Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

2fd4b0ca4c...18.exe

windows7-x64

7

2fd4b0ca4c...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    93s
  • max time network
    97s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/10/2024, 10:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2fd4b0ca4c98b737c59da79e1a59f4d0_JaffaCakes118.exe

  • Size

    3.8MB

  • MD5

    2fd4b0ca4c98b737c59da79e1a59f4d0

  • SHA1

    5eff241c9499924963e6e8034e4a86946991ba85

  • SHA256

    c54f41b90d6cbfa8a8590423642daad2d9804ec8d8cf03a27e2ef4cd1c8b7fbe

  • SHA512

    d210736b5e7ad586154651d252d0c0b871073bdeab683ffa618a39db73d9f58e7de1aa8da67457c2acdfce8d99e361ca3e1dd9309da8319f27c5e576446eae0f

  • SSDEEP

    98304:/SjSLLHz89pCdxkeQv+LT7trNfnxpApzenk7O:/SFIG+ZhZpA9hq

Score
7/10
discoverypersistenceupx

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2fd4b0ca4c98b737c59da79e1a59f4d0_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\2fd4b0ca4c98b737c59da79e1a59f4d0_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1788
    • C:\Users\Admin\AppData\Local\Temp\~DP7ADD.exe
      "C:\Users\Admin\AppData\Local\Temp\~DP7ADD.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2112
      • C:\Windows\winlogon.exe
        C:\Windows\winlogon.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        PID:1288
    • C:\Users\Admin\AppData\Local\Temp\~DP7C16.exe
      "C:\Users\Admin\AppData\Local\Temp\~DP7C16.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2536

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\~DP7ADD.exe
    Filesize

    120KB

    MD5

    7de4d379ef630e064788ebd8f7a62fca

    SHA1

    84e672f7bf9224a0f52518c93226c027a2465b25

    SHA256

    152958ed713f7f7b2bf5e49165425c87a867c8d23c7ca874e5a6e0a629436395

    SHA512

    b60c420d143853b0b1bcc63e235f3c6018b8db77cb2b709fa0faffe7b31640a51c842b9fd797511eb19dde0bbd7b0e91cdda908026ae520be64da6184cb2fbbb

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\~DP7C16.exe
    Filesize

    3.6MB

    MD5

    02179af0725062fada76dc9f2f58e629

    SHA1

    64c92392e72ffb3740081a96983966e8ef52c84a

    SHA256

    82133b9c92dc054457669d645e380483bb3a12b7d5d36d37b2efe570ff25a41e

    SHA512

    5f70cfa32388f322bee038892a88fa20b2e7d1e0c80cd8300417e8c104ca28408845d4142129b9035e0bc9f26568a450712ef0c3170837c850c6f9ee8dcc18d7

    Download Submit

  • memory/1288-27-0x0000000000400000-0x0000000000446000-memory.dmp

    Filesize

    280KB

    Download

  • memory/1788-21-0x0000000000400000-0x00000000007CB000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/2112-9-0x0000000000400000-0x0000000000446000-memory.dmp

    Filesize

    280KB

    Download

  • memory/2112-25-0x0000000000400000-0x0000000000446000-memory.dmp

    Filesize

    280KB

    Download

  • memory/2536-20-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2536-30-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download