Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
8Static
static
3a936074587...18.exe
windows7-x64
6a936074587...18.exe
windows10-2004-x64
6$PLUGINSDI...nt.dll
windows7-x64
3$PLUGINSDI...nt.dll
windows10-2004-x64
3$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3$PLUGINSDI...fo.dll
windows7-x64
3$PLUGINSDI...fo.dll
windows10-2004-x64
3$PLUGINSDI...0_.dll
windows7-x64
1$PLUGINSDI...0_.dll
windows10-2004-x64
1$PLUGINSDI...os.dll
windows7-x64
3$PLUGINSDI...os.dll
windows10-2004-x64
3$PLUGINSDI...18.exe
windows7-x64
8$PLUGINSDI...18.exe
windows10-2004-x64
8$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3$PLUGINSDI...16.exe
windows7-x64
4$PLUGINSDI...16.exe
windows10-2004-x64
4$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3$TEMP/Goog...69.exe
windows7-x64
4$TEMP/Goog...69.exe
windows10-2004-x64
4$PLUGINSDI...ll.dll
windows7-x64
1$PLUGINSDI...ll.dll
windows10-2004-x64
1$PLUGINSDI...5.html
windows7-x64
1$PLUGINSDI...5.html
windows10-2004-x64
1$PLUGINSDI...6.html
windows7-x64
1$PLUGINSDI...6.html
windows10-2004-x64
1$PLUGINSDI...7.html
windows7-x64
1$PLUGINSDI...7.html
windows10-2004-x64
1$PLUGINSDI...8.html
windows7-x64
1$PLUGINSDI...8.html
windows10-2004-x64
1Analysis
-
max time kernel
124s -
max time network
129s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system -
submitted
14/06/2024, 10:32
Static task
static1
Behavioral task
behavioral1
Sample
a9360745871d11e86208dfc05389ed87_JaffaCakes118.exe
Resource
win7-20240611-en
windows7-x64
Behavioral task
behavioral2
Sample
a9360745871d11e86208dfc05389ed87_JaffaCakes118.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
$PLUGINSDIR/ButtonEvent.dll
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral4
Sample
$PLUGINSDIR/ButtonEvent.dll
Resource
win10v2004-20240611-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240611-en
windows7-x64
Behavioral task
behavioral6
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
$PLUGINSDIR/UserInfo.dll
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral8
Sample
$PLUGINSDIR/UserInfo.dll
Resource
win10v2004-20240611-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
$PLUGINSDIR/a/$_110_.dll
Resource
win7-20240220-en
windows7-x64
Behavioral task
behavioral10
Sample
$PLUGINSDIR/a/$_110_.dll
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
$PLUGINSDIR/execDos.dll
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral12
Sample
$PLUGINSDIR/execDos.dll
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
$PLUGINSDIR/g/PF-Chrome-2018.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral14
Sample
$PLUGINSDIR/g/PF-Chrome-2018.exe
Resource
win10v2004-20240611-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240611-en
windows7-x64
Behavioral task
behavioral16
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
$PLUGINSDIR/g/PF-Toolbar-2016.exe
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral18
Sample
$PLUGINSDIR/g/PF-Toolbar-2016.exe
Resource
win10v2004-20240611-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240611-en
windows7-x64
