Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
7Static
static
32520f6005d...18.exe
windows7-x64
72520f6005d...18.exe
windows10-2004-x64
7$DESKTOP/P...ne.jad
windows7-x64
3$DESKTOP/P...ne.jad
windows10-2004-x64
3$DESKTOP/P...ne.jad
windows7-x64
3$DESKTOP/P...ne.jad
windows10-2004-x64
3$PLUGINSDI...ns.dll
windows7-x64
3$PLUGINSDI...ns.dll
windows10-2004-x64
3$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3$PLUGINSDIR/inetc.dll
windows7-x64
3$PLUGINSDIR/inetc.dll
windows10-2004-x64
3PassMem.chm
windows7-x64
1PassMem.chm
windows10-2004-x64
1PassMem.exe
windows7-x64
1PassMem.exe
windows10-2004-x64
1UpdateApp.exe
windows7-x64
1UpdateApp.exe
windows10-2004-x64
1Analysis
-
max time kernel
118s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
08/05/2024, 13:47
Static task
static1
Behavioral task
behavioral1
Sample
2520f6005dd43203190a230828793f17_JaffaCakes118.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
2520f6005dd43203190a230828793f17_JaffaCakes118.exe
Resource
win10v2004-20240419-en
Behavioral task
behavioral3
Sample
$DESKTOP/PassMemPhone.jad
Resource
win7-20231129-en
Behavioral task
behavioral4
Sample
$DESKTOP/PassMemPhone.jad
Resource
win10v2004-20240426-en
Behavioral task
behavioral5
Sample
$DESKTOP/PassMemPhone.jad
Resource
win7-20240419-en
Behavioral task
behavioral6
Sample
$DESKTOP/PassMemPhone.jad
Resource
win10v2004-20240419-en
Behavioral task
behavioral7
Sample
$PLUGINSDIR/InstallOptions.dll
Resource
win7-20240221-en
Behavioral task
behavioral8
Sample
$PLUGINSDIR/InstallOptions.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral9
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240419-en
Behavioral task
behavioral10
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral11
Sample
$PLUGINSDIR/inetc.dll
Resource
win7-20240221-en
Behavioral task
behavioral12
Sample
$PLUGINSDIR/inetc.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral13
Sample
PassMem.chm
Resource
win7-20231129-en
Behavioral task
behavioral14
Sample
PassMem.chm
Resource
win10v2004-20240226-en
Behavioral task
behavioral15
Sample
PassMem.exe
Resource
win7-20240221-en
Behavioral task
behavioral16
Sample
PassMem.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral17
Sample
UpdateApp.exe
Resource
win7-20240220-en
Behavioral task
behavioral18
Sample
UpdateApp.exe
Resource
win10v2004-20240508-en
General
-
Target
$DESKTOP/PassMemPhone.jad
-
Size
278B
-
MD5
40d997c13a2ba3bb6652f8a60df57f7d
-
SHA1
7c8eeb01465f6644eb27b263830e1154162e3edc
-
SHA256
e5a2012bbca0caa52c49d9db48736e8a922a6205d5dbae5618421e7b524c0cc0
-
SHA512
cc7540333eb1fe267842fdabd0d3a78ba918b54fba6a0bf09a0c9b6d62b82fcce5e7341dbe32c2a7cc88791a6a9d2f34dc8efaef394176977586b3f8cdff9eab
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 9 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\jad_auto_file rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\jad_auto_file\shell\Read rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\jad_auto_file\shell\Read\command rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_Classes\Local Settings rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\jad_auto_file\ rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.jad rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.jad\ = "jad_auto_file" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\jad_auto_file\shell rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\jad_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" rundll32.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2716 AcroRd32.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2716 AcroRd32.exe 2716 AcroRd32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 756 wrote to memory of 1880 756 cmd.exe 29 PID 756 wrote to memory of 1880 756 cmd.exe 29 PID 756 wrote to memory of 1880 756 cmd.exe 29 PID 1880 wrote to memory of 2716 1880 rundll32.exe 30 PID 1880 wrote to memory of 2716 1880 rundll32.exe 30 PID 1880 wrote to memory of 2716 1880 rundll32.exe 30 PID 1880 wrote to memory of 2716 1880 rundll32.exe 30
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\$DESKTOP\PassMemPhone.jad1⤵
- Suspicious use of WriteProcessMemory
PID:756 -
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\$DESKTOP\PassMemPhone.jad2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1880 -
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\$DESKTOP\PassMemPhone.jad"3⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2716
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD594c0bbb9397326567d1148efc8f58a5a
SHA10efb62ee7bfa733d55020f9cf67fa13c89be92c9
SHA25672087f3614f96b10fc5f2da6568b22da190aa60e8b8edcd26566de48e6fed9d3
SHA51294b85d547bff7b600067c654d935c0a27e526b349699f09f40908c67f0c353ab8b00e572c492bd35687c85db4e13b9b1140cbf9fb6bc54be6dee69f2d45e6316