Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

9ffa193108...18.exe

windows7-x64

10

9ffa193108...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12/06/2024, 08:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9ffa193108a51cbc901ffb13a07d70a8_JaffaCakes118.exe

  • Size

    271KB

  • MD5

    9ffa193108a51cbc901ffb13a07d70a8

  • SHA1

    7e74cc4561d7b6acd8a5f82e8ed0d0a71813b434

  • SHA256

    27721c21711b0a8f2ae1d1e1187cf7f61db114255c824d4f26609f291ef35f49

  • SHA512

    99d0d7cf9e979e6c2ba3eaa9f0d12b1f665feca0eaf07d18316e3ff25acf0f372717eb648fd734fa766de83b0a38662275e68a01eb91bcc110ba7d733818c1d4

  • SSDEEP

    6144:ocSjxuf1/mO100DbkOiT+ZKyA8pCnjNKWA3OzA7S2XQjQhQwD:+oloWklsRWjHA3frqJwD

Score
10/10
betabotbackdoorbotnetevasionpersistencetrojan

Malware Config

Signatures

  • BetaBot

    Beta Bot is a Trojan that infects computers and disables Antivirus.

    trojanbackdoorbotnetbetabot
  • Modifies firewall policy service 2 TTPs 4 IoCs
    evasion
  • Sets file execution options in registry 2 TTPs 4 IoCs
    persistence
  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Drops desktop.ini file(s) 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
  • Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 31 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9ffa193108a51cbc901ffb13a07d70a8_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\9ffa193108a51cbc901ffb13a07d70a8_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops desktop.ini file(s)
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4784
    • C:\Users\Admin\AppData\Local\Temprihanna.exe
      "C:\Users\Admin\AppData\Local\Temprihanna.exe"
      2⤵
      • Sets file execution options in registry
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Checks processor information in registry
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2000
      • C:\Windows\SysWOW64\explorer.exe
        C:\Windows\SysWOW64\explorer.exe
        3⤵
        • Modifies firewall policy service
        • Sets file execution options in registry
        • Checks BIOS information in registry
        • Adds Run key to start application
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Checks processor information in registry
        • Enumerates system info in registry
        • Modifies Internet Explorer Protected Mode
        • Modifies Internet Explorer Protected Mode Banner
        • Modifies Internet Explorer settings
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:528
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 528 -s 1140
          4⤵
          • Program crash
          PID:1012
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 528 -ip 528
    1⤵
      PID:1552
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3772 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8
      1⤵
        PID:836

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temprihanna.exe
        Filesize

        197KB

        MD5

        852c69a76a091643ee58ff2b038c540a

        SHA1

        0f06f7191746fa1b788b25b63e907f0b5655c29a

        SHA256

        a7094c7edfced8a28eee60330c270f8d9c5ab34d663aa565ac6591840a7b742a

        SHA512

        d00f3166487ff1762a828fbdf3c20788999747efb23b72fb0d080d031d38929b6ea392af7342aac53c577f07dc1e17e1bdee40b7e3df845324275d6d3b316c8b

        Download Submit

      • memory/528-38-0x0000000000D90000-0x00000000011C3000-memory.dmp

        Filesize

        4.2MB

        Download

      • memory/528-33-0x0000000000D90000-0x00000000011C4000-memory.dmp

        Filesize

        4.2MB

        Download

      • memory/528-35-0x0000000000D90000-0x00000000011C4000-memory.dmp

        Filesize

        4.2MB

        Download

      • memory/528-36-0x00000000004E0000-0x000000000057B000-memory.dmp

        Filesize

        620KB

        Download

      • memory/2000-39-0x00000000001A0000-0x00000000001D5000-memory.dmp

        Filesize

        212KB

        Download

      • memory/2000-25-0x0000000000C60000-0x0000000000CC6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/2000-42-0x0000000002E40000-0x0000000002E41000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2000-31-0x0000000002E50000-0x0000000002E5C000-memory.dmp

        Filesize

        48KB

        Download

      • memory/2000-32-0x0000000000C60000-0x0000000000CC6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/2000-30-0x0000000002E20000-0x0000000002E21000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2000-28-0x0000000000C60000-0x0000000000CC6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/2000-27-0x00000000779E4000-0x00000000779E5000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2000-41-0x0000000000C60000-0x0000000000CC6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/2000-26-0x0000000000BF0000-0x0000000000BFD000-memory.dmp

        Filesize

        52KB

        Download

      • memory/4784-7-0x000000001C680000-0x000000001C6CC000-memory.dmp

        Filesize

        304KB

        Download

      • memory/4784-24-0x00007FF8A2480000-0x00007FF8A2E21000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/4784-12-0x00007FF8A2480000-0x00007FF8A2E21000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/4784-11-0x000000001F510000-0x000000001F546000-memory.dmp

        Filesize

        216KB

        Download

      • memory/4784-10-0x00007FF8A2480000-0x00007FF8A2E21000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/4784-9-0x00007FF8A2480000-0x00007FF8A2E21000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/4784-8-0x00007FF8A2480000-0x00007FF8A2E21000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/4784-0-0x00007FF8A2735000-0x00007FF8A2736000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4784-6-0x0000000001210000-0x0000000001218000-memory.dmp

        Filesize

        32KB

        Download

      • memory/4784-5-0x000000001C4D0000-0x000000001C56C000-memory.dmp

        Filesize

        624KB

        Download

      • memory/4784-4-0x000000001BF60000-0x000000001C42E000-memory.dmp

        Filesize

        4.8MB

        Download

      • memory/4784-3-0x000000001B9E0000-0x000000001BA86000-memory.dmp

        Filesize

        664KB

        Download

      • memory/4784-2-0x00007FF8A2480000-0x00007FF8A2E21000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/4784-1-0x00007FF8A2480000-0x00007FF8A2E21000-memory.dmp

        Filesize

        9.6MB

        Download