Behavioral task
behavioral20
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
$TEMP/GoogleUpdateSetup_1.3.21.169.exe
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral22
Sample
$TEMP/GoogleUpdateSetup_1.3.21.169.exe
Resource
win10v2004-20240611-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
$PLUGINSDIR/g/gcapi_dll.dll
Resource
win7-20231129-en
windows7-x64
Behavioral task
behavioral24
Sample
$PLUGINSDIR/g/gcapi_dll.dll
Resource
win10v2004-20240611-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
$PLUGINSDIR/g/gcombo/ComboOffer_1025.html
Resource
win7-20240220-en
windows7-x64
Behavioral task
behavioral26
Sample
$PLUGINSDIR/g/gcombo/ComboOffer_1025.html
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
$PLUGINSDIR/g/gcombo/ComboOffer_1026.html
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral28
Sample
$PLUGINSDIR/g/gcombo/ComboOffer_1026.html
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral29
Sample
$PLUGINSDIR/g/gcombo/ComboOffer_1027.html
Resource
win7-20240611-en
windows7-x64
Behavioral task
behavioral30
Sample
$PLUGINSDIR/g/gcombo/ComboOffer_1027.html
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral31
Sample
$PLUGINSDIR/g/gcombo/ComboOffer_1028.html
Resource
win7-20240611-en
windows7-x64
Behavioral task
behavioral32
Sample
$PLUGINSDIR/g/gcombo/ComboOffer_1028.html
Resource
win10v2004-20240508-en
windows10-2004-x64
General
-
Target
$PLUGINSDIR/g/PF-Toolbar-2016.exe
-
Size
820KB
-
MD5
0f32452f14ff2cd57bea1b35efd6c839
-
SHA1
3b20f2f4a54b21f3fb0c9fb04d0544348e61a460
-
SHA256
fa53ce9ae4c2345f25f5ac61748623451004aa555a72d61162fbb266887d8b2d
-
SHA512
80a75aae72c366c0ccf2c89aec8ff120fcdc0def2ecaeb16373f1c930eb4c0fd311653da3230bc056e4acfe116f35db668a17f647a7252877e2fb6525e48157a
-
SSDEEP
12288:6mt6FaNUTjCumbaKQ9j2aBjo8koh41SN8SDajcXLWdfh9EoqPfY8N0bx:pt68Ej7nIgs8v4AN96dS3Yk0F
Malware Config
Signatures
-
Drops file in Program Files directory 64 IoCs
description ioc Process File created C:\Program Files (x86)\GUME4B3.tmp\goopdateres_es-419.dll GoogleUpdateSetup_1.3.21.169.exe File created C:\Program Files (x86)\GUME4B3.tmp\goopdateres_fa.dll GoogleUpdateSetup_1.3.21.169.exe File created C:\Program Files (x86)\GUME4B3.tmp\goopdateres_gu.dll GoogleUpdateSetup_1.3.21.169.exe File created C:\Program Files (x86)\GUME4B3.tmp\goopdateres_ko.dll GoogleUpdateSetup_1.3.21.169.exe File created C:\Program Files (x86)\GUME4B3.tmp\goopdateres_nl.dll GoogleUpdateSetup_1.3.21.169.exe File created C:\Program Files (x86)\GUME4B3.tmp\goopdateres_sw.dll GoogleUpdateSetup_1.3.21.169.exe File created C:\Program Files (x86)\GUME4B3.tmp\goopdateres_en.dll GoogleUpdateSetup_1.3.21.169.exe File created C:\Program Files (x86)\GUME4B3.tmp\goopdateres_ja.dll GoogleUpdateSetup_1.3.21.169.exe File created C:\Program Files (x86)\GUME4B3.tmp\goopdateres_pt-BR.dll GoogleUpdateSetup_1.3.21.169.exe File created C:\Program Files (x86)\GUME4B3.tmp\goopdateres_sr.dll GoogleUpdateSetup_1.3.21.169.exe File created C:\Program Files (x86)\GUME4B3.tmp\goopdateres_zh-TW.dll