Overview
Static: score 7
41e52017f4...18.exe (windows7-x64): score 3
41e52017f4...18.exe (windows10-2004-x64): score 7
$PLUGINSDI...em.dll (windows7-x64): score 7
$PLUGINSDI...em.dll (windows10-2004-x64): score 3
$TEMP/upholder.dll (windows7-x64): score 3
$TEMP/upholder.dll (windows10-2004-x64): score 1
uninstall.exe (windows7-x64): score 3
uninstall.exe (windows10-2004-x64): score 7
Analysis (score 7)
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14/05/2024, 14:52
Static task
static1
Behavioral tasks
behavioral1: 41e52017f48ae7c7dee7a4cf08b71352_JaffaCakes118.exe (resource: win7-20240215-en)
behavioral2: 41e52017f48ae7c7dee7a4cf08b71352_JaffaCakes118.exe (resource: win10v2004-20240508-en)
behavioral3: $PLUGINSDIR/System.dll (resource: win7-20240508-en)
behavioral4: $PLUGINSDIR/System.dll (resource: win10v2004-20240426-en)
behavioral5: $TEMP/upholder.dll (resource: win7-20240221-en)
behavioral6: $TEMP/upholder.dll (resource: win10v2004-20240426-en)
behavioral7: uninstall.exe (resource: win7-20240221-en)
behavioral8: uninstall.exe (resource: win10v2004-20240426-en)
General
Target: uninstall.exe
Size: 33KB
MD5: 889515c301e7bfdd6fac809dd3439183
SHA1: bb0902cfc9798a7d1c8e0f3288c8bec0d60bb1fe
SHA256: fb3f23fade8d4c62a85a5d5cb95db292ea1c3a93ecf331ac9da58104a7dde2aa
SHA512: d9dde3b5b69c2c7e1308126c3375aa484943eb3614c04cfc1d2df41a63194e85e62f9391ef72b405c8078e8bb5d220c0f77e5d37c4a08360d321b67af3559f30
SSDEEP: 768:dWwSOHQVoQM8ios/aASUsWRs25iUk68v1fT3XJPdE2JRnUWop:EwJOoN1oYaoZ5iV685XJPCTWop
Malware Config
Signatures
- Deletes itself (1 IoCs)
  pid   Process
  2092  Au_.exe
- Executes dropped EXE (1 IoCs)
  pid   Process
  2092  Au_.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- NSIS installer (2 IoCs)
  resource                                    yara_rule
  behavioral8/files/0x0009000000023410-3.dat  nsis_installer_1
  behavioral8/files/0x0009000000023410-3.dat  nsis_installer_2
- Suspicious use of WriteProcessMemory (3 IoCs)
  description                       pid   Process        procid_target
  PID 3216 wrote to memory of 2092  3216  uninstall.exe  82
  PID 3216 wrote to memory of 2092  3216  uninstall.exe  82
  PID 3216 wrote to memory of 2092  3216  uninstall.exe  82
Processes
1. C:\Users\Admin\AppData\Local\Temp\uninstall.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\uninstall.exe"
   PID: 3216
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
      PID: 2092
      - Deletes itself
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15