Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12/10/2024, 23:46

General

  • Target

    3caa54444e29063eb3e316ba20ca9e83_JaffaCakes118.exe

  • Size

    19KB

  • MD5

    3caa54444e29063eb3e316ba20ca9e83

  • SHA1

    2ce5d9186b70d77808115e2cd2df3a5d09a59b90

  • SHA256

    7ca4e6020511294fcfcf503eb985db51513fa8fa294f45ef7112fd061acd7955

  • SHA512

    1155ccdc913b55a7ab444ab20441c5522e89fc705a35790ca84c9c1193d97262a1b1b489d392e0c31b84ff916fba02b269e4f3944bfea0d443ec16e764f17ffe

  • SSDEEP

    384:jxNR77zN0w638TNFTBs16QCzOcg9FgGJV4EFdYHuwETKUgPZ9bMt5vAxVqxkeOlS:jxN17zn66W2zONFgS4aay

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in Windows directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3caa54444e29063eb3e316ba20ca9e83_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\3caa54444e29063eb3e316ba20ca9e83_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4080
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpfile0.bat""
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:688
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" ver"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3008
      • C:\Windows\SysWOW64\find.exe
        find /i "XP"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2008
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" if errorlevel1 ctty nul | if not errorlevel1 exit"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2072
      • C:\Windows\SysWOW64\find.exe
        find /v /i "[windows]"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1268
      • C:\Windows\SysWOW64\find.exe
        find /v /i "load="
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1048
      • C:\Windows\SysWOW64\find.exe
        find /v /i "run="
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4624
      • C:\Windows\SysWOW64\find.exe
        find /v /i "NullPort="
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2484
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32 mouse,disable
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1008
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32 keyboard,disable
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2040
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpfile0.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1916

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\d

    Filesize

    92B

    MD5

    23cf8138f49416231807e6de371fb9e6

    SHA1

    973672eeae5a05447e47395cde37e8121b7c90fe

    SHA256

    6b3d6e268dcb76e175a7db3d9e031349ab2c32654c7e57581a851e64dd6214ab

    SHA512

    42ae18a96645289cb0246d545daa955d2fb0784993726414d0bc723dfb58b33cf11bb6b62ba7f5a3765e0c6c5713e8a02cd63638877ca032b82d4806e79950cf

  • C:\Users\Admin\AppData\Local\Temp\tmpfile0.bat

    Filesize

    5KB

    MD5

    08ba7299e46ff5ce240cc4443f978254

    SHA1

    962bcaf1a40c9e64ce4255304308a45415307108

    SHA256

    694bec51824f93182e9a88eca05c8d5d12709c657e176799747f45c39f259da9

    SHA512

    a8012d1f46ca28b04bbdf104904de437d4ceca992d4d0a9094b2d1094c7ad0f05612668727a85a33593acf7b2fb7d8d01b578ca56fd9bd30c69eb20eb2a82389

  • C:\Users\Admin\AppData\Local\Temp\tmpfile0.bat

    Filesize

    146B

    MD5

    88381f6a43477c19636c8c4a3507467b

    SHA1

    ee5b1692a1e2cdaab427ee6b439a3863af194c7a

    SHA256

    43f4d0929ad9829357a007818d770887a8985ee09ddb8b2dd1df240deeaf5a0a

    SHA512

    9693b61fa6d89044870be79376f8423447fc0f9ba1d2c99352a19f2b246901cfd7fd36d0f549f269d01131ff2f8b7d6a8864e723278c2d0ac61e72c0e3c12b25

  • memory/4080-0-0x0000000000400000-0x0000000000407000-memory.dmp

    Filesize

    28KB

  • memory/4080-22-0x0000000000400000-0x0000000000407000-memory.dmp

    Filesize

    28KB