Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

7

298bcd92ae...18.dll

windows7-x64

298bcd92ae...18.dll

windows10-2004-x64

Analysis

  • max time kernel
    11s
  • max time network
    15s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240704-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/07/2024, 23:11

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    298bcd92ae4cad3f7d91b8e44893814a_JaffaCakes118.dll

  • Size

    70KB

  • MD5

    298bcd92ae4cad3f7d91b8e44893814a

  • SHA1

    a28b0b8c131b02dc1552ec11943dc78e4bd2e641

  • SHA256

    4d0c47e3d5d9c36e1b9a94416b83abb3e7f16441c54bf33584b235859e7a4c82

  • SHA512

    72a998ad8541ad35f1e890cafd7fdeb5046503f442f7296f14e6ef44c9bb0911bed72658556d0c132855c34cdf032631e2c5439688c1ebb963c3bcb0cfe17054

  • SSDEEP

    1536:47tqjOr4o+KMJSfbsDH62q6HI15pKZ+ki7yitur8Nmck1JC:47tR+KwyUTqHK4FHorKm/E

Score
8/10
persistenceupx

Malware Config

Signatures

  • Modifies Shared Task Scheduler registry keys 2 TTPs 6 IoCs
    persistence
  • ACProtect 1.3x - 1.4x DLL software 2 IoCs

    Detects file using ACProtect software.

  • Loads dropped DLL 3 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in System32 directory 4 IoCs
  • Modifies data under HKEY_USERS 15 IoCs
  • Modifies registry class 18 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\298bcd92ae4cad3f7d91b8e44893814a_JaffaCakes118.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1456
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\298bcd92ae4cad3f7d91b8e44893814a_JaffaCakes118.dll
      2⤵
      • Modifies Shared Task Scheduler registry keys
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2424
      • C:\Windows\SysWOW64\regsvr32.exe
        C:\Windows\system32\regsvr32.exe C:\Windows\system32\dxetsxvvgwwy.dll /s
        3⤵
        • Modifies Shared Task Scheduler registry keys
        • Loads dropped DLL
        • Drops file in System32 directory
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:1200
        • C:\Windows\SysWOW64\regsvr32.exe
          C:\Windows\system32\regsvr32.exe C:\Windows\system32\298bcd92ae4c.dll /s
          4⤵
          • Modifies Shared Task Scheduler registry keys
          • Loads dropped DLL
          • Modifies registry class
          • Suspicious use of AdjustPrivilegeToken
          PID:5068
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x4 /state0:0xa3945055 /state1:0x41c64e6d
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:3220

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\298bcd92ae4c.dll
    Filesize

    70KB

    MD5

    298bcd92ae4cad3f7d91b8e44893814a

    SHA1

    a28b0b8c131b02dc1552ec11943dc78e4bd2e641

    SHA256

    4d0c47e3d5d9c36e1b9a94416b83abb3e7f16441c54bf33584b235859e7a4c82

    SHA512

    72a998ad8541ad35f1e890cafd7fdeb5046503f442f7296f14e6ef44c9bb0911bed72658556d0c132855c34cdf032631e2c5439688c1ebb963c3bcb0cfe17054

    Download Submit

  • C:\Windows\SysWOW64\dxetsxvvgwwy.dll
    Filesize

    70KB

    MD5

    f7c1bfb087a46f9ab671cf62e392bef4

    SHA1

    c881aed1f37e6eeadd7f1d453b281309d3ac0f9c

    SHA256

    8350a647d3c0aee548be6b59958a24167dd9023781e5a1e36d8fbbadefecb662

    SHA512

    8ef9b34a18519b16addb21910b24a78d890caeb03739eda29d25a884c62a00d06fb37d9a38f94d7a856abc2b56b983d866668601e18e11e81e3274956770c35d

    Download Submit

  • memory/1200-7-0x0000000000400000-0x0000000000432000-memory.dmp

    Filesize

    200KB

    Download

  • memory/1200-13-0x0000000000400000-0x0000000000432000-memory.dmp

    Filesize

    200KB

    Download

  • memory/2424-0-0x0000000000400000-0x0000000000432000-memory.dmp

    Filesize

    200KB

    Download

  • memory/2424-15-0x0000000000400000-0x0000000000432000-memory.dmp

    Filesize

    200KB

    Download

  • memory/5068-11-0x00000000004E0000-0x0000000000512000-memory.dmp

    Filesize

    200KB

    Download