Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

086cdcecfb...18.exe

windows7-x64

10

086cdcecfb...18.exe

windows10-2004-x64

4

Analysis

  • max time kernel
    149s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    02/10/2024, 02:22 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    086cdcecfba4044398f361ff7fae0321_JaffaCakes118.exe

  • Size

    98KB

  • MD5

    086cdcecfba4044398f361ff7fae0321

  • SHA1

    adfc5437b1e240f6ae8a6e3b1b495e095d857207

  • SHA256

    a49f11e354c0edc509faea7b99a116a1ad402c72faa17a9354f7daaea6e03adb

  • SHA512

    fad5fce88ff8e7285998ad0fdd87048b5723ea338e84214e0fcd0a20ab8f065ca916c36badef17df69c8c388de19a994075d00d12ab6523144846f4cfd14c232

  • SSDEEP

    1536:fCJVWpuVbSn1BlTiQDaKts99iMfg3UzQkOv:fCJXOn7speUzQv

Score
10/10
discovery

Malware Config

Extracted

Credentials

  • Protocol:     ftp
  • Host:
    ftp.tripod.com
  • Port:
    21
  • Username:
    griptoloji
  • Password:
    741852

Signatures

  • Executes dropped EXE 1 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies data under HKEY_USERS 6 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\086cdcecfba4044398f361ff7fae0321_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\086cdcecfba4044398f361ff7fae0321_JaffaCakes118.exe"
    1⤵
    • Drops file in Windows directory
    PID:1708
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {1216C678-1EE7-4E41-95C9-AE280CCAC6FE} S-1-5-18:NT AUTHORITY\System:Service:
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2504
    • C:\Windows\Drv15\svchost.exe
      C:\Windows\Drv15\svchost.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies data under HKEY_USERS
      PID:2760

Network

  • flag-us
    DNS
    ftp.tripod.com
    svchost.exe
    Remote address:
    8.8.8.8:53
    Request
    ftp.tripod.com
    IN A
    Response
    ftp.tripod.com
    IN A
    209.202.252.54
  • flag-us
    DNS
    gripto.freehostia.com
    svchost.exe
    Remote address:
    8.8.8.8:53
    Request
    gripto.freehostia.com
    IN A
    Response
  • flag-us
    DNS
    gripto.freehostia.com
    svchost.exe
    Remote address:
    8.8.8.8:53
    Request
    gripto.freehostia.com
    IN A
  • 209.202.252.54:21
    ftp.tripod.com
    ftp
    svchost.exe
    300 B
     367 B
     6
    6
  • 209.202.252.54:21
    ftp.tripod.com
    svchost.exe
    190 B
     124 B
     4
    3
  • 8.8.8.8:53
    ftp.tripod.com
    dns
    svchost.exe
    60 B
     76 B
     1
    1

    DNS Request

    ftp.tripod.com

    DNS Response

    209.202.252.54

  • 8.8.8.8:53
    gripto.freehostia.com
    dns
    svchost.exe
    134 B
     113 B
     2
    1

    DNS Request

    gripto.freehostia.com

    DNS Request

    gripto.freehostia.com

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\Drv15\svchost.exe
    Filesize

    35KB

    MD5

    460ce14d060cdedf74322faad7a02e8c

    SHA1

    fdc2e928718698c1be35f2f1b3218749a009d6d7

    SHA256

    a961740ca9fce24fbfe5122570e72dca89eef6028755b18267bfaa364a8db86d

    SHA512

    3ddfe4ad7ae1aa6805a2ae46481efa52bbfcefd69fe4e4e3f8a92edc713b8e05ccb2a2d70816be6ac60bbf58b1bab3872b02da2cf61e296a319b908d84fc0add

    Download Submit

  • C:\Windows\RLT6990\services.exe
    Filesize

    98KB

    MD5

    086cdcecfba4044398f361ff7fae0321

    SHA1

    adfc5437b1e240f6ae8a6e3b1b495e095d857207

    SHA256

    a49f11e354c0edc509faea7b99a116a1ad402c72faa17a9354f7daaea6e03adb

    SHA512

    fad5fce88ff8e7285998ad0fdd87048b5723ea338e84214e0fcd0a20ab8f065ca916c36badef17df69c8c388de19a994075d00d12ab6523144846f4cfd14c232

    Download Submit

  • memory/1708-0-0x0000000000400000-0x000000000043C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/1708-3-0x0000000000400000-0x000000000043C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2760-7-0x0000000000400000-0x0000000000408000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2760-9-0x0000000000400000-0x0000000000408000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2760-17-0x0000000000400000-0x0000000000408000-memory.dmp

    Filesize

    32KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.