Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

f1d4115609...18.exe

windows7-x64

7

f1d4115609...18.exe

windows10-2004-x64

7

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

$PLUGINSDI...sh.dll

windows7-x64

1

$PLUGINSDI...sh.dll

windows10-2004-x64

1

$PLUGINSDI...ss.dll

windows7-x64

3

$PLUGINSDI...ss.dll

windows10-2004-x64

3

$TEMP/~nsi...86.dll

windows7-x64

1

$TEMP/~nsi...86.dll

windows10-2004-x64

3

Cloud-Web_2_86.dll

windows7-x64

6

Cloud-Web_2_86.dll

windows10-2004-x64

6

Cloud-Web_2_86.dll

windows7-x64

6

Cloud-Web_2_86.dll

windows10-2004-x64

6

Cloud-Web_...86.dll

windows7-x64

1

Cloud-Web_...86.dll

windows10-2004-x64

1

Cloud-Web_...86.dll

windows7-x64

1

Cloud-Web_...86.dll

windows10-2004-x64

1

Cloud-Web_...86.dll

windows7-x64

1

Cloud-Web_...86.dll

windows10-2004-x64

3

Cloud-Web_...86.dll

windows7-x64

1

Cloud-Web_...86.dll

windows10-2004-x64

3

Cloud-Web_run.exe

windows7-x64

6

Cloud-Web_run.exe

windows10-2004-x64

6

Cloud-Web_run.exe

windows7-x64

6

Cloud-Web_run.exe

windows10-2004-x64

6

Cloud-Web_tb_2_86.dll

windows7-x64

1

Cloud-Web_tb_2_86.dll

windows10-2004-x64

1

Cloud-Web_tb_2_86.dll

windows7-x64

1

Cloud-Web_tb_2_86.dll

windows10-2004-x64

1

cloudidsvc.exe

windows7-x64

1

cloudidsvc.exe

windows10-2004-x64

1

Analysis

  • max time kernel
    128s
  • max time network
    130s
  • platform
    windows7_x64
  • resource
    win7-20240319-en
  • resource tags

    arch:x64arch:x86image:win7-20240319-enlocale:en-usos:windows7-x64system
  • submitted
    15/04/2024, 20:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f1d4115609ebdba98586dbcadd5cfd27_JaffaCakes118.exe

  • Size

    587KB

  • MD5

    f1d4115609ebdba98586dbcadd5cfd27

  • SHA1

    f3900de98053c1cd44e6df41867fda507814daba

  • SHA256

    7886e911d79668ca934c87d8612f3722fe9be00efa23785940f836d4f37b5373

  • SHA512

    f9c137ca7455b20558d350c73d2633e89e40c45c9b07d52fff531f67d47efa8ea95d5810a545437e7473e8a907262b8dc15e38340702b91035152c8974b79af0

  • SSDEEP

    12288:JMTbLIlQhBaUFP9QVKjHtzp7F2tpeOEnNsViTeyJgu:eXLe4zFPzBl7F2P6N4iv

Score
7/10
adwarediscoverystealer

Malware Config

Signatures

  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 32 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

    stealeradware
  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 16 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 28 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f1d4115609ebdba98586dbcadd5cfd27_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\f1d4115609ebdba98586dbcadd5cfd27_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Installs/modifies Browser Helper Object
    • Drops file in Program Files directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1192
    • C:\Program Files (x86)\Cloud-Web\cloudidsvc.ex_
      "C:\Program Files (x86)\Cloud-Web\cloudidsvc.ex_" /stop
      2⤵
      • Executes dropped EXE
      PID:2716
    • C:\Program Files (x86)\Cloud-Web\cloudidsvc.ex_
      "C:\Program Files (x86)\Cloud-Web\cloudidsvc.ex_" /u
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      PID:2724
    • C:\Program Files (x86)\Cloud-Web\cloudidsvc.exe
      "C:\Program Files (x86)\Cloud-Web\cloudidsvc.exe" /i
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Program Files directory
      PID:2564
    • C:\Program Files (x86)\Cloud-Web\cloudidsvc.exe
      "C:\Program Files (x86)\Cloud-Web\cloudidsvc.exe" /start
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      PID:2328
  • C:\Program Files (x86)\Cloud-Web\cloudidsvc.exe
    "C:\Program Files (x86)\Cloud-Web\cloudidsvc.exe"
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    PID:2900

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Cloud-Web\Cloud-Web_run.exe
    Filesize

    127KB

    MD5

    f58b43fe184e6e6617b543d6e328db4b

    SHA1

    5c3c21cbcfe750102766d4e3a0d2023080900948

    SHA256

    fa1d28539f809a9333959b0ce12625e0b1282f8eab2effb9743f907f4a9cdd2b

    SHA512

    20ee54ea0e4a6473aa3171eff5f18141fca5145c562cf7b72283ceacf3f796352d07b9cb22f7ad46268df0cc1916a4b02a3dce862c58e4cfab87e16c36bf1059

    Download Submit

  • C:\Program Files (x86)\Cloud-Web\Log\cloudweb_up_20240415.txt
    Filesize

    305B

    MD5

    0027a6d2f9ea1222f5f9a7390efa60ed

    SHA1

    d1c76c93bdf7fa462fe797d72bfd5a995415c1f3

    SHA256

    b3228bf1f06e53b487eca0e4c262dff68539a0ab19791275905a860d60618cd9

    SHA512

    efd96af39cfb94ac24dac80d24cbcf543af7065be356822c3aef3e0c747d13deeadeeb0b0e96725a026571799c2fe2f062f57242dac5a60e5a3b65619006f79c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nso518B.tmp\splash.jpg
    Filesize

