c316c0da07cdb

      SHA1

      35299245b3b24d9c9f9557157811f0206468e672

      SHA256

      c53e64b5282f72e7ce6609085c3c30e2ceb52ade7f3c4f3e24daba19ddf8f75f

      SHA512

      00d21585358a43d813df7baa61436f0ad01e7fbd299d091a64f043a6826db309f29d0831705f2dbcfe49f461a45154cee45ed5db4c55b6d13ada8e206818b181

      Download Submit

    • memory/476-30-0x0000000000140000-0x000000000014F000-memory.dmp

      Filesize

      60KB

      Download

    • memory/476-39-0x0000000000140000-0x000000000014F000-memory.dmp

      Filesize

      60KB

      Download

    • memory/476-25-0x0000000000130000-0x000000000013F000-memory.dmp

      Filesize

      60KB

      Download

    • memory/476-31-0x0000000000140000-0x000000000014F000-memory.dmp

      Filesize

      60KB

      Download

    • memory/476-29-0x0000000000130000-0x000000000013F000-memory.dmp

      Filesize

      60KB

      Download

    • memory/1212-6-0x0000000002ED0000-0x0000000002EDF000-memory.dmp

      Filesize

      60KB

      Download

    • memory/1212-15-0x0000000002EB0000-0x0000000002EBC000-memory.dmp

      Filesize

      48KB

      Download

    • memory/1212-17-0x0000000002EE0000-0x0000000002EEF000-memory.dmp

      Filesize

      60KB

      Download

    • memory/1212-14-0x0000000002ED0000-0x0000000002EDF000-memory.dmp

      Filesize

      60KB

      Download

    • memory/1212-16-0x0000000002EE0000-0x0000000002EEF000-memory.dmp

      Filesize

      60KB

      Download

    • memory/1212-37-0x0000000002EB0000-0x0000000002EB1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1212-10-0x0000000002ED0000-0x0000000002EDF000-memory.dmp

      Filesize

      60KB

      Download

    • memory/2132-3-0x0000000000400000-0x0000000000432000-memory.dmp

      Filesize

      200KB

      Download

    • memory/2132-2-0x0000000000400000-0x0000000000432000-memory.dmp

      Filesize

      200KB

      Download

    • memory/2132-35-0x000000000042A000-0x0000000000432000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2132-36-0x0000000000400000-0x0000000000432000-memory.dmp

      Filesize

      200KB

      Download

    • memory/2132-1-0x000000000042A000-0x0000000000432000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2132-0-0x0000000000220000-0x0000000000221000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2132-42-0x0000000000400000-0x0000000000432000-memory.dmp

      Filesize

      200KB

      Download