GoogleUpdateSetup_1.3.21.169.exe File created C:\Program Files (x86)\GUME4B3.tmp\goopdateres_es.dll GoogleUpdateSetup_1.3.21.169.exe File created C:\Program Files (x86)\GUME4B3.tmp\goopdateres_ca.dll GoogleUpdateSetup_1.3.21.169.exe File created C:\Program Files (x86)\GUME4B3.tmp\goopdateres_it.dll GoogleUpdateSetup_1.3.21.169.exe File created C:\Program Files (x86)\GUME4B3.tmp\goopdateres_lt.dll GoogleUpdateSetup_1.3.21.169.exe File created C:\Program Files (x86)\GUME4B3.tmp\goopdateres_pl.dll GoogleUpdateSetup_1.3.21.169.exe File created C:\Program Files (x86)\GUME4B3.tmp\goopdateres_sk.dll GoogleUpdateSetup_1.3.21.169.exe File created C:\Program Files (x86)\GUME4B3.tmp\psuser.dll GoogleUpdateSetup_1.3.21.169.exe File created C:\Program Files (x86)\GUME4B3.tmp\goopdateres_ar.dll GoogleUpdateSetup_1.3.21.169.exe File created C:\Program Files (x86)\GUME4B3.tmp\goopdateres_bg.dll GoogleUpdateSetup_1.3.21.169.exe File created C:\Program Files (x86)\GUME4B3.tmp\goopdateres_da.dll GoogleUpdateSetup_1.3.21.169.exe File created C:\Program Files (x86)\GUME4B3.tmp\goopdateres_ml.dll GoogleUpdateSetup_1.3.21.169.exe File created C:\Program Files (x86)\GUME4B3.tmp\GoogleCrashHandler64.exe GoogleUpdateSetup_1.3.21.169.exe File created C:\Program Files (x86)\GUME4B3.tmp\goopdateres_no.dll GoogleUpdateSetup_1.3.21.169.exe File created C:\Program Files (x86)\GUME4B3.tmp\goopdateres_pt-PT.dll GoogleUpdateSetup_1.3.21.169.exe File created C:\Program Files (x86)\GUME4B3.tmp\goopdateres_sv.dll GoogleUpdateSetup_1.3.21.169.exe File created C:\Program Files (x86)\GUME4B3.tmp\goopdate.dll GoogleUpdateSetup_1.3.21.169.exe File created C:\Program Files (x86)\GUME4B3.tmp\goopdateres_bn.dll GoogleUpdateSetup_1.3.21.169.exe File created C:\Program Files (x86)\GUME4B3.tmp\goopdateres_zh-CN.dll GoogleUpdateSetup_1.3.21.169.exe File created C:\Program Files (x86)\GUME4B3.tmp\GoogleUpdateBroker.exe GoogleUpdateSetup_1.3.21.169.exe File created C:\Program Files (x86)\GUME4B3.tmp\psmachine.dll GoogleUpdateSetup_1.3.21.169.exe File created C:\Program Files (x86)\GUME4B3.tmp\goopdateres_id.dll GoogleUpdateSetup_1.3.21.169.exe File created C:\Program Files (x86)\GUME4B3.tmp\goopdateres_sl.dll GoogleUpdateSetup_1.3.21.169.exe File created C:\Program Files (x86)\GUME4B3.tmp\GoogleUpdateHelper.msi GoogleUpdateSetup_1.3.21.169.exe File created C:\Program Files (x86)\GUME4B3.tmp\npGoogleUpdate3.dll GoogleUpdateSetup_1.3.21.169.exe File created C:\Program Files (x86)\GUME4B3.tmp\goopdateres_tr.dll GoogleUpdateSetup_1.3.21.169.exe File created C:\Program Files (x86)\GUME4B3.tmp\goopdateres_te.dll GoogleUpdateSetup_1.3.21.169.exe File created C:\Program Files (x86)\GUME4B3.tmp\goopdateres_iw.dll GoogleUpdateSetup_1.3.21.169.exe File created C:\Program Files (x86)\GUME4B3.tmp\goopdateres_kn.dll GoogleUpdateSetup_1.3.21.169.exe File created C:\Program Files (x86)\GUME4B3.tmp\goopdateres_mr.dll GoogleUpdateSetup_1.3.21.169.exe File created C:\Program Files (x86)\GUME4B3.tmp\goopdateres_th.dll GoogleUpdateSetup_1.3.21.169.exe File