Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

7

0d7b33db1f...18.exe

windows7-x64

8

0d7b33db1f...18.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    140s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25/06/2024, 09:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0d7b33db1f531966add6c065885a5501_JaffaCakes118.exe

  • Size

    62KB

  • MD5

    0d7b33db1f531966add6c065885a5501

  • SHA1

    cd7e136a587ecfa164010042540b2aac44ebb81c

  • SHA256

    897611a1fd6a2ff93247a0758f06ce5c34a06b50a859de487d10cd7d58d243f7

  • SHA512

    a12f4ad98db107cca8e9824f7ba7e48004a2c837fb43fee1e52aea95cb2f01341c2970558b410cc78286502606af8be82e85882544a8d68a760327b4581e3df8

  • SSDEEP

    768:t4xjgvZqw6axPo6qcHMV4+ZC7d9443l/kJ/MUTW+cieBN2QOx2jqpoINN6fTjiAt:6SvZqNMPo3cHH5dk7TWkeBoTYqpqf0O

Score
8/10
persistenceupx

Malware Config

Signatures

  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in Drivers directory 9 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Discovers systems in the same network 1 TTPs 1 IoCs
    discovery
  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Gathers network information 2 TTPs 2 IoCs

    Uses commandline utility to view network configuration.

  • Gathers system information 1 TTPs 1 IoCs

    Runs systeminfo.exe.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 60 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0d7b33db1f531966add6c065885a5501_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0d7b33db1f531966add6c065885a5501_JaffaCakes118.exe"
    1⤵
    • Adds policy Run key to start application
    • Drops file in Drivers directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4932
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "del C:\Windows\system32\drivers\inc\HPsys\*.* /q"
      2⤵
        PID:3524
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c "ipconfig -all >C:\Windows\system32\drivers\inc\Rijtoovxhpnetinfo.sys & net view >>C:\Windows\system32\drivers\inc\Rijtoovxhpnetinfo.sys & netstat -an >>C:\Windows\system32\drivers\inc\Rijtoovxhpnetinfo.sys & systeminfo >>C:\Windows\system32\drivers\inc\Rijtoovxhpnetinfo.sys"
        2⤵
        • Drops file in Drivers directory
        • Suspicious use of WriteProcessMemory
        PID:3776
        • C:\Windows\SysWOW64\ipconfig.exe
          ipconfig -all
          3⤵
          • Gathers network information
          PID:1908
        • C:\Windows\SysWOW64\net.exe
          net view
          3⤵
          • Discovers systems in the same network
          PID:1584
        • C:\Windows\SysWOW64\NETSTAT.EXE
          netstat -an
          3⤵
          • Gathers network information
          • Suspicious use of AdjustPrivilegeToken
          PID:1568
        • C:\Windows\SysWOW64\systeminfo.exe
          systeminfo
          3⤵
          • Gathers system information
          PID:2316
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c "net start >>C:\Windows\system32\drivers\inc\Rijtoovxhpnetinfo.sys & tasklist /svc >>C:\Windows\system32\drivers\inc\Rijtoovxhpnetinfo.sys & dir c: >>C:\Windows\system32\drivers\inc\Rijtoovxhpnetinfo.sys & dir d: >>C:\Windows\system32\drivers\inc\Rijtoovxhpnetinfo.sys"
        2⤵
        • Drops file in Drivers directory
        • Suspicious use of WriteProcessMemory
        PID:2264
        • C:\Windows\SysWOW64\net.exe
          net start
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4732
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 start
            4⤵
              PID:856
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist /svc
            3⤵
            • Enumerates processes with tasklist
            • Suspicious use of AdjustPrivilegeToken
            PID:4472
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c "tree C: /F /A >>C:\Windows\system32\drivers\inc\Rijtoovxhpinfo.sys"
          2⤵
          • Drops file in Drivers directory
          • Suspicious use of WriteProcessMemory
          PID:1060
          • C:\Windows\SysWOW64\tree.com
            tree C: /F /A
            3⤵
              PID:4348
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c "tree D: /F /A >>C:\Windows\system32\drivers\inc\Rijtoovxhpinfo.sys"
            2⤵
            • Drops file in Drivers directory
            • Suspicious use of WriteProcessMemory
            PID:3584
            • C:\Windows\SysWOW64\tree.com
              tree D: /F /A
              3⤵
                PID:680
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c "tree E: /F /A >>C:\Windows\system32\drivers\inc\Rijtoovxhpinfo.sys"
              2⤵
              • Drops file in Drivers directory
              • Suspicious use of WriteProcessMemory
              PID:4464
              • C:\Windows\SysWOW64\tree.com
                tree E: /F /A
                3⤵
                  PID:1224
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c "tree F: /F /A >>C:\Windows\system32\drivers\inc\Rijtoovxhpinfo.sys"
                2⤵
                • Drops file in Drivers directory
                • Suspicious use of WriteProcessMemory
                PID:5060
                • C:\Windows\SysWOW64\tree.com
                  tree F: /F /A
                  3⤵
                    PID:920
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c "tree G: /F /A >>C:\Windows\system32\drivers\inc\Rijtoovxhpinfo.sys"
                  2⤵
                  • Drops file in Drivers directory
                  • Suspicious use of WriteProcessMemory
                  PID:888
                  • C:\Windows\SysWOW64\tree.com
                    tree G: /F /A
                    3⤵
                      PID:2576

