Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

5

2f483a8a46...18.exe

windows7-x64

8

2f483a8a46...18.exe

windows10-2004-x64

5

Analysis

  • max time kernel
    148s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    09/10/2024, 10:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2f483a8a46ecda53c0b6ee21865aa368_JaffaCakes118.exe

  • Size

    62KB

  • MD5

    2f483a8a46ecda53c0b6ee21865aa368

  • SHA1

    8d97ddc6050f98ffdcf4a7806354935eb5034b47

  • SHA256

    e135dd0c8e04cfed36a4390b61900120b14e45f9eb4b4a5e7238189d298538b5

  • SHA512

    a612c5a493da9ed95114ad0de1b00a81e1de3424c29c3e12df9b6f574d13a4327540d1155cf3af090c3abba5f2be4c39df4db51d4b9898c55320359e7bd748cd

  • SSDEEP

    1536:vgz2AGSLu4gcby+19QcS/uzbxN2oToN/dLaHQfxyNfG4WZg:oKWLuhoy+bQz2zbioIFawfxIL6

Score
8/10
discoveryevasionpersistenceprivilege_escalationupx

Malware Config

Signatures

  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2f483a8a46ecda53c0b6ee21865aa368_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\2f483a8a46ecda53c0b6ee21865aa368_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2484
    • C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\System32\netsh.exe" firewall set allowedprogram program = "C:\Windows\CSC\explorer.exe" name = "Explorer" mode = ENABLE scope = ALL profile = ALL
      2⤵
      • Modifies Windows Firewall
      • Event Triggered Execution: Netsh Helper DLL
      • System Location Discovery: System Language Discovery
      PID:472
    • C:\Windows\CSC\explorer.exe
      "C:\Windows\CSC\explorer.exe" C:\noexistfile.txt
      2⤵
      • Executes dropped EXE
      PID:1384

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Windows\CSC\explorer.exe
    Filesize

    62KB

    MD5

    2f483a8a46ecda53c0b6ee21865aa368

    SHA1

    8d97ddc6050f98ffdcf4a7806354935eb5034b47

    SHA256

    e135dd0c8e04cfed36a4390b61900120b14e45f9eb4b4a5e7238189d298538b5

    SHA512

    a612c5a493da9ed95114ad0de1b00a81e1de3424c29c3e12df9b6f574d13a4327540d1155cf3af090c3abba5f2be4c39df4db51d4b9898c55320359e7bd748cd

    Download Submit

  • memory/1384-24-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2484-0-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2484-1-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2484-10-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2484-18-0x0000000002A60000-0x0000000002A8B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2484-22-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download