    631B

    MD5

    d68e763c825dc0e388929ae1b375ce18

    SHA1

    7951a43bbfb08fd742224ada280913d1897b89ab

    SHA256

    25cf0f0ce42f8acd9ea6facc223f54105c7fd0cce63fb7bb5d83e6600100acbd

    SHA512

    1e146e2631a4f3bd091905ccc10ed1054700349648cd52aad24eaeeedff0fac4b44b6212284a6d0855942ff16308c66402ecb895e68ef1c66dcd496973043cdb

    Download Submit

  • \Program Files (x86)\Cloud-Web\Cloud-Web_2_86.dll
    Filesize

    123KB

    MD5

    f5e11bef483ed3b0c2436099a61b090b

    SHA1

    fbf8fb0a380d69ab83365a0f9dfb9d6aa89ca0c8

    SHA256

    02ff072273315997902c1aaa97d111d99e75bc4624e9b2a3f801d469d9a6bf3f

    SHA512

    9d7ebcc4e7a6cc3049b90a30d9ab1c7dc23307c4050b79b4de7cb407130424a49222e9ceefd09016f74e7306b87f164c6d91b8adb9367b01eefe91005b24f5f9

    Download Submit

  • \Program Files (x86)\Cloud-Web\Cloud-Web_mime_2_86.dll
    Filesize

    210KB

    MD5

    e03152320af546785839f21cefd28ce1

    SHA1

    7264e5753bb5313b9ceb69d05c15e000ed938559

    SHA256

    6807aee8007988c5409a947a526c187c66e349886399541454800ce2a99c2442

    SHA512

    93681775e96cb80b8cc4b89c788902f5070497c5a0120c0ba965c14e651ab3726387bc0d3f8feeaf315ae45bd7bf40bf37f1e2fd379b89bc812c9dd2fdfefb5e

    Download Submit

  • \Program Files (x86)\Cloud-Web\Cloud-Web_tb_2_86.dll
    Filesize

    127KB

    MD5

    fba59862b8e2d049b64c10af254f93a9

    SHA1

    712e432e17c744063995d45195b4a918c72f4790

    SHA256

    a1685530939b91cd4ab1d34a72bada8d41ef708754d829a1c24e6ab4b0e4b530

    SHA512

    cda0082126615957c1572142502a278fe5e80fed8bdc2bf674011039dbfa07066e7768355c8dcbeba316f917ce081ba7c2923f7534c2ab99ea606cdd61781086

    Download Submit

  • \Program Files (x86)\Cloud-Web\cloudidsvc.ex_
    Filesize

    107KB

    MD5

    a839f8672617d05b4c2937b99e925ee7

    SHA1

    fd47813200d810ae7751f1e18e09bc162fc7b3fb

    SHA256

    799bc692e8eeb52f466aa52e3207be5dff2ad83e761402b8877227bbfad6cc15

    SHA512

    d1f4a23eab71a87cbf079e3d5b4eb9bc2cea94a2f40ce40ee5dd4097873ff32b598d315d3426ad6a755b9d6a7c6d6bc430b8f173d84535ead8776479c4f6f727

    Download Submit

  • \Users\Admin\AppData\Local\Temp\nso518B.tmp\System.dll
    Filesize

    11KB

    MD5

    c17103ae9072a06da581dec998343fc1

    SHA1

    b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

    SHA256

    dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

    SHA512

    d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

    Download Submit

  • \Users\Admin\AppData\Local\Temp\nso518B.tmp\newadvsplash.dll
    Filesize

    8KB

    MD5

    7ee14dff57fb6e6c644b318d16768f4c

    SHA1

    9a5d5b31ab56ab01e9b0bd76c51b8b4605a8ccce

    SHA256

    53377d0710f551182edbab4150935425948535d11b92bf08a1c2dcf989723bd7

    SHA512

    0565ff2bdbdf044c5f90bd45475d478b48cdbd5e19569976291b1bdd703e61355410c65f29f2c9213faf56251beb16d342c8625288dad6afc670717b9636d51f

    Download Submit

  • \Users\Admin\AppData\Local\Temp\nso518B.tmp\nsProcess.dll
    Filesize

    4KB

    MD5

    8f4ac52cb2f7143f29f114add12452ad

    SHA1

    29dc25f5d69bf129d608b83821c8ec8ab8c8edb3

    SHA256

    b214d73aea95191f7363ad93cdc12b6fbd50a3a54b0aa891b3d45bc4b7b2aa04

    SHA512

    2f9e2c7450557c2b88a12d3a3b4ab999c9f2a4df0d39dcd795b307b89855387bc96fc6d4fb51de8f33de0780e08a3b15fdad43daeaf7373cca71b01d7afdaf0c

    Download Submit

  • \Users\Admin\AppData\Local\Temp\~nsis\Cloud-Web_nad_2_86.dll
    Filesize

    551KB

    MD5

    ed69beb49380916ea57113b0a0c924fc

    SHA1

    2ab7472804ef54e168b31614c25a45e322eb43e7

    SHA256

    b5de4af37fdb5723161b48306857e1bf4b95df7b46403499012c35c86cf0170d

    SHA512

    bb3b5cce79d7576917e039e4476f7a75fe8ec64681e3c9267f1aa295e6888a92852ca45318a2fec8b350fbc962f766dddaa75c13b6e0c6bf760a3bc479a1fbdb

    Download Submit

  • memory/1192-49-0x00000000036E0000-0x00000000036FF000-memory.dmp

    Filesize

    124KB

    Download

  • memory/1192-53-0x00000000036E0000-0x0000000003700000-memory.dmp

    Filesize

    128KB

    Download

  • memory/1192-56-0x0000000003700000-0x000000000378D000-memory.dmp

    Filesize

    564KB

    Download

  • memory/1192-12-0x0000000002500000-0x000000000258D000-memory.dmp

    Filesize

    564KB

    Download