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Windows\SysWOW64\drivers\inc\Rijtoovxhpinfo.sys
                  Filesize

                  2KB

                  MD5

                  632f2c476aae0fbe08304d1bdbf3da90

                  SHA1

                  e4db5877a0d2ee915370dd9f64963c177239384b

                  SHA256

                  f11982e6e0466b86eaa121d538116dfccb23f27ed27f8a5f1b6473995afec8d2

                  SHA512

                  c414cab0484dd75ef23278138367523b90d0009695cea19a920352da66ac6dbaad8dd6c4d8525bfe8c9a80c57950ce08c424154dce084a0448b7fff24bdfdaac

                  Download Submit

                • C:\Windows\SysWOW64\drivers\inc\Rijtoovxhpinfo.sys
                  Filesize

                  2KB

                  MD5

                  f2b6a5c7f4f3c97873a47ff720aafe5a

                  SHA1

                  49aca91572e049e6a3fe1cb4729a4f6c2cc98ff6

                  SHA256

                  16e9ee878b851bf3991c004afe13038cf11e759e50e25dbf94112f794aee5c89

                  SHA512

                  943590a35d9f87ee1eba82d831089b87af1c417402b981500f8df8170be98da41de6583b5a3f65f9633c4706d1a742e5678c35a54e8832e3b876d950f450125f

                  Download Submit

                • C:\Windows\SysWOW64\drivers\inc\Rijtoovxhpinfo.sys
                  Filesize

                  2KB

                  MD5

                  a3d71265a9d540907d1a4f62c4e733b3

                  SHA1

                  c57c388dd731c4dac11b1fa13bdfb7ee1117e3c0

                  SHA256

                  ae86651c1f0e2f64069571904d7030a8d79656aa235e1070357176408dcbf5e2

                  SHA512

                  b4c60060eaa04754aea2b864894fb9cb2d8c6c36fa5e19aa7a915ae8eba72329bbb910476d8300d5f8f5e49947f8bb47549a75d563edb95aaa2e8d1cac37f8d4

                  Download Submit

                • C:\Windows\SysWOW64\drivers\inc\Rijtoovxhpinfo.sys
                  Filesize

                  2KB

                  MD5

                  7cd364c5a25b8847cd1ec92d4406825a

                  SHA1

                  10a46a37738c693ee0cbb9d9090cd3b16985219e

                  SHA256

                  51512e0957b67b3bf83969f52ca08ce0661ba4e981a93936b5d6f8a94b874810

                  SHA512

                  e348af35be61ac6b109298bd4157ed46aba0ed1a5bafddd2c35e118752febcf51268337ef2a1d6149373bfb7efff989b3d0ea353ca1f3c835782398b7fcd4c01

                  Download Submit

                • C:\Windows\SysWOW64\drivers\inc\Rijtoovxhpinfo.sys
                  Filesize

                  2KB

                  MD5

                  60d2d4573c106a570ebde1522121eeef

                  SHA1

                  9353a111b7a73c5c1b3b2e0903788aa9ecdf009c

                  SHA256

                  84bbc9ac9f523427ab730a2dbd71f5ca20d7248a23102966a4fafc52cec636aa

                  SHA512

                  6aff6e003675a89e42f48f8e1dd60c089356b78879e4e4bd4ad1484152e3f2a95ea4ca8049721c343c7d7de4d3121fe84a3f15a1f4be65f7d6a3f5b8fcefd6ab

                  Download Submit

                • C:\Windows\SysWOW64\drivers\inc\Rijtoovxhpnetinfo.sys
                  Filesize

                  6KB

                  MD5

                  eb92329e953e7a76cb7f1638e462b644

                  SHA1

                  5f16be44bd78684bfd3139550dc6439fa74ea37e

                  SHA256

                  a48bf1d350434906ed40a5a40d93a44fc6e1fee595c63b06765d4b8fd70c39be

                  SHA512

                  20bd6ad39356c4f5d8519c1169dbbbc99e73373cca9b582379ee4f862e25981bdbdef5a9c7253f35e0e1350958b7cd909ba310409ba36378ebf27136e4bc926a

                  Download Submit

                • C:\Windows\SysWOW64\drivers\inc\Rijtoovxhpnetinfo.sys
                  Filesize

                  19KB

                  MD5

                  1b4326f8176e19eb3c20b3b8e1277adc

                  SHA1

                  4eae3fd83fc46b032f5c2693260a8481917c01c9

                  SHA256

                  254f471bded492401a07bc19b344a0c5654e00cb8ddad75b61eb63504254f848

                  SHA512

                  0b13731a691cb2b37b71c313a1360b375ab5620fbf09622a814a0cea484b7f2c819c5989257f8d7b18f68f5ee0c240a5611f10a291c32f9dbe3c586998f18c73

                  Download Submit

                • memory/4932-0-0x0000000000400000-0x0000000000432000-memory.dmp

                  Filesize

                  200KB

                  Download

                • memory/4932-2-0x0000000000400000-0x0000000000432000-memory.dmp

                  Filesize

                  200KB

                  Download

                • memory/4932-22-0x0000000000400000-0x0000000000432000-memory.dmp

                  Filesize

                  200KB

                  Download