Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

fad175591d...18.exe

windows7-x64

10

fad175591d...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    159s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    19/04/2024, 17:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fad175591d470141ff5971cbaee87c4e_JaffaCakes118.exe

  • Size

    592KB

  • MD5

    fad175591d470141ff5971cbaee87c4e

  • SHA1

    d3e083ab92a62682dd9425ca3e76ae74d97bfe30

  • SHA256

    5a814a0e6d8c44ba3519d4d11d39a22730a62729dce0bbda8d2946e5f02b7afb

  • SHA512

    fdaf8f1bfc719a9c85aa2afe07ad1aa45db2dc1cda5b77ed77820f911416a71c8c1a9e043290932824a7f1df1d28a2e274c9f8eae04f12df2bb975e9e298d2cc

  • SSDEEP

    12288:tvoeq1/cnTVKIBTuoHvK2+zw/D+UdZLfHcXeT9lYbTsQI/13B+Rzq9zWOvK7uOXF:uP0rD3KsV1pKM

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies firewall policy service 2 TTPs 8 IoCs
    evasion
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry key 1 TTPs 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 37 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 44 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fad175591d470141ff5971cbaee87c4e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\fad175591d470141ff5971cbaee87c4e_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in System32 directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2212
    • C:\Windows\SysWOW64\drvhost.exe
      "C:\Windows\system32\drvhost.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2884
      • C:\ProgramData\WinLogon.exe
        C:\ProgramData\WinLogon.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2712
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2376
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
            5⤵
            • Modifies firewall policy service
            • Modifies registry key
            PID:2472
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\ProgramData\WinLogon.exe" /t REG_SZ /d "C:\ProgramData\WinLogon.exe:*:Enabled:Windows Messanger" /f
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2516
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\ProgramData\WinLogon.exe" /t REG_SZ /d "C:\ProgramData\WinLogon.exe:*:Enabled:Windows Messanger" /f
            5⤵
            • Modifies firewall policy service
            • Modifies registry key
            PID:2780
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1952
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
            5⤵
            • Modifies firewall policy service
            • Modifies registry key
            PID:2800
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\9UK48PUZP1.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\9UK48PUZP1.exe:*:Enabled:Windows Messanger" /f
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2360
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\9UK48PUZP1.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\9UK48PUZP1.exe:*:Enabled:Windows Messanger" /f
            5⤵
            • Modifies firewall policy service
            • Modifies registry key
            PID:2156

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\WinLogon.exe
    Filesize

    6KB

    MD5

    36c689700adbb227867e409938607270

    SHA1

    6123e236f73faa37600a60107a5b167980b83a61

    SHA256

    a2158014ecd471868954d0e97397f9df43e310c48d56fa0b5a6ef908dc654adf

    SHA512

    c75728ed30135032a6755e33b9034b98c871554c33a4b8ba1586e0b3282dbc65e3b61571d407365b24289dae2de56b514ef0db744f85e6648dc6432a33b85fef

    Download Submit

  • \Windows\SysWOW64\drvhost.exe
    Filesize

    592KB

    MD5

    fad175591d470141ff5971cbaee87c4e

    SHA1

    d3e083ab92a62682dd9425ca3e76ae74d97bfe30

    SHA256

    5a814a0e6d8c44ba3519d4d11d39a22730a62729dce0bbda8d2946e5f02b7afb

    SHA512

    fdaf8f1bfc719a9c85aa2afe07ad1aa45db2dc1cda5b77ed77820f911416a71c8c1a9e043290932824a7f1df1d28a2e274c9f8eae04f12df2bb975e9e298d2cc

    Download Submit

  • memory/2212-0-0x0000000074BF0000-0x000000007519B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2212-1-0x0000000074BF0000-0x000000007519B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2212-2-0x00000000003A0000-0x00000000003E0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2212-13-0x0000000074BF0000-0x000000007519B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2712-47-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

    Download

  • memory/2712-45-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

    Download

  • memory/2712-23-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

    Download

  • memory/2712-26-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

    Download

  • memory/2712-60-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

    Download

  • memory/2712-28-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

    Download

  • memory/2712-30-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2712-32-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

    Download

  • memory/2712-59-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

    Download

  • memory/2712-43-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

    Download

  • memory/2712-44-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

    Download

  • memory/2712-57-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

    Download

  • memory/2712-56-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

    Download

  • memory/2712-49-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

    Download

  • memory/2712-51-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

    Download

  • memory/2712-52-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

    Download

  • memory/2712-53-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

    Download

  • memory/2884-16-0x0000000000A90000-0x0000000000AD0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2884-12-0x0000000074BF0000-0x000000007519B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2884-35-0x0000000074BF0000-0x000000007519B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2884-25-0x0000000074BF0000-0x000000007519B000-memory.dmp

    Filesize

    5.7MB

    Download