Analysis

  • max time kernel
    149s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12/07/2024, 21:00

General

  • Target

    3edd73146d6e361f40328f3fbad47261_JaffaCakes118.exe

  • Size

    652KB

  • MD5

    3edd73146d6e361f40328f3fbad47261

  • SHA1

    a94f8d0e8e232d411f435742df0ed4a23c3af239

  • SHA256

    a8062f42dc988ff7a646cf070741145af11c58e1626bb7fb374866cab3b2d6f0

  • SHA512

    944b703748b445193191e76a314da80a055248406775cb8867a0d92d0df7f6f3117cb480cf0ee8b17b5a38e84fe6d314eded8bf98c576016863ecd3f19d046d6

  • SSDEEP

    12288:dsxqWTdNZRkPakUA7yJI4szy14bGDBvMpA/IQ6tue5vY:KTbPkPawmJDsu14Xp8IxJ

Malware Config

Signatures

  • Modifies firewall policy service 3 TTPs 10 IoCs
  • Adds policy Run key to start application 2 TTPs 6 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 4 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry key 1 TTPs 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 35 IoCs
  • Suspicious use of SetWindowsHookEx 9 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3edd73146d6e361f40328f3fbad47261_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\3edd73146d6e361f40328f3fbad47261_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3904
    • C:\Users\Admin\AppData\Local\Temp\3edd73146d6e361f40328f3fbad47261_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\3edd73146d6e361f40328f3fbad47261_JaffaCakes118.exe"
      2⤵
      • Checks computer location settings
      • Writes to the Master Boot Record (MBR)
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4520
      • C:\Users\Admin\AppData\Local\Temp\MasterBl4ster.exe
        "C:\Users\Admin\AppData\Local\Temp\MasterBl4ster.exe"
        3⤵
        • Adds policy Run key to start application
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of SetWindowsHookEx
        PID:1452
      • C:\Users\Admin\AppData\Local\Temp\a618.exe
        "C:\Users\Admin\AppData\Local\Temp\a618.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3616
        • C:\Users\Admin\AppData\Local\Temp\a618.exe
          "C:\Users\Admin\AppData\Local\Temp\a618.exe"
          4⤵
          • Executes dropped EXE
          • Writes to the Master Boot Record (MBR)
          • Suspicious use of SetThreadContext
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3224
          • C:\Users\Admin\AppData\Local\Temp\a618.exe
            "C:\Users\Admin\AppData\Local\Temp\a618.exe"
            5⤵
            • Adds policy Run key to start application
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:3048
            • C:\Windows\SysWOW64\cmd.exe
              cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:2772
              • C:\Windows\SysWOW64\reg.exe
                REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
                7⤵
                • Modifies firewall policy service
                • Modifies registry key
                PID:4008
            • C:\Windows\SysWOW64\cmd.exe
              cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\a618.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\a618.exe:*:Enabled:Windows Messanger" /f
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:2768
              • C:\Windows\SysWOW64\reg.exe
                REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\a618.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\a618.exe:*:Enabled:Windows Messanger" /f
                7⤵
                • Modifies firewall policy service
                • Modifies registry key
                PID:1396
            • C:\Windows\SysWOW64\cmd.exe
              cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:688
              • C:\Windows\SysWOW64\reg.exe
                REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
                7⤵
                • Modifies firewall policy service
                • Modifies registry key
                PID:408
            • C:\Windows\SysWOW64\cmd.exe
              cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\notepad.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\notepad.exe:*:Enabled:Windows Messanger" /f
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:4868
              • C:\Windows\SysWOW64\reg.exe
                REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\notepad.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\notepad.exe:*:Enabled:Windows Messanger" /f
                7⤵
                • Modifies firewall policy service
                • Modifies registry key
                PID:436

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\MasterBl4ster.exe

    Filesize

    34KB

    MD5

    353570ba98f58ab2d03ae73e2dddaf88

    SHA1

    a7ea0cf30951a50eb6f47f76c7a26a1f4156bda0

    SHA256

    35af00cf0b48f389ca696386d5b39714919aaff46d6a76b6d199fee4a79c8aee

    SHA512

    9918104bd3dcbb4edeadbfe9d21c081b1702773e688a81013876ff47558424ee6dbe8e1fad57b34e6f90025f4d4a935605e490ee489c17667d925c12f5f30544

  • C:\Users\Admin\AppData\Local\Temp\a618.exe

    Filesize

    476KB

    MD5

    6a46f5c6ffae9e26bbf0c0cf9f193bd1

    SHA1

    60053142bbb37d5423ad40d23fafbec9f853a41e

    SHA256

    a12672af336a8d42463d5d41afabc1e47e884592fb30addedd014a51917b305f

    SHA512

    94aeed0c7aea344a164ca93d375815c85ce86a31e78d5cefae153cb8cc3d935ff129741873c396a6599096ee99a8958d051af7471edc42fecd65ea7cdd7f62cd

  • memory/1452-52-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

  • memory/1452-21-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

  • memory/3048-45-0x0000000000400000-0x000000000045A000-memory.dmp

    Filesize

    360KB

  • memory/3048-82-0x0000000000400000-0x000000000045A000-memory.dmp

    Filesize

    360KB

  • memory/3048-79-0x0000000000400000-0x000000000045A000-memory.dmp

    Filesize

    360KB

  • memory/3048-70-0x0000000000400000-0x000000000045A000-memory.dmp

    Filesize

    360KB

  • memory/3048-66-0x0000000000400000-0x000000000045A000-memory.dmp

    Filesize

    360KB

  • memory/3048-42-0x0000000000400000-0x000000000045A000-memory.dmp

    Filesize

    360KB

  • memory/3048-68-0x0000000000400000-0x000000000045A000-memory.dmp

    Filesize

    360KB

  • memory/3048-84-0x0000000000400000-0x000000000045A000-memory.dmp

    Filesize

    360KB

  • memory/3048-53-0x0000000000400000-0x000000000045A000-memory.dmp

    Filesize

    360KB

  • memory/3048-55-0x0000000000400000-0x000000000045A000-memory.dmp

    Filesize

    360KB

  • memory/3048-59-0x0000000000400000-0x000000000045A000-memory.dmp

    Filesize

    360KB

  • memory/3048-63-0x0000000000400000-0x000000000045A000-memory.dmp

    Filesize

    360KB

  • memory/3224-50-0x0000000000400000-0x0000000000460000-memory.dmp

    Filesize

    384KB

  • memory/3224-36-0x0000000000400000-0x0000000000460000-memory.dmp

    Filesize

    384KB

  • memory/3224-39-0x0000000000400000-0x0000000000460000-memory.dmp

    Filesize

    384KB

  • memory/4520-2-0x0000000000400000-0x000000000048C000-memory.dmp

    Filesize

    560KB

  • memory/4520-32-0x0000000000400000-0x000000000048C000-memory.dmp

    Filesize

    560KB

  • memory/4520-4-0x0000000000400000-0x000000000048C000-memory.dmp

    Filesize

    560KB