Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240412-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20/04/2024, 09:36
Static task
- static1
Behavioral tasks (sample on resource)
- behavioral1: fc751a15219828b9113b4e65e0c297f8_JaffaCakes118.exe on win7-20240221-en
- behavioral2: fc751a15219828b9113b4e65e0c297f8_JaffaCakes118.exe on win10v2004-20240226-en
- behavioral3: $PLUGINSDIR/StartMenu.dll on win7-20240221-en
- behavioral4: $PLUGINSDIR/StartMenu.dll on win10v2004-20240412-en
- behavioral5: Uninstall.exe on win7-20240221-en
- behavioral6: Uninstall.exe on win10v2004-20240226-en
- behavioral7: register.exe on win7-20240221-en
- behavioral8: register.exe on win10v2004-20240412-en
General
- Target: register.exe
- Size: 35KB
- MD5: 1d95755ffcfc57da3b9c32ff5fdb6934
- SHA1: c8a33a7b3394c1b4a0ba04d68b07579d711274b3
- SHA256: 94779bc3bd7e5a2a284a4839bd3b7a18bb59527d88b1d57b0f547eae67360fcc
- SHA512: 6d17f5a263699b683232f5f6b3c769a88e7c917e55bfbd89d0b847259340ff86d7e0ba36f3dac27c56a01ea4015b80607bc04b22de4b19aa1dde8af895a1324a
- SSDEEP: 768:FHaBX1ovfDMSA3yVG0nkrA/W7w2hyXV2tCIa6syM:UM3DMSzVvnkrA/2hyXQAB
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid / Process: 2296 Explorer.exe
- Unexpected DNS network traffic destination (34 IoCs)
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
  Destination IP 85.255.116.69 (17 occurrences)
  Destination IP 85.255.112.110 (17 occurrences)
- Drops file in System32 directory (2 IoCs)
  File created: C:\Windows\SysWOW64\jfvbq.exe (Process: register.exe)
  File opened for modification: C:\Windows\SysWOW64\jfvbq.exe (Process: register.exe)
- Suspicious use of SetThreadContext (2 IoCs)
  PID 3480 (register.exe) set thread context of PID 4268 (procid_target 87)
  PID 3480 (register.exe) set thread context of PID 2296 (procid_target 88)
- Gathers network information (2 TTPs, 5 IoCs)
  Uses commandline utility to view network configuration.
  pid / Process: 1656 ipconfig.exe, 1912 ipconfig.exe, 4952 ipconfig.exe, 4496 ipconfig.exe, 2540 ipconfig.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid / Process: 3480 register.exe
- Suspicious use of WriteProcessMemory (23 IoCs)
  PID 3480 (register.exe) wrote to memory of PID 4268 (procid_target 87): 4 IoCs
  PID 3480 (register.exe) wrote to memory of PID 2296 (procid_target 88): 4 IoCs
  PID 4268 (iexplore.exe) wrote to memory of PID 1656 (procid_target 89): 3 IoCs
  PID 4268 (iexplore.exe) wrote to memory of PID 1912 (procid_target 91): 3 IoCs
  PID 4268 (iexplore.exe) wrote to memory of PID 4496 (procid_target 92): 3 IoCs
  PID 4268 (iexplore.exe) wrote to memory of PID 4952 (procid_target 95): 3 IoCs
  PID 4268 (iexplore.exe) wrote to memory of PID 2540 (procid_target 97): 3 IoCs
Processes (tree; indentation shows parent/child depth)
- C:\Users\Admin\AppData\Local\Temp\register.exe (PID 3480)
  Command line: "C:\Users\Admin\AppData\Local\Temp\register.exe"
  Signatures: Drops file in System32 directory; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Internet Explorer\iexplore.exe (PID 4268)
    Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\ipconfig.exe (PID 1656)
      Command line: "C:\Windows\System32\ipconfig.exe" /flushdns
      Signatures: Gathers network information
    - C:\Windows\SysWOW64\ipconfig.exe (PID 1912)
      Command line: "C:\Windows\System32\ipconfig.exe" /registerdns
      Signatures: Gathers network information
    - C:\Windows\SysWOW64\ipconfig.exe (PID 4496)
      Command line: "C:\Windows\System32\ipconfig.exe" /dnsflush
      Signatures: Gathers network information
    - C:\Windows\SysWOW64\ipconfig.exe (PID 4952)
      Command line: "C:\Windows\System32\ipconfig.exe" /renew
      Signatures: Gathers network information
    - C:\Windows\SysWOW64\ipconfig.exe (PID 2540)
      Command line: "C:\Windows\System32\ipconfig.exe" /renew_all
      Signatures: Gathers network information
  - C:\Windows\SysWOW64\Explorer.exe (PID 2296)
    Command line: Explorer.exe
    Signatures: Deletes itself