Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

3

12939b3590...18.exe

windows7-x64

8

12939b3590...18.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    150s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    04/10/2024, 08:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    12939b3590d5aa3b4d8b50048e1955ca_JaffaCakes118.exe

  • Size

    226KB

  • MD5

    12939b3590d5aa3b4d8b50048e1955ca

  • SHA1

    2f993fb018435f5365ef558f90ad6357a0bcf5e6

  • SHA256

    8309eb9ecbfe0e5dca5070d94649340cf0406baedb940eeb062113f14fe30e58

  • SHA512

    0552f17cd25692fa6a5ee4dcecbe2abea8de7e503969d7bbf036b2694bcf950cadcb4d2e10cd6b6156dd4a9acdf18b202cfb8e7e4c4a82998853d50c927dc24b

  • SSDEEP

    3072:RAatf04xOIhMDy3EsLVqRwlKYNrsp6mpehe6beTSOJ8os9PHt4RSF:5tfrxOUMD0IMxe6bpOWP6cF

Score
8/10
discoveryspywarestealer

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1128
      • C:\Users\Admin\AppData\Local\Temp\12939b3590d5aa3b4d8b50048e1955ca_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\12939b3590d5aa3b4d8b50048e1955ca_JaffaCakes118.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1960
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$aACD3.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2988
          • C:\Users\Admin\AppData\Local\Temp\12939b3590d5aa3b4d8b50048e1955ca_JaffaCakes118.exe
            "C:\Users\Admin\AppData\Local\Temp\12939b3590d5aa3b4d8b50048e1955ca_JaffaCakes118.exe"
            4⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:2792
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Drops file in Drivers directory
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1548
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2120
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2168

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\$$aACD3.bat
      Filesize

      614B

      MD5

      a7a02cf1315aabfd3313a12c57735629

      SHA1

      ab3f797070c3340e8400cfeef51c156bda28baae

      SHA256

      a7899964fef439991176d6ccfdc86ee5c8b60e11a5fade1f88209000c0c6f95c

      SHA512

      4c633e18fad5481af31e0fa1c0cfe2adf1c07b8baf916b63ba3bf5e7e378b1e9ad58d62df5393d1c55f75bdcbdfee514fb4a202ffbeb8ca2638e24b9a2dd2c4c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\12939b3590d5aa3b4d8b50048e1955ca_JaffaCakes118.exe.exe
      Filesize

      161KB

      MD5

      80da5ee61048975f77fde0b59c44dc37

      SHA1

      8e34a677aec9b0b1686cff1dd5ac2d3d6af242da

      SHA256

      bbc0eae226926b29c3e8e1ea629e612726cd358c5984cc45e4bdcd6f49be93bb

      SHA512

      0188c8bdf324ce701d55eac4208d23a63ca40fa9b4d72f0e3c38d6fb92f10e1c5c25fa3798e2f91962e0e7d5147d7e4d3de0103e6960ffaea34e0ec6c0fd2fae

      Download Submit

    • C:\Windows\Logo1_.exe
      Filesize

      65KB

      MD5

      eed3b320cc57e0063bf83ad293477a03

      SHA1

      45d74dac2b5412f7bcc9e4f2ed729b5c853a7521

      SHA256

      6343d379414c5ac16232a7f9399b7712deb2676bc0c521d358b09270f9949ff3

      SHA512

      5901802a1c6b214ec2c35e2cdc46e3acac4bf3d6c22deca413827e88ccaad0d83984966045741fe8fef800b8394e6fde9921502be8c1429a2984ae0fe12beb57

      Download Submit

    • memory/1128-22-0x00000000024D0000-0x00000000024D1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1548-27-0x0000000000400000-0x0000000000423000-memory.dmp

      Filesize

      140KB

      Download

    • memory/1548-33-0x0000000000400000-0x0000000000423000-memory.dmp

      Filesize

      140KB

      Download

    • memory/1548-25-0x0000000000400000-0x0000000000423000-memory.dmp

      Filesize

      140KB

      Download

    • memory/1548-26-0x0000000000400000-0x0000000000423000-memory.dmp

      Filesize

      140KB

      Download

    • memory/1548-256-0x0000000000400000-0x0000000000423000-memory.dmp

      Filesize

      140KB

      Download

    • memory/1548-28-0x0000000000400000-0x0000000000423000-memory.dmp

      Filesize

      140KB

      Download

    • memory/1548-29-0x0000000000400000-0x0000000000423000-memory.dmp

      Filesize

      140KB

      Download

    • memory/1548-30-0x0000000000400000-0x0000000000423000-memory.dmp

      Filesize

      140KB

      Download

    • memory/1548-31-0x0000000000400000-0x0000000000423000-memory.dmp

      Filesize

      140KB

      Download

    • memory/1548-32-0x0000000000400000-0x0000000000423000-memory.dmp

      Filesize

      140KB

      Download

    • memory/1548-24-0x0000000000400000-0x0000000000423000-memory.dmp

      Filesize

      140KB

      Download

    • memory/1548-34-0x0000000000400000-0x0000000000423000-memory.dmp

      Filesize

      140KB

      Download

    • memory/1548-35-0x0000000000400000-0x0000000000423000-memory.dmp

      Filesize

      140KB

      Download

    • memory/1960-13-0x0000000000400000-0x0000000000423000-memory.dmp

      Filesize

      140KB

      Download