Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

fdc0d4c589...18.exe

windows7-x64

7

fdc0d4c589...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    146s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29/09/2024, 03:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fdc0d4c58978e14ddc2d271efa4a6cf3_JaffaCakes118.exe

  • Size

    189KB

  • MD5

    fdc0d4c58978e14ddc2d271efa4a6cf3

  • SHA1

    bfd610bfe9b780132eca6f0e35db20dbad2cfb13

  • SHA256

    9bf69d7e82b52d77284b7581b5c01f454f2148df6fa13e7cb1e738a3424cebec

  • SHA512

    5702fa68df775a7fe08adf759a0a8025886dd94191d5e55cdc650733acc88675601ca072de8b14ce81efeb177c128657dbf1c8874f90506d3eb757c45941b209

  • SSDEEP

    3072:cGGFOyZjhZt6ePQT0FN0cyVlIjBS/0n0tTg4U0B/QO6GpUbdBDnB2+JHg+MgITvR:rGvZtrYTeNFyVwS/0n0t0p0NpoBDBp1

Score
7/10
discoverypersistenceprivilege_escalation

Malware Config

Signatures

  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    persistenceprivilege_escalation
  • Unexpected DNS network traffic destination 4 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3536
      • C:\Users\Admin\AppData\Local\Temp\fdc0d4c58978e14ddc2d271efa4a6cf3_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\fdc0d4c58978e14ddc2d271efa4a6cf3_JaffaCakes118.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3448

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/3448-1-0x000000000042A000-0x0000000000432000-memory.dmp

      Filesize

      32KB

      Download

    • memory/3448-0-0x00000000004D0000-0x00000000004D1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3448-2-0x0000000000400000-0x0000000000432000-memory.dmp

      Filesize

      200KB

      Download

    • memory/3448-3-0x0000000000400000-0x0000000000432000-memory.dmp

      Filesize

      200KB

      Download

    • memory/3448-8-0x0000000000400000-0x0000000000432000-memory.dmp

      Filesize

      200KB

      Download

    • memory/3448-9-0x000000000042A000-0x0000000000432000-memory.dmp

      Filesize

      32KB

      Download

    • memory/3536-4-0x00000000028C0000-0x00000000028C1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3536-7-0x0000000000560000-0x000000000056C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/3536-10-0x00000000028C0000-0x00000000028C1000-memory.dmp

      Filesize

      4KB

      Download