Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

JaffaCakes...4f.exe

windows7-x64

10

JaffaCakes...4f.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    150s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23/01/2025, 05:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_142cce6c8e06744bc0cbd5425c309f4f.exe

  • Size

    2.8MB

  • MD5

    142cce6c8e06744bc0cbd5425c309f4f

  • SHA1

    16c16dcc37cf688cdbc96c9e3be126e06a4a3942

  • SHA256

    3b31c8cce7b8a24dd175a06ffd23aa21a2eb37415fe8a7b0876ecb8865f6a9fc

  • SHA512

    b42b832bad0130af5b4e104883e92d87c647fd55a8ee166cf761632ab5b6ee43a0afea8622f133df73defcf86326e109d17cb523c47e9deb5964e5c5a9f805c1

  • SSDEEP

    49152:/2W7bHP6W59tEEz3R/N9KZV8ora4hkz4HVXZ4:eov6Stpz35OZCj4hkz41J

Score
8/10
discoverypersistenceupx

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • UPX packed file 11 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SendNotifyMessage 5 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_142cce6c8e06744bc0cbd5425c309f4f.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_142cce6c8e06744bc0cbd5425c309f4f.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3356
    • C:\Windows\SysWOW64\AV Protection 2011v121.exe
      C:\Windows\system32\AV Protection 2011v121.exe 5985C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_142cce6c8e06744bc0cbd5425c309f4f.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3104
      • C:\Users\Admin\AppData\Roaming\mCekIBrzPyAuDoF\AV Protection 2011v121.exe
        C:\Users\Admin\AppData\Roaming\mCekIBrzPyAuDoF\AV Protection 2011v121.exe 5985C:\Windows\SysWOW64\AV Protection 2011v121.exe
        3⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        PID:2920
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2312

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\ahst.lni
    Filesize

    610B

    MD5

    891845a5b531a311c5dab9c70c066aca

    SHA1

    c1f5753eb31b0a93fca09412f3f933b2f3d61aae

    SHA256

    3bbfb5ab81caa81fa836396bec96aff05529d76107144cffc2267ca4436c09c7

    SHA512

    a0fbe9d32bbbc9d6c2645381ec503968c449e42b5b5646a28e2d12fc44e9d6ec2cc49febf4c92a038d75a307638098a67671cea6c887d242885eb49cecddea09

    Download Submit

  • C:\Users\Admin\AppData\Roaming\ahst.lni
    Filesize

    1KB

    MD5

    7f78d527a535a70e1ac5dec146ac2827

    SHA1

    52c5fb68b73d65c168cf17778db32212eeb92855

    SHA256

    33f3ae5e39a5823ab63e83a0290c6c4fcc6c7d5a548a61a289150a9a2d37c7a3

    SHA512

    0bf2126fdea689247b3454fba8199097e3da97ca9f16c2b923e333eba5e199372f5b1aaeb240ff63ea6b5ccdf939d4b870ed71bb52ed780597e3b72d45a7b598

    Download Submit

  • C:\Windows\SysWOW64\AV Protection 2011v121.exe
    Filesize

    2.8MB

    MD5

    142cce6c8e06744bc0cbd5425c309f4f

    SHA1

    16c16dcc37cf688cdbc96c9e3be126e06a4a3942

    SHA256

    3b31c8cce7b8a24dd175a06ffd23aa21a2eb37415fe8a7b0876ecb8865f6a9fc

    SHA512

    b42b832bad0130af5b4e104883e92d87c647fd55a8ee166cf761632ab5b6ee43a0afea8622f133df73defcf86326e109d17cb523c47e9deb5964e5c5a9f805c1

    Download Submit

  • C:\Windows\System32\drivers\etc\hosts
    Filesize

    1KB

    MD5

    873d3a8615c58ab97e3ab961298f44bb

    SHA1

    f7f01fdb2204da24b5635dac70908c767529dcef

    SHA256

    670f1b79bd41b74bb50efc4bd8e6ed3924e53596ab019fbbc8320ebc8e0d1768

    SHA512

    2bf1ffba638413d88758706b12ec074204176ea171c41ab34f19f11df02dfaa05b10c7511dba680bf5016213bb69031367acef10fd324c0c7f65c82e28b9f8ef

    Download Submit

  • memory/2920-107-0x0000000000400000-0x0000000000918000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/2920-96-0x0000000000400000-0x0000000000918000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/2920-150-0x0000000000400000-0x0000000000918000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/2920-139-0x0000000000400000-0x0000000000918000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/2920-118-0x0000000000400000-0x0000000000918000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/3104-17-0x0000000000400000-0x0000000000918000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/3104-18-0x0000000000400000-0x0000000000918000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/3104-24-0x0000000000400000-0x0000000000918000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/3104-13-0x0000000000400000-0x0000000000918000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/3356-12-0x0000000000400000-0x0000000000913000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/3356-1-0x0000000000400000-0x0000000000918000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/3356-0-0x0000000002740000-0x0000000002B4E000-memory.dmp

    Filesize

    4.1MB

    Download

  • memory/3356-5-0x0000000000400000-0x0000000000918000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/3356-4-0x0000000000400000-0x0000000000913000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/3356-11-0x0000000000400000-0x0000000000918000-memory.dmp

    Filesize

    5.1MB

    Download