Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

c56dc5ef9d...18.exe

windows7-x64

10

c56dc5ef9d...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    122s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    05/12/2024, 02:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c56dc5ef9db2e5c9ffce880b86885635_JaffaCakes118.exe

  • Size

    614KB

  • MD5

    c56dc5ef9db2e5c9ffce880b86885635

  • SHA1

    61c7583ca191c0dc69a99d95f403c7071d10981c

  • SHA256

    9f4f13431118ce4c4cbf0449526b4fdd2508dade1c3e89a2c4f71c3dbede3989

  • SHA512

    66c2f77ca2761134bf5a592076b28d46dbba23f047a596f74cd5f44a6cb64821aaa3748a60fae2258efbc679751f5e4b42de8971cf1e0aedfc916f465bd9aa73

  • SSDEEP

    12288:9BpbqB/sZL24qFPESlQ/YSb5y4j3CiikgwKkkANPgK0CxYPIrLowcPBtUfu/X2LU:9BpG/sx24quSl4Vb5XjSiDgRXANPgK3n

Score
10/10
metasploitbackdoordiscoverypersistenceprivilege_escalationtrojan

Malware Config

Extracted

Family

metasploit

Version

windows/shell_reverse_tcp

C2

10.10.100.55:4444

Extracted

Family

metasploit

Version

encoder/shikata_ga_nai

Signatures

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    trojanbackdoormetasploit
  • Metasploit family
    metasploit
  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    persistenceprivilege_escalation
  • Loads dropped DLL 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 27 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c56dc5ef9db2e5c9ffce880b86885635_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\c56dc5ef9db2e5c9ffce880b86885635_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1672
    • C:\Windows\SysWOW64\wscript.exe
      wscript.exe "C:\Users\Admin\AppData\Local\Temp\revshell.vbs"
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      PID:2124

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\revshell.vbs
    Filesize

    509KB

    MD5

    1c7cc32cc58fdc887b77cfee6f53e9f6

    SHA1

    e393ba48b94bc2493ae56523399e4f106faddc60

    SHA256

    7ed6e33e50efce8f8458ee672912961d5af21b5f24406f7129c752d36834d15b

    SHA512

    7468c90b63dbd5c6047db7d985332471c64c1252fdc997cc8bbe7426bd28e1927bb13c7b52ca3d65bf34ccda5ab99516b870fafd70c3a81e3d8a0590c7e3273e

    Download Submit

  • \Users\Admin\AppData\Local\Temp\DynaWrap.dll
    Filesize

    15KB

    MD5

    0a9542085c0b6f8fff20fdff8c813117

    SHA1

    2db1ff2de9457163fb1a3b00293780a9775b2cb4

    SHA256

    6455942d67b95cefac77daf290a5ab690582637148d00e1381a51b6bf152a931

    SHA512

    f4373e382e26c81ba6773ec57d51059edf7822efc6a3610f94f5e0ab0b71e07d5bd27f51711202648d8faff47697e4b4a4b68e16d5be1ca287bb974bdd8f9e23

    Download Submit

  • memory/2124-5-0x0000000000110000-0x0000000000111000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2124-8-0x0000000000110000-0x0000000000111000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2124-7-0x0000000000110000-0x0000000000111000-memory.dmp

    Filesize

    4KB

    Download