Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
  • submitted
    01/07/2024, 11:03

General

  • Target

    1b0b92942ea2ed8b950ab177800d6930_JaffaCakes118.exe

  • Size

    922KB

  • MD5

    1b0b92942ea2ed8b950ab177800d6930

  • SHA1

    36d12ff6cd2c08e9e72484d49692f4ca324dd80b

  • SHA256

    c9304eddbe6a94b0507fec67acb13cf76cff5b9372c0d981b4133111a5a5a9d3

  • SHA512

    7f4405d5a48ed356122040efd100e9161d76201402ff6dfb9a7d85851233313c0e6c69b4a783d3408d2085cb00cb9e5c150dddd30d4e5131eef565bc713d66d4

  • SSDEEP

    12288:xf7uK718R6Tf0em8iHHrkSvJpUoeugjWY85w+A9pJaWpRvS1fku5s:xfqC8R6Q/lQSvsRJmo9pJVpRvSV5s

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 6 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Drops file in System32 directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 7 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SetWindowsHookEx 13 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
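The "Writes to the Master Boot Record (MBR)" signature is the finding in this list that a responder most needs to verify on the host, because a modified sector 0 persists below the operating system and is invisible to file-system scanning. The Python below is an added example, not part of the tria.ge report or of any tria.ge tooling: it parses a 512-byte MBR, hashes the 440-byte bootstrap region separately from the partition table (a bootkit typically replaces the former and leaves the latter intact so the machine still boots), and sanity-checks the table for invalid status bytes, multiple active entries and overlapping extents. The stub bootstrap bytes, the partition layout and the baseline hash are constructed for illustration; on a live host the sector would be read from the raw device (\\.\PhysicalDrive0 on Windows, which needs administrative rights) and the baseline taken from a known-good image of the same machine.

```python
"""Parse sector 0 and compare it with a known-good baseline.

Added example for the MBR finding in the tria.ge report above; not tria.ge code.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOTSTRAP_LEN = 440          # bootstrap code; bytes 440-443 hold the disk signature
PARTITION_TABLE_OFF = 446    # four 16-byte partition entries, then 0x55AA
BOOT_SIGNATURE = b"\x55\xaa"
# status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
ENTRY_FMT = "<B3xB3xII"


def parse_mbr(sector: bytes) -> dict:
    """Split a raw sector 0 into bootstrap hash, disk signature and partition table."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from(
            ENTRY_FMT, sector, PARTITION_TABLE_OFF + 16 * i)
        partitions.append({"status": status, "type": ptype, "lba": lba, "count": count})
    return {
        "bootstrap_sha256": hashlib.sha256(sector[:BOOTSTRAP_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, 440)[0],
        "partitions": partitions,
    }


def check_mbr(sector: bytes, baseline_bootstrap_sha256: str) -> list:
    """Return a list of findings; an empty list means the sector matches the baseline."""
    info = parse_mbr(sector)
    findings = []
    if info["bootstrap_sha256"] != baseline_bootstrap_sha256:
        findings.append("bootstrap code differs from baseline")
    used = []
    for n, p in enumerate(info["partitions"], start=1):
        if p["status"] not in (0x00, 0x80):
            findings.append(f"partition {n} has invalid status byte 0x{p['status']:02x}")
        if p["type"] != 0:
            used.append((p["lba"], p["lba"] + p["count"], n))
    if sum(1 for p in info["partitions"] if p["status"] == 0x80) > 1:
        findings.append("more than one partition marked active")
    used.sort()
    for (s1, e1, n1), (s2, e2, n2) in zip(used, used[1:]):
        if s2 < e1:
            findings.append(f"partitions {n1} and {n2} overlap")
    return findings


def build_mbr(bootstrap: bytes, partitions, disk_sig: int = 0x1234ABCD) -> bytes:
    """Assemble a 512-byte sector from bootstrap code and (status, type, lba, count) tuples.
    Used here only to construct test data; on a real host read sector 0 from \\.\PhysicalDrive0."""
    sector = bytearray(SECTOR_SIZE)
    code = bootstrap[:BOOTSTRAP_LEN]
    sector[:len(code)] = code
    struct.pack_into("<I", sector, 440, disk_sig)
    for i, entry in enumerate(partitions[:4]):
        struct.pack_into(ENTRY_FMT, sector, PARTITION_TABLE_OFF + 16 * i, *entry)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


# Constructed data: a stub bootstrap and a plausible two-partition layout.
CLEAN_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 200
LAYOUT = [(0x80, 0x07, 2048, 204800), (0x00, 0x07, 206848, 1000000)]
CLEAN_MBR = build_mbr(CLEAN_CODE, LAYOUT)
BASELINE = parse_mbr(CLEAN_MBR)["bootstrap_sha256"]  # in practice recorded from a known-good image

# Bootkit-style tamper: new bootstrap code, partition table left intact so the host still boots.
TAMPERED_MBR = build_mbr(b"\xeb\xfe" + b"\x00" * 100, LAYOUT)


if __name__ == "__main__":
    print("clean:", check_mbr(CLEAN_MBR, BASELINE))
    print("tampered:", check_mbr(TAMPERED_MBR, BASELINE))
```

Hashing only the bootstrap region is deliberate: the disk signature at offset 440 and the partition table change legitimately (disk cloning, partition resizing), so a whole-sector hash would alert on routine maintenance and miss nothing that the bootstrap hash does not already catch.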

Processes

  • C:\Users\Admin\AppData\Local\Temp\1b0b92942ea2ed8b950ab177800d6930_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\1b0b92942ea2ed8b950ab177800d6930_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Writes to the Master Boot Record (MBR)
    • Drops file in System32 directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2844
    • C:\windows\SysWOW64\system32.exe
      "C:\windows\system32\system32.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3008
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c del C:\windows\SysWOW64\system32.exe >> NUL
        3⤵
          PID:2728
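The tree above shows three behaviours worth turning into detections: an executable named after a Windows directory (system32.exe) placed in SysWOW64, a parent running from the user's Temp directory launching it, and the dropped binary erasing itself through `cmd.exe /c del ... >> NUL` once it has done its work. Note the WOW64 file-system redirection visible in the second entry: the command line names `C:\windows\system32\system32.exe`, but the image actually loaded is `C:\windows\SysWOW64\system32.exe`, because a 32-bit process that opens `System32` is redirected to `SysWOW64`; detection logic should therefore key on the resolved image path, not on the path in the command line. The Python below is an added example, not part of the tria.ge report: it runs those three rules over constructed Sysmon-style (Event ID 1) process-creation records modelled on the tree. The PIDs, images and command lines of 2844, 3008 and 2728 follow the report; the explorer.exe parent of 2844, the benign control event (PID 4100) and the short list of OS-shipped binaries standing in for a full inventory are assumptions.

```python
"""Three detections for the process tree above, run over constructed
Sysmon-style (Event ID 1) process-creation records. Added example; not tria.ge code."""
import re

# Constructed events modelled on the tree in the report. Entries for 2844/3008/2728
# follow the report; the explorer.exe parent of 2844 and the control event are assumed.
EVENTS = [
    {"ProcessId": 2844, "ParentProcessId": 1600,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\1b0b92942ea2ed8b950ab177800d6930_JaffaCakes118.exe",
     "CommandLine": r'"C:\Users\Admin\AppData\Local\Temp\1b0b92942ea2ed8b950ab177800d6930_JaffaCakes118.exe"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"ProcessId": 3008, "ParentProcessId": 2844,
     "Image": r"C:\windows\SysWOW64\system32.exe",
     "CommandLine": r'"C:\windows\system32\system32.exe"',
     "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\1b0b92942ea2ed8b950ab177800d6930_JaffaCakes118.exe"},
    {"ProcessId": 2728, "ParentProcessId": 3008,
     "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r'"C:\Windows\system32\cmd.exe" /c del C:\windows\SysWOW64\system32.exe >> NUL',
     "ParentImage": r"C:\windows\SysWOW64\system32.exe"},
    # Benign control (assumed): an installer deleting a helper file that is not its own image.
    {"ProcessId": 4100, "ParentProcessId": 4000,
     "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r'"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\helper.tmp',
     "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\setup.exe"},
]

SYSTEM_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\")
DIRECTORY_NAMES = {"system32", "syswow64", "windows", "winsxs"}
# Stand-in for a real inventory of OS-shipped binaries (assumed, deliberately short).
KNOWN_SYSTEM_BINARIES = {"cmd.exe", "conhost.exe", "rundll32.exe", "regsvr32.exe", "msiexec.exe"}
# Target of a "del" command: skips switches such as /f /q, tolerates quoting, stops at redirection.
DEL_TARGET = re.compile(r'\bdel\s+(?:/\w+\s+)*"?([^"\s>]+)', re.IGNORECASE)


def _norm(path: str) -> str:
    return path.strip('"').lower()


def _basename(path: str) -> str:
    return _norm(path).rsplit("\\", 1)[-1]


def rule_directory_name_masquerade(ev: dict) -> bool:
    """Executable named after a Windows directory, e.g. system32.exe inside SysWOW64."""
    name = _basename(ev["Image"])
    return name.endswith(".exe") and name[:-4] in DIRECTORY_NAMES


def rule_temp_parent_spawns_unknown_system_dir_child(ev: dict) -> bool:
    """Parent in a user Temp directory starts a non-inventory binary located in System32/SysWOW64."""
    parent, image = _norm(ev["ParentImage"]), _norm(ev["Image"])
    return ("\\appdata\\local\\temp\\" in parent
            and any(d in image for d in SYSTEM_DIRS)
            and _basename(image) not in KNOWN_SYSTEM_BINARIES)


def rule_self_delete(ev: dict) -> bool:
    """cmd.exe deleting exactly its parent's image: the parent is erasing itself."""
    if _basename(ev["Image"]) != "cmd.exe":
        return False
    m = DEL_TARGET.search(ev["CommandLine"])
    return m is not None and _norm(m.group(1)) == _norm(ev["ParentImage"])


RULES = {
    "directory_name_masquerade": rule_directory_name_masquerade,
    "temp_parent_spawns_unknown_system_dir_child": rule_temp_parent_spawns_unknown_system_dir_child,
    "self_delete": rule_self_delete,
}


def triage(events: list) -> dict:
    """Map ProcessId -> names of the rules that fired; processes with no hits are omitted."""
    hits = {}
    for ev in events:
        fired = [name for name, rule in RULES.items() if rule(ev)]
        if fired:
            hits[ev["ProcessId"]] = fired
    return hits


if __name__ == "__main__":
    for pid, fired in triage(EVENTS).items():
        print(pid, ", ".join(fired))
```

The self-delete rule compares the `del` target with the parent's resolved image, which works here because the malware itself wrote the SysWOW64 path into its command line; if a sample deletes itself through the redirected `System32` spelling instead, the comparison needs the same `\system32\` to `\syswow64\` normalisation for 32-bit parents that the tree above illustrates.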

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • \Users\Admin\AppData\Local\Temp\E_4\krnln.fnr

      Filesize

      1.0MB

      MD5

      1081d7eb7a17faedfa588b93fc85365e

      SHA1

      884e264fa37bfb9e71d24f3f5c7554fdf94a8b9f

      SHA256

      0351d055cf1e194302ab125cc93208a8c733efb45dc301ca6e7e2a4051f411e0

      SHA512

      1ff9e7c495b9e005c8d3b56219794c31d804fe1944429e3d4fe013fd8fcb3f51c02b588748c7d9d869fdb115851932e8db4e6792aecd9c83f28237702582ba81

    • \Users\Admin\AppData\Local\Temp\E_4\shell.fne

      Filesize

      40KB

      MD5

      d54753e7fc3ea03aec0181447969c0e8

      SHA1

      824e7007b6569ae36f174c146ae1b7242f98f734

      SHA256

      192608ff371400c1529aa05f1adba0fe4fdd769fcbf35ee5f8b4f78a838a7ec9

      SHA512

      c25ed4cb38d5d5e95a267979f0f3f9398c04a1bf5822dceb03d6f6d9b4832dfb227f1e6868327e52a0303f45c36b9ba806e75b16bd7419a7c5203c2ecbae838f

    • \Windows\SysWOW64\369774CA.dll

      Filesize

      161KB

      MD5

      d141c3df43f4ffcf070db0b66247f2fc

      SHA1

      405bbd0f170ad04bdf27c8bd053a6f0a9353e5c2

      SHA256

      d8a6e9433a9bc521b04a262abe96cc016c774adc9c2c6413566706882964d5d6

      SHA512

      fde34349fdce5f026a7ccf6a9d34af0b5dc7310c257aaaaed3e73c02a234133a104daa6b9400d75c93c74504e75dd29841cba29c5378d8eddfe4e0d2d1dac6a7

    • \Windows\SysWOW64\system32.exe

      Filesize

      21KB

      MD5

      1bc8305583e14ff8e5a719c83bf805d6

      SHA1

      e62982185ab0f36484b5652e81ef4e006e79e38a

      SHA256

      f39c24662bcec9513edcc20a1b4a0a10db34a055399803ede19c8e56c8bc47a8

      SHA512

      7da9f477d71d9076e64803ac9c84370fbb58d5976ff9f649c0563e79d0026d9fe28413dfbe2542951cd73490ec2d7482c469cf57dcaf43afaf91602d74f5430c

    • memory/2844-0-0x0000000000400000-0x0000000000467000-memory.dmp

      Filesize

      412KB

    • memory/2844-7-0x00000000001B0000-0x00000000001C1000-memory.dmp

      Filesize

      68KB

    • memory/2844-30-0x0000000001CF0000-0x0000000001D04000-memory.dmp

      Filesize

      80KB

    • memory/2844-32-0x0000000000400000-0x0000000000467000-memory.dmp

      Filesize

      412KB

    • memory/3008-18-0x0000000002000000-0x0000000002001000-memory.dmp

      Filesize

      4KB

    • memory/3008-27-0x0000000010000000-0x0000000010014000-memory.dmp

      Filesize

      80KB

    • memory/3008-31-0x0000000010000000-0x0000000010014000-memory.dmp

      Filesize

      80KB