Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

3

282807be95...18.exe

windows7-x64

8

282807be95...18.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    148s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    06/07/2024, 10:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    282807be952aca9e2a10d4b998dea99d_JaffaCakes118.exe

  • Size

    471KB

  • MD5

    282807be952aca9e2a10d4b998dea99d

  • SHA1

    deaa64423864b09383f24dd58fc24d694aa9cb92

  • SHA256

    4c6d0b9e1fc3066b7421978fba95f7e6ce0463887ed953365b5cab4f4e16a9b0

  • SHA512

    be53040a2a879bff60d64d947a987548df38873c062bbb2cff2d821460c7116817a75fce9f8488434f1a5c0c9035735ee756393443e217ade93fec1f4c6a53bc

  • SSDEEP

    12288:+e6fM21Az3KwyGLHAzNQ3YL//LJNNDTPzNH7JV3Fcfk8rTvrLadrax8D+5axnfDF:+e6fNALKwf8zNQ3YL//LJNNDTPzNH7JB

Score
8/10
persistence

Malware Config

Signatures

  • Adds policy Run key to start application 2 TTPs 4 IoCs
    persistence
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in System32 directory 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\System32\smss.exe
    \SystemRoot\System32\smss.exe
    1⤵
      PID:256
    • C:\Windows\system32\csrss.exe
      %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
      1⤵
        PID:332
      • C:\Windows\system32\wininit.exe
        wininit.exe
        1⤵
          PID:368
          • C:\Windows\system32\services.exe
            C:\Windows\system32\services.exe
            2⤵
              PID:468
              • C:\Windows\system32\svchost.exe
                C:\Windows\system32\svchost.exe -k DcomLaunch
                3⤵
                  PID:584
                  • C:\Windows\system32\DllHost.exe
                    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                    4⤵
                      PID:1240
                    • C:\Windows\system32\wbem\wmiprvse.exe
                      C:\Windows\system32\wbem\wmiprvse.exe
                      4⤵
                        PID:864
                    • C:\Windows\system32\svchost.exe
                      C:\Windows\system32\svchost.exe -k RPCSS
                      3⤵
                        PID:660
                      • C:\Windows\System32\svchost.exe
                        C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
                        3⤵
                          PID:720
                        • C:\Windows\System32\svchost.exe
                          C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
                          3⤵
                            PID:788
                            • C:\Windows\system32\Dwm.exe
                              "C:\Windows\system32\Dwm.exe"
                              4⤵
                                PID:1328
                            • C:\Windows\system32\svchost.exe
                              C:\Windows\system32\svchost.exe -k netsvcs
                              3⤵
                                PID:816
                              • C:\Windows\system32\svchost.exe
                                C:\Windows\system32\svchost.exe -k LocalService
                                3⤵
                                  PID:980
                                • C:\Windows\system32\svchost.exe
                                  C:\Windows\system32\svchost.exe -k NetworkService
                                  3⤵
                                    PID:272
                                  • C:\Windows\System32\spoolsv.exe
                                    C:\Windows\System32\spoolsv.exe
                                    3⤵
                                      PID:1008
                                    • C:\Windows\system32\svchost.exe
                                      C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
                                      3⤵
                                        PID:324
                                      • C:\Windows\system32\taskhost.exe
                                        "taskhost.exe"
                                        3⤵
                                          PID:1232
                                        • C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
                                          "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
                                          3⤵
                                            PID:1620
                                          • C:\Windows\system32\svchost.exe
                                            C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
                                            3⤵
                                              PID:1912
                                            • C:\Windows\system32\sppsvc.exe
                                              C:\Windows\system32\sppsvc.exe
                                              3⤵
                                                PID:1888
                                            • C:\Windows\system32\lsass.exe
                                              C:\Windows\system32\lsass.exe
                                              2⤵
                                                PID:476
                                              • C:\Windows\system32\lsm.exe
                                                C:\Windows\system32\lsm.exe
                                                2⤵
                                                  PID:484
                                              • C:\Windows\system32\csrss.exe
                                                %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
                                                1⤵
                                                  PID:380
                                                • C:\Windows\system32\winlogon.exe
                                                  winlogon.exe
                                                  1⤵
                                                    PID:420
                                                  • C:\Windows\Explorer.EXE
                                                    C:\Windows\Explorer.EXE
                                                    1⤵
                                                      PID:1384
                                                      • C:\Users\Admin\AppData\Local\Temp\282807be952aca9e2a10d4b998dea99d_JaffaCakes118.exe
                                                        "C:\Users\Admin\AppData\Local\Temp\282807be952aca9e2a10d4b998dea99d_JaffaCakes118.exe"
                                                        2⤵
                                                        • Suspicious use of SetThreadContext
                                                        • Suspicious use of WriteProcessMemory
                                                        PID:560
                                                        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                          C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                          3⤵
                                                          • Suspicious behavior: EnumeratesProcesses
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          • Suspicious use of WriteProcessMemory
                                                          PID:2952
                                                          • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                            "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
                                                            4⤵
                                                            • Adds policy Run key to start application
                                                            • Boot or Logon Autostart Execution: Active Setup
                                                            • Adds Run key to start application
                                                            • Drops file in System32 directory
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            PID:2784