created C:\Program Files (x86)\GUME4B3.tmp\goopdateres_en-GB.dll GoogleUpdateSetup_1.3.21.169.exe File created C:\Program Files (x86)\GUME4B3.tmp\GoogleUpdateOnDemand.exe GoogleUpdateSetup_1.3.21.169.exe File created C:\Program Files (x86)\GUME4B3.tmp\goopdateres_cs.dll GoogleUpdateSetup_1.3.21.169.exe File created C:\Program Files (x86)\GUME4B3.tmp\goopdateres_fi.dll GoogleUpdateSetup_1.3.21.169.exe File created C:\Program Files (x86)\GUME4B3.tmp\goopdateres_fr.dll GoogleUpdateSetup_1.3.21.169.exe File created C:\Program Files (x86)\GUME4B3.tmp\goopdateres_ro.dll GoogleUpdateSetup_1.3.21.169.exe File created C:\Program Files (x86)\GUME4B3.tmp\GoogleCrashHandler.exe GoogleUpdateSetup_1.3.21.169.exe File created C:\Program Files (x86)\GUME4B3.tmp\goopdateres_hr.dll GoogleUpdateSetup_1.3.21.169.exe File created C:\Program Files (x86)\GUME4B3.tmp\goopdateres_hu.dll GoogleUpdateSetup_1.3.21.169.exe File created C:\Program Files (x86)\GUME4B3.tmp\goopdateres_ms.dll GoogleUpdateSetup_1.3.21.169.exe File created C:\Program Files (x86)\GUME4B3.tmp\goopdateres_ta.dll GoogleUpdateSetup_1.3.21.169.exe File created C:\Program Files (x86)\GUME4B3.tmp\goopdateres_hi.dll GoogleUpdateSetup_1.3.21.169.exe File created C:\Program Files (x86)\GUME4B3.tmp\goopdateres_ur.dll GoogleUpdateSetup_1.3.21.169.exe File created C:\Program Files (x86)\GUME4B3.tmp\goopdateres_am.dll GoogleUpdateSetup_1.3.21.169.exe File created C:\Program Files (x86)\GUME4B3.tmp\GoogleUpdate.exe GoogleUpdateSetup_1.3.21.169.exe File created C:\Program Files (x86)\GUME4B3.tmp\goopdateres_de.dll GoogleUpdateSetup_1.3.21.169.exe File created C:\Program Files (x86)\GUME4B3.tmp\goopdateres_fil.dll GoogleUpdateSetup_1.3.21.169.exe File created C:\Program Files (x86)\GUME4B3.tmp\goopdateres_ru.dll GoogleUpdateSetup_1.3.21.169.exe File opened for modification C:\Program Files (x86)\GUTE4B4.tmp GoogleUpdateSetup_1.3.21.169.exe File created C:\Program Files (x86)\GUME4B3.tmp\goopdateres_is.dll GoogleUpdateSetup_1.3.21.169.exe File created C:\Program Files (x86)\GUME4B3.tmp\goopdateres_lv.dll GoogleUpdateSetup_1.3.21.169.exe File created C:\Program Files (x86)\GUME4B3.tmp\GoogleUpdateSetup.exe GoogleUpdateSetup_1.3.21.169.exe File created C:\Program Files (x86)\GUME4B3.tmp\goopdateres_et.dll GoogleUpdateSetup_1.3.21.169.exe -
Executes dropped EXE 2 IoCs
pid Process 5052 GoogleUpdateSetup_1.3.21.169.exe 4208 GoogleUpdate.exe -
Loads dropped DLL 3 IoCs
pid Process 3340 PF-Toolbar-2016.exe 3340 PF-Toolbar-2016.exe 4208 GoogleUpdate.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 4208 GoogleUpdate.exe 4208 GoogleUpdate.exe 4208 GoogleUpdate.exe 4208 GoogleUpdate.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 4208 GoogleUpdate.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 3340 wrote to memory of 5052 3340 PF-Toolbar-2016.exe 90 PID 3340 wrote to memory of 5052 3340 PF-Toolbar-2016.exe 90 PID 3340 wrote to memory of 5052 3340 PF-Toolbar-2016.exe 90 PID 5052 wrote to memory of 4208 5052 GoogleUpdateSetup_1.3.21.169.exe 91 PID 5052 wrote to memory of 4208 5052 GoogleUpdateSetup_1.3.21.169.exe 91 PID 5052 wrote to memory of 4208 5052 GoogleUpdateSetup_1.3.21.169.exe 91
