Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

0b2cf9abc1...18.exe

windows7-x64

10

0b2cf9abc1...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    112s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    02/10/2024, 14:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0b2cf9abc1b88e6db894191bdae4a95f_JaffaCakes118.exe

  • Size

    259KB

  • MD5

    0b2cf9abc1b88e6db894191bdae4a95f

  • SHA1

    22c2765d188b5e1780fdd732a361fbd732e8441e

  • SHA256

    34f30c88f787108b49a07c2f36ffae92d8c337dfdaeaf4266683c711832a06e1

  • SHA512

    b660f78cc3e1064094060c868cac14e01909d2f1e9cfedc032ebc62df49f562bbee0702c7ad00db987db7bd951cfe5fd2992e604ad17746f4e271a992ddd64f6

  • SSDEEP

    6144:uSaBurd4ixUO3crX87b09HVVw+YOEB/gSlK7KOwb2:V/mybcQXUm+YOe2wb2

Score
10/10
discoveryevasionpersistence

Malware Config

Signatures

  • Modifies firewall policy service 3 TTPs 18 IoCs
    evasion
  • Modifies security service 2 TTPs 22 IoCs
    evasion
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Deletes itself 1 IoCs
  • Unexpected DNS network traffic destination 11 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops desktop.ini file(s) 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 22 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • NTFS ADS 19 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 37 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0b2cf9abc1b88e6db894191bdae4a95f_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0b2cf9abc1b88e6db894191bdae4a95f_JaffaCakes118.exe"
    1⤵
    • Modifies security service
    • Sets service image path in registry
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • NTFS ADS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2364
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe"
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:784

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Google\Desktop\Install\{df1a425b-aff8-7a3e-8255-85ec0105cb73}\ \...\‮ﯹ๛\{df1a425b-aff8-7a3e-8255-85ec0105cb73}\@
    Filesize

    2KB

    MD5

    e9583687fdb1522ee75a3ccc9d77ec18

    SHA1

    81963d263a50e15b4b2047a6f458e0805bc32f6d

    SHA256

    d3c29b2b88e10a2ddf01d98d6e0d7ea2395d36fcb27c49afee7472eb4bd7c048

    SHA512

    4a469b07284ae76b77a10ab338e8716fd709c1cb4800b9619e1a7af9263bd10bfb426456e439e93b10b2c4e74094084b002dee5de74098a55e0999c7cd691a98

    Download Submit

  • memory/472-13-0x0000000000130000-0x0000000000141000-memory.dmp

    Filesize

    68KB

    Download

  • memory/472-11-0x0000000000130000-0x0000000000141000-memory.dmp

    Filesize

    68KB

    Download

  • memory/472-12-0x0000000000130000-0x0000000000141000-memory.dmp

    Filesize

    68KB

    Download

  • memory/472-15-0x0000000074FE0000-0x0000000074FE3000-memory.dmp

    Filesize

    12KB

    Download

  • memory/1184-3-0x0000000002A60000-0x0000000002A71000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1184-9-0x0000000074FE0000-0x0000000074FE1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1184-8-0x0000000002A60000-0x0000000002A71000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1184-4-0x0000000002A60000-0x0000000002A71000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1184-19-0x0000000002A60000-0x0000000002A71000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2364-10-0x0000000000260000-0x0000000000281000-memory.dmp

    Filesize

    132KB

    Download

  • memory/2364-0-0x0000000000040000-0x0000000000084000-memory.dmp

    Filesize

    272KB

    Download

  • memory/2364-2-0x0000000000040000-0x0000000000084000-memory.dmp

    Filesize

    272KB

    Download

  • memory/2364-17-0x0000000000260000-0x0000000000281000-memory.dmp

    Filesize

    132KB

    Download

  • memory/2364-1-0x0000000000040000-0x0000000000084000-memory.dmp

    Filesize

    272KB

    Download