Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

9ffa193108...18.exe

windows7-x64

10

9ffa193108...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    12/06/2024, 08:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9ffa193108a51cbc901ffb13a07d70a8_JaffaCakes118.exe

  • Size

    271KB

  • MD5

    9ffa193108a51cbc901ffb13a07d70a8

  • SHA1

    7e74cc4561d7b6acd8a5f82e8ed0d0a71813b434

  • SHA256

    27721c21711b0a8f2ae1d1e1187cf7f61db114255c824d4f26609f291ef35f49

  • SHA512

    99d0d7cf9e979e6c2ba3eaa9f0d12b1f665feca0eaf07d18316e3ff25acf0f372717eb648fd734fa766de83b0a38662275e68a01eb91bcc110ba7d733818c1d4

  • SSDEEP

    6144:ocSjxuf1/mO100DbkOiT+ZKyA8pCnjNKWA3OzA7S2XQjQhQwD:+oloWklsRWjHA3frqJwD

Score
10/10
betabotbackdoorbotnetevasionpersistencetrojan

Malware Config

Signatures

  • BetaBot

    Beta Bot is a Trojan that infects computers and disables Antivirus.

    trojanbackdoorbotnetbetabot
  • Modifies firewall policy service 2 TTPs 4 IoCs
    evasion
  • Sets file execution options in registry 2 TTPs 4 IoCs
    persistence
  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
  • Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 31 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    1⤵
      PID:1168
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
        PID:1196
        • C:\Users\Admin\AppData\Local\Temp\9ffa193108a51cbc901ffb13a07d70a8_JaffaCakes118.exe
          "C:\Users\Admin\AppData\Local\Temp\9ffa193108a51cbc901ffb13a07d70a8_JaffaCakes118.exe"
          2⤵
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:756
          • C:\Users\Admin\AppData\Local\Temprihanna.exe
            "C:\Users\Admin\AppData\Local\Temprihanna.exe"
            3⤵
            • Sets file execution options in registry
            • Executes dropped EXE
            • Checks whether UAC is enabled
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Checks processor information in registry
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2532
            • C:\Windows\SysWOW64\explorer.exe
              C:\Windows\SysWOW64\explorer.exe
              4⤵
              • Modifies firewall policy service
              • Sets file execution options in registry
              • Checks BIOS information in registry
              • Adds Run key to start application
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Checks processor information in registry
              • Enumerates system info in registry
              • Modifies Internet Explorer Protected Mode
              • Modifies Internet Explorer Protected Mode Banner
              • Modifies Internet Explorer settings
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2568

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temprihanna.exe
        Filesize

        197KB

        MD5

        852c69a76a091643ee58ff2b038c540a

        SHA1

        0f06f7191746fa1b788b25b63e907f0b5655c29a

        SHA256

        a7094c7edfced8a28eee60330c270f8d9c5ab34d663aa565ac6591840a7b742a

        SHA512

        d00f3166487ff1762a828fbdf3c20788999747efb23b72fb0d080d031d38929b6ea392af7342aac53c577f07dc1e17e1bdee40b7e3df845324275d6d3b316c8b

        Download Submit

      • memory/756-0-0x000007FEF5D5E000-0x000007FEF5D5F000-memory.dmp

        Filesize

        4KB

        Download

      • memory/756-1-0x000007FEF5AA0000-0x000007FEF643D000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/756-2-0x000007FEF5AA0000-0x000007FEF643D000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/756-5-0x000007FEF5AA0000-0x000007FEF643D000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/756-4-0x000007FEF5AA0000-0x000007FEF643D000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/756-3-0x000007FEF5AA0000-0x000007FEF643D000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/756-6-0x000007FEF5AA0000-0x000007FEF643D000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/756-7-0x000000001AEF0000-0x000000001AF26000-memory.dmp

        Filesize

        216KB

        Download

      • memory/756-13-0x000007FEF5AA0000-0x000007FEF643D000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2532-16-0x0000000000110000-0x000000000011D000-memory.dmp

        Filesize

        52KB

        Download

      • memory/2532-15-0x0000000000100000-0x0000000000106000-memory.dmp

        Filesize

        24KB

        Download

      • memory/2532-14-0x0000000000370000-0x00000000003D6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/2532-17-0x0000000077810000-0x0000000077811000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2532-18-0x0000000000370000-0x00000000003D6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/2532-21-0x00000000003F0000-0x00000000003FC000-memory.dmp

        Filesize

        48KB

        Download

      • memory/2532-22-0x0000000000370000-0x00000000003D6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/2532-20-0x0000000000250000-0x0000000000251000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2532-33-0x00000000003E0000-0x00000000003E1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2532-34-0x0000000001110000-0x0000000001145000-memory.dmp

        Filesize

        212KB

        Download

      • memory/2532-35-0x0000000000370000-0x00000000003D6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/2532-36-0x0000000000100000-0x0000000000106000-memory.dmp

        Filesize

        24KB

        Download

      • memory/2568-28-0x0000000077800000-0x0000000077981000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/2568-40-0x0000000077800000-0x0000000077981000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/2568-31-0x00000000001C0000-0x000000000025B000-memory.dmp

        Filesize

        620KB

        Download

      • memory/2568-29-0x0000000077800000-0x0000000077981000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/2568-27-0x0000000077800000-0x0000000077981000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/2568-26-0x00000000001C0000-0x000000000025B000-memory.dmp

        Filesize

        620KB

        Download

      • memory/2568-25-0x0000000077800000-0x0000000077981000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/2568-24-0x0000000077800000-0x0000000077981000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/2568-37-0x0000000077800000-0x0000000077981000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/2568-38-0x0000000077800000-0x0000000077981000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/2568-39-0x0000000077800000-0x0000000077981000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/2568-30-0x0000000077800000-0x0000000077981000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/2568-41-0x0000000077800000-0x0000000077981000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/2568-42-0x0000000077800000-0x0000000077981000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/2568-43-0x0000000077800000-0x0000000077981000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/2568-44-0x0000000077800000-0x0000000077981000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/2568-45-0x0000000077800000-0x0000000077981000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/2568-46-0x0000000077800000-0x0000000077981000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/2568-47-0x0000000077800000-0x0000000077981000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/2568-48-0x00000000001C0000-0x000000000025B000-memory.dmp

        Filesize

        620KB

        Download

      • memory/2568-49-0x0000000077800000-0x0000000077981000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/2568-50-0x0000000077800000-0x0000000077981000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/2568-52-0x0000000077800000-0x0000000077981000-memory.dmp

        Filesize

        1.5MB

        Download