                                                    Network

                                                    MITRE ATT&CK Enterprise v15

                                                    Replay Monitor

                                                    Loading Replay Monitor...

                                                    Downloads

                                                    • memory/256-41-0x0000000000110000-0x0000000000111000-memory.dmp

                                                      Filesize

                                                      4KB

                                                      Download

                                                    • memory/560-0-0x00000000748B1000-0x00000000748B2000-memory.dmp

                                                      Filesize

                                                      4KB

                                                      Download

                                                    • memory/560-1-0x00000000748B0000-0x0000000074E5B000-memory.dmp

                                                      Filesize

                                                      5.7MB

                                                      Download

                                                    • memory/560-2-0x00000000748B0000-0x0000000074E5B000-memory.dmp

                                                      Filesize

                                                      5.7MB

                                                      Download

                                                    • memory/560-15-0x00000000748B0000-0x0000000074E5B000-memory.dmp

                                                      Filesize

                                                      5.7MB

                                                      Download

                                                    • memory/2952-5-0x0000000000400000-0x0000000000441000-memory.dmp

                                                      Filesize

                                                      260KB

                                                      Download

                                                    • memory/2952-16-0x0000000000400000-0x0000000000441000-memory.dmp

                                                      Filesize

                                                      260KB

                                                      Download

                                                    • memory/2952-8-0x0000000000400000-0x0000000000441000-memory.dmp

                                                      Filesize

                                                      260KB

                                                      Download

                                                    • memory/2952-7-0x0000000000400000-0x0000000000441000-memory.dmp

                                                      Filesize

                                                      260KB

                                                      Download

                                                    • memory/2952-6-0x0000000000400000-0x0000000000441000-memory.dmp

                                                      Filesize

                                                      260KB

                                                      Download

                                                    • memory/2952-12-0x0000000000400000-0x0000000000441000-memory.dmp

                                                      Filesize

                                                      260KB

                                                      Download

                                                    • memory/2952-4-0x0000000000400000-0x0000000000441000-memory.dmp

                                                      Filesize

                                                      260KB

                                                      Download

                                                    • memory/2952-3-0x0000000000400000-0x0000000000441000-memory.dmp

                                                      Filesize

                                                      260KB

                                                      Download

                                                    • memory/2952-13-0x0000000000400000-0x0000000000441000-memory.dmp

                                                      Filesize

                                                      260KB

                                                      Download

                                                    • memory/2952-9-0x0000000000400000-0x0000000000441000-memory.dmp

                                                      Filesize

                                                      260KB

                                                      Download

                                                    • memory/2952-14-0x0000000000400000-0x0000000000441000-memory.dmp

                                                      Filesize

                                                      260KB

                                                      Download

                                                    • memory/2952-17-0x0000000010410000-0x0000000010441000-memory.dmp

                                                      Filesize

                                                      196KB

                                                      Download

                                                    • memory/2952-18-0x0000000010410000-0x0000000010441000-memory.dmp

                                                      Filesize

                                                      196KB

                                                      Download

                                                    • memory/2952-26-0x00000000001C0000-0x00000000001CA000-memory.dmp

                                                      Filesize

                                                      40KB

                                                      Download

                                                    • memory/2952-33-0x0000000000250000-0x000000000025A000-memory.dmp

                                                      Filesize

                                                      40KB

                                                      Download

                                                    • memory/2952-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

                                                      Filesize

                                                      4KB

                                                      Download

                                                    • memory/2952-10575-0x0000000000400000-0x0000000000441000-memory.dmp

                                                      Filesize

                                                      260KB

                                                      Download