Analysis
max time kernel: 142s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29/12/2024, 07:59
Static task: static1
Behavioral task: behavioral1
Sample: JaffaCakes118_0a69060bb1b7b314a9613c4eb2af33e8be28b0d9ccfcd7a0581288fe43cd05ba.exe
Resource: win7-20240903-en
General
Target: JaffaCakes118_0a69060bb1b7b314a9613c4eb2af33e8be28b0d9ccfcd7a0581288fe43cd05ba.exe
Size: 329KB
MD5: b0e287b49e8dcda8c13c6485611da3d9
SHA1: b3fdc643db4aa7b1f33120068f3554779bf33654
SHA256: 0a69060bb1b7b314a9613c4eb2af33e8be28b0d9ccfcd7a0581288fe43cd05ba
SHA512: daaa678e8297adb99b1081d013447811d2c48a2444c53ff671393dbbf5482e6f34d57484bb61dd6a2afaa1c1636323c39ca2e61adf2b582d916d1ca4616b1ffb
SSDEEP: 6144:qM9HlLfe+Oaj1dU9y6WYW+UHr0pqrgSBaYAjmJ:qM9HljjOapdb6i+cIpIlJ
Malware Config
Extracted
Family: gcleaner
C2:
- 45.139.105.171
- 85.31.46.167
- 107.182.129.235
- 171.22.30.106
url_path:
- ....!..../software.php
- ....!..../software.php
Signatures
Gcleaner family
Program crash (9 IoCs)
pid   pid_target  Process       procid_target
1376  5112        WerFault.exe  84
4648  5112        WerFault.exe  84
1188  5112        WerFault.exe  84
544   5112        WerFault.exe  84
2148  5112        WerFault.exe  84
2104  5112        WerFault.exe  84
2488  5112        WerFault.exe  84
4484  5112        WerFault.exe  84
4484  5112        WerFault.exe  84
System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  JaffaCakes118_0a69060bb1b7b314a9613c4eb2af33e8be28b0d9ccfcd7a0581288fe43cd05ba.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid   Process
5112  JaffaCakes118_0a69060bb1b7b314a9613c4eb2af33e8be28b0d9ccfcd7a0581288fe43cd05ba.exe
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0a69060bb1b7b314a9613c4eb2af33e8be28b0d9ccfcd7a0581288fe43cd05ba.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0a69060bb1b7b314a9613c4eb2af33e8be28b0d9ccfcd7a0581288fe43cd05ba.exe"
  PID: 5112
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  Child processes:
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5112 -s 452
      PID: 1376
      - Program crash
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5112 -s 764
      PID: 4648
      - Program crash
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5112 -s 764
      PID: 1188
      - Program crash
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5112 -s 796
      PID: 544
      - Program crash
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5112 -s 836
      PID: 2148
      - Program crash
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5112 -s 928
      PID: 2104
      - Program crash
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5112 -s 932
      PID: 2488
      - Program crash
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5112 -s 1072
      PID: 4484
      - Program crash
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5112 -s 800
      PID: 4484
      - Program crash
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 5112 -ip 5112
  PID: 3284
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5112 -ip 5112
  PID: 1304
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5112 -ip 5112
  PID: 3288
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5112 -ip 5112
  PID: 4840
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5112 -ip 5112
  PID: 4328
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 5112 -ip 5112
  PID: 4904
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 5112 -ip 5112
  PID: 4684
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 5112 -ip 5112
  PID: 4316
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 5112 -ip 5112
  PID: 4296