Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    14/10/2024, 20:08

General

  • Target

    43f80c13eba1c24db5b886b1ef80171f_JaffaCakes118.exe

  • Size

    23KB

  • MD5

    43f80c13eba1c24db5b886b1ef80171f

  • SHA1

    628c306f413540ef61ac46ba99265743ed775c62

  • SHA256

    06cce93a2695dd6f4d3ac92cbe2570ceea5d780e316c1e62f2c4786db3c72236

  • SHA512

    e009479cf1328a212c009f50a575d1f3eee978443399e498dea0a313847d5ab76aca3fa2098883aa6b1264931238971145ee2f4df5675398aea0cca3408060cc

  • SSDEEP

    384:UsyIO9nHedQMvezk0xmIGz0+/o/PaMM8u8f/axPYzzAWiw4gdbdBMD6uI6loA:kj84frG4+OCVa/axmViwFdBMOuIE

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer Protected Mode 1 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 40 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\43f80c13eba1c24db5b886b1ef80171f_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\43f80c13eba1c24db5b886b1ef80171f_JaffaCakes118.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3224
    • C:\Windows\csrss.exe
      C:\Windows\csrss.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer Protected Mode
      PID:972
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\temp.bat
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2384
  • C:\Program Files (x86)\Internet Explorer\ielowutil.exe
    "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
    1⤵
    • System Location Discovery: System Language Discovery
    PID:4692
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4616
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4616 CREDAT:17410 /prefetch:2
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:2188
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4616 CREDAT:17418 /prefetch:2
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1904
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4616 CREDAT:17422 /prefetch:2
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:552
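The process tree and the dropped-file list above already carry the report's two most useful findings: the file written to C:\Windows\csrss.exe has exactly the sample's own hashes (a self-copy), and csrss.exe is a core Windows binary that only ever runs from System32, so a copy in C:\Windows is name masquerading. A third detail is implicit: the parent asked for C:\Windows\system32\cmd.exe but C:\Windows\SysWOW64\cmd.exe ran, which is WOW64 file-system redirection and only happens to 32-bit callers. The script below, an added example that is not part of the Triage report, re-derives those findings from hand-constructed event records copied from the report. The set of protected system-process names is my own assumption, and the Run-key record is a placeholder: the report states that a Run key was added by PID 972 but does not show the hive, value name or data.

```python
"""Re-derive the triage report's headline findings from its own artefacts.

Added example, not part of the Triage report. Event records are constructed
by hand from the report's process tree and dropped-file list; the Run-key
record is a placeholder because the report does not show the key or data.
"""
from dataclasses import dataclass
import ntpath

# SHA256 of the submitted sample, copied from the report's General section.
SAMPLE_SHA256 = "06cce93a2695dd6f4d3ac92cbe2570ceea5d780e316c1e62f2c4786db3c72236"

# Assumption: core Windows binaries that only run from System32 (SysWOW64 holds
# 32-bit copies of some). A same-named file anywhere else is masquerading
# (ATT&CK T1036.005). Extend the set to taste.
SYSTEM_PROCESS_NAMES = {"csrss.exe", "smss.exe", "wininit.exe", "winlogon.exe",
                        "services.exe", "lsass.exe", "svchost.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


@dataclass(frozen=True)
class FileEvent:
    path: str
    sha256: str


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    ppid: int
    image: str      # image path that actually executed
    cmdline: str    # command line as written by the parent


@dataclass(frozen=True)
class RunKeyEvent:
    pid: int
    hive: str       # placeholder: not shown in the report
    data: str       # placeholder: assumed to point at the dropped copy


def _dir_and_name(path):
    d, n = ntpath.split(path)
    return d.lower(), n.lower()


def self_copies(files, sample_sha256=SAMPLE_SHA256):
    """Paths of dropped files that are byte-for-byte the submitted sample."""
    return [f.path for f in files if f.sha256 == sample_sha256]


def masquerades(processes):
    """(pid, image) for processes using a core system binary name outside System32/SysWOW64."""
    hits = []
    for p in processes:
        d, n = _dir_and_name(p.image)
        if n in SYSTEM_PROCESS_NAMES and d not in SYSTEM_DIRS:
            hits.append((p.pid, p.image))
    return hits


def wow64_redirections(processes):
    """PIDs of parents that asked for system32 but got SysWOW64.

    Redirection only applies to 32-bit callers, so this identifies the parent
    as a 32-bit process without inspecting its PE header.
    """
    hits = set()
    for p in processes:
        asked = p.cmdline.split(" ", 1)[0].strip('"').lower()
        if "\\system32\\" in asked and "\\syswow64\\" in p.image.lower():
            hits.add(p.ppid)
    return sorted(hits)


def persistence_to_dropped(runkeys, files):
    """(pid, data) for Run-key values whose target is one of the dropped files."""
    dropped = {f.path.lower() for f in files}
    return [(r.pid, r.data) for r in runkeys if r.data.strip('"').lower() in dropped]


# Constructed from the report; paths and hashes are the report's own.
FILES = [
    FileEvent(r"C:\Windows\csrss.exe", SAMPLE_SHA256),
    FileEvent(r"C:\Users\Admin\AppData\Local\Temp\temp.bat",
              "f9937154dd4c95af3541c0c500a6ee9cd74e41e82bfc9fe091cf48bda166d04d"),
    FileEvent(r"C:\Users\Admin\AppData\Local\n.ini",
              "06528e003ef037734f0697b4900bc9ee570bc5fec0edf9bc60b1131293581e58"),
]
PROCESSES = [
    ProcessEvent(3224, 0, r"C:\Users\Admin\AppData\Local\Temp\43f80c13eba1c24db5b886b1ef80171f_JaffaCakes118.exe",
                 r'"C:\Users\Admin\AppData\Local\Temp\43f80c13eba1c24db5b886b1ef80171f_JaffaCakes118.exe"'),
    ProcessEvent(972, 3224, r"C:\Windows\csrss.exe", r"C:\Windows\csrss.exe"),
    ProcessEvent(2384, 3224, r"C:\Windows\SysWOW64\cmd.exe",
                 r"C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\temp.bat"),
]
# Placeholder: the report only says PID 972 added a Run key; hive and data are assumed.
RUNKEYS = [RunKeyEvent(972, "HKCU", r"C:\Windows\csrss.exe")]


def triage(files=FILES, processes=PROCESSES, runkeys=RUNKEYS):
    return {
        "self_copies": self_copies(files),
        "masquerades": masquerades(processes),
        "wow64_parents": wow64_redirections(processes),
        "run_key_to_dropped": persistence_to_dropped(runkeys, files),
    }


if __name__ == "__main__":
    for k, v in triage().items():
        print(f"{k}: {v}")
```

On a real host the same checks apply to EDR or Sysmon process-create and file-create events; the self-copy check is the strongest of the four because it needs no allow-list, only the hash of the suspect binary.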

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\M6JHG9EK\suggestions[1].en-US

    Filesize

    17KB

    MD5

    5a34cb996293fde2cb7a4ac89587393a

    SHA1

    3c96c993500690d1a77873cd62bc639b3a10653f

    SHA256

    c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

    SHA512

    e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

  • C:\Users\Admin\AppData\Local\Temp\temp.bat

    Filesize

    260B

    MD5

    0e8c07b9d848d921dbced195ac9e2a29

    SHA1

    9af3d3994d8d9b349ad9751bf07df6a69b95b151

    SHA256

    f9937154dd4c95af3541c0c500a6ee9cd74e41e82bfc9fe091cf48bda166d04d

    SHA512

    f2dc479df6998e954cfbd6ab0ac3c33cc67953eae94085dd5dce6c0edc3de03e8e0924428cbe8d0e012193e019f024ea7b0f0ae753aedce71d2d3e8e0586975b

  • C:\Users\Admin\AppData\Local\n.ini

    Filesize

    37B

    MD5

    1ad60c455a9b5e58d5a0b93577094275

    SHA1

    884e0d8a99f453440b8f172c271f301e10862c98

    SHA256

    06528e003ef037734f0697b4900bc9ee570bc5fec0edf9bc60b1131293581e58

    SHA512

    9674964002e688be9f6dd079e8a3d7c6b5cb80d0422c8ca0f4af36653c2d0718e27ad9c10146b07c6bedaa5c20b09360ad786efdcd26a9cda6e8c8eb4970442a

  • C:\Users\Admin\AppData\Local\n.ini

    Filesize

    65B

    MD5

    e29b8b5f9b14cbee53bfa89edeaf1428

    SHA1

    38d08ffd4a99fb9e8153754787f23c424bc3d6f4

    SHA256

    7e69619337ee4e978b11c90c5a5625d0c5e7b1ed5d275cd99804cee02bb998f7

    SHA512

    baa41df8d2579caa8d7f25733a2ca4435d07432da7326b6891737b4dc476d4fa20754a48c7b42d9e9d493d62f3c2dfa224498c904a54b1ce6bdabe9f85968c63

  • C:\Users\Admin\AppData\Local\n.ini

    Filesize

    8B

    MD5

    2b0af526f63f53b600f44563dea495bf

    SHA1

    c68d07460fb7357661084c5790adaef44f5148fe

    SHA256

    d014253c7851b8e9a19405bdf737091240167361bc281a5affdf78052bd6d549

    SHA512

    11c9b6d4396e86622bd7394c113e2fa49a9de800927f5229f63ace7b2589bb69512c1f523471b7c6c558a4124dc8adb33f80c521a5afeb94085a37ee61af17c0

  • C:\Users\Admin\AppData\Local\n.ini

    Filesize

    65B

    MD5

    aea58a670a3574f3e0a8d65d8a569ee4

    SHA1

    fb6557c24d3674ea1f9069976e23c15c5ffcd708

    SHA256

    56a534cd0bace3a6e359061d663eb2bdc9d929dddd728fdceddfc4768b16095a

    SHA512

    1dacccfb6eaa2e408bc57d58b911cf5f91e44be725c41bf92295ca8c1df0d622ce8cc4e92e8afd532769361e4ab0c174cb795815587c4380227b9b27b55fa078

  • C:\Windows\csrss.exe

    Filesize

    23KB

    MD5

    43f80c13eba1c24db5b886b1ef80171f

    SHA1

    628c306f413540ef61ac46ba99265743ed775c62

    SHA256

    06cce93a2695dd6f4d3ac92cbe2570ceea5d780e316c1e62f2c4786db3c72236

    SHA512

    e009479cf1328a212c009f50a575d1f3eee978443399e498dea0a313847d5ab76aca3fa2098883aa6b1264931238971145ee2f4df5675398aea0cca3408060cc

  • memory/972-21-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

  • memory/972-1012-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

  • memory/3224-24-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

  • memory/3224-0-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

  • memory/3224-8-0x0000000000560000-0x0000000000561000-memory.dmp

    Filesize

    4KB

  • memory/3224-1-0x0000000000560000-0x0000000000561000-memory.dmp

    Filesize

    4KB