Processes
-
C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\g\PF-Toolbar-2016.exe"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\g\PF-Toolbar-2016.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3340 -
C:\Users\Admin\AppData\Local\Temp\GoogleUpdateSetup_1.3.21.169.exeC:\Users\Admin\AppData\Local\Temp\GoogleUpdateSetup_1.3.21.169.exe /silent /install "appguid={F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}&appname=Google%20Toolbar&needsadmin=True&brand=PRFJ&usagestats=0" /appargs "appguid={F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}&installerdata=d%3Dask%26h%3Dask2"2⤵
- Drops file in Program Files directory
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5052 -
C:\Program Files (x86)\GUME4B3.tmp\GoogleUpdate.exe"C:\Program Files (x86)\GUME4B3.tmp\GoogleUpdate.exe" /silent /install "appguid={F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}&appname=Google%20Toolbar&needsadmin=True&brand=PRFJ&usagestats=0" /appargs "appguid={F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}&installerdata=d%3Dask%26h%3Dask2"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4208
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4084,i,7977653611488681184,6839495125838449898,262144 --variations-seed-version --mojo-platform-channel-handle=1292 /prefetch:81⤵PID:816
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
113KB
MD5506708142bc63daba64f2d3ad1dcd5bf
SHA1d30e8c7543adbc801d675068530b57d75cabb13f
SHA2569c36a08d9e7932ff4da7b5f24e6b42c92f28685b8abe964c870e8d7670fd531a
SHA512a6e16f0de64b1500fbb2c7974a5efd40e8768b6c133f8ef367725a5c82b3b38c300dd65fa159b4a5f15413b0843a1e37416550ec89749ec1cf5cfae73dcc01ab
-
Filesize
849KB
MD544a7beb360488d6595de0ec0c6e8248b
SHA1ff424defecead2e1ceb7762a78366cb7c424b9b2
SHA256934bced969e0f50ed647289e8469308a54d8dc5a6ab5c81c66f5899798564d76
SHA512f06a153d03444151983ac5932dde05a6f9de2093001ee3588f4abeba1b0564c407c163b705a8f24c2501e26b4860eb92f17f2de0a7b0893f6b6f9b00950f4105
-
Filesize
840KB
MD58f324a0dac8e8d61faff2cde53eb4af0
SHA1d0573eae2aa53b3fc0e584126b457a618002feb7
SHA256f8f90894b9f942d4453dc3c532784f9ee301611726f7ca08bd71fa6f339267ca
SHA5121ccfb6211b6936b2f51a5a5d3a25eccc31466a64a316aba00faead3b77e59083a5ab190bc6fd77e14c57c4ceedfd5a1bb2d3816fe9af7ac9a336ab46f57f8f91
-
Filesize
799KB
MD57abad5635830cb8af3ea5b88e76f728d
SHA17809cb7c62fb6c95e7dd244bc480f3f93e695a25
SHA25627785c7b3825d73149794527a8be2dbdedd737ad3d47ecc6eb30be7546c1bdff
SHA51209c3e2b4726974db4ffd46c58f7177a52fcea2c85a8a22196555cfeefda7c6f4cb453de196f919a1e2ca2441379a36a9b40bb3d70d64c4148c31b58d0ce50be3
-
Filesize
11KB
MD5301a9c8739ed3ed955a1bdc472d26f32
SHA1a830ab9ae6e8d046b7ab2611bea7a0a681f29a43
SHA2566ec9fde89f067b1807325b05089c3ae4822ce7640d78e6f32dbe52f582de1d92
SHA51241d88489ecb5ec64191493a1ed2ed7095678955d9fa72cccea2ae76dd794e62e7b5bd3aa2c313fb4bdf41c2f89f29e4cafe43d564ecad80fce1bf0a240b1e094