Analysis

  • max time kernel
    94s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    08/10/2024, 23:56

General

  • Target

    275c70e2a2ab1a9717bbb65ae7dccb04_JaffaCakes118.exe

  • Size

    16KB

  • MD5

    275c70e2a2ab1a9717bbb65ae7dccb04

  • SHA1

    a42f864d2572a0bd3f13f372a362cba831a3c47f

  • SHA256

    e004869796ad51deac260c3b976c84e55faace26c1d13d4c45c7b77629d4481c

  • SHA512

    cdf391c4608406d76a95f745185556befc6dd4e2d1419b11085c77499b6310e0b4b30e5f3dcdaa93f713bc0617d8ca3f4e16b706a1578f8fc60f3d8010c25c97

  • SSDEEP

    384:mPW/Wz5VCGOuip4b8sGuuZ6a/uOoaeJdHzFCbe+z:MynJsGuTa/uOofHTFCbeM

Malware Config

Signatures

  • Sets service image path in registry 2 TTPs 1 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 5 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\275c70e2a2ab1a9717bbb65ae7dccb04_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\275c70e2a2ab1a9717bbb65ae7dccb04_JaffaCakes118.exe"
    1⤵
    • Sets service image path in registry
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:376
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Windows\system32\del.bat
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2800
  • C:\Windows\SysWOW64\B37588D4.EXE
    C:\Windows\SysWOW64\B37588D4.EXE -k
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    PID:2380

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\SysWOW64\B37588D4.EXE

    Filesize

    16KB

    MD5

    275c70e2a2ab1a9717bbb65ae7dccb04

    SHA1

    a42f864d2572a0bd3f13f372a362cba831a3c47f

    SHA256

    e004869796ad51deac260c3b976c84e55faace26c1d13d4c45c7b77629d4481c

    SHA512

    cdf391c4608406d76a95f745185556befc6dd4e2d1419b11085c77499b6310e0b4b30e5f3dcdaa93f713bc0617d8ca3f4e16b706a1578f8fc60f3d8010c25c97

  • C:\Windows\SysWOW64\del.bat

    Filesize

    239B

    MD5

    739128b9c959fbafcef117ccbdec76b2

    SHA1

    16b30bbdab0dd309f9801dc92d1dd32c708f348d

    SHA256

    b565cd22f3cfde0c28ff5492d025b052470e5abed19f4494b53297e695c0f6b7

    SHA512

    1a567eee79b710e3f149a3939a3c8b59d10ad30787e35b036ba1cbbc09b1a914e657c3eba610e4504d6fdb2d8f717e6dbe48e1b9ec3735332852268bee6c3317

  • memory/376-0-0x0000000000400000-0x0000000000417000-memory.dmp

    Filesize

    92KB

  • memory/376-1-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

  • memory/376-16-0x0000000000400000-0x0000000000417000-memory.dmp

    Filesize

    92KB

  • memory/2380-4-0x0000000000400000-0x0000000000417000-memory.dmp

    Filesize

    92KB

  • memory/2380-5-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

  • memory/2380-17-0x0000000000400000-0x0000000000417000-memory.dmp

    Filesize

    92KB