Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

7

411a4a7d91...18.exe

windows7-x64

10

411a4a7d91...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13/07/2024, 09:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    411a4a7d91a470f004c1d785320e9753_JaffaCakes118.exe

  • Size

    29KB

  • MD5

    411a4a7d91a470f004c1d785320e9753

  • SHA1

    75e39c62e04fa6a97ea54794b4d3f9c24cc61ebd

  • SHA256

    0b24337084608878194c71a3dbf40a06e457b61fad024dd2fb0bfb6ad571073c

  • SHA512

    00f44891cda68af23010349568fb2b59150626a352b9e6cd6a2ee02f78ff25a0afdc2aa18679ed44aa288e980cfd4fdba2e743a58157876094dcd03759875f7f

  • SSDEEP

    768:tQbuQRy2UjmUndnlTttxDn+3jiSkjRY6AB7kKfYoJ+ifBEewj:QuQRylaUDTDxDXjy6AB7koYy23

Score
10/10
evasionpersistencetrojanupx

Malware Config

Signatures

  • Windows security bypass 2 TTPs 4 IoCs
    evasiontrojan
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 3 IoCs
    persistence
  • Executes dropped EXE 2 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Windows security modification 2 TTPs 4 IoCs
    evasiontrojan
  • Modifies WinLogon 2 TTPs 5 IoCs
    persistence
  • Drops file in System32 directory 17 IoCs
  • Drops file in Program Files directory 8 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:616
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
        PID:3504
        • C:\Users\Admin\AppData\Local\Temp\411a4a7d91a470f004c1d785320e9753_JaffaCakes118.exe
          "C:\Users\Admin\AppData\Local\Temp\411a4a7d91a470f004c1d785320e9753_JaffaCakes118.exe"
          2⤵
          • Drops file in System32 directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3264
          • C:\Windows\SysWOW64\upkookuk-ced.exe
            "C:\Windows\system32\upkookuk-ced.exe"
            3⤵
            • Windows security bypass
            • Boot or Logon Autostart Execution: Active Setup
            • Event Triggered Execution: Image File Execution Options Injection
            • Executes dropped EXE
            • Windows security modification
            • Modifies WinLogon
            • Drops file in System32 directory
            • Drops file in Program Files directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4380
            • C:\Windows\SysWOW64\upkookuk-ced.exe
              --k33p
              4⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              PID:1516

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Windows\SysWOW64\afxoroax.exe
        Filesize

        32KB

        MD5

        ae95de5807de829bb0aae8557d0fbeda

        SHA1

        eedd6b828ee91ba2b918718feb02f4e67c6a3710

        SHA256

        5bdab6dfa307bb7f4f50624c3112f489fcdcdeb0851bfb49404c01107713861c

        SHA512

        8c438395a00c33c88cd3b168004e044f0c9fa950265ea0dd8d3635d4df9e853565ff42fd4c95d275f36477befe7e14a8c3ffd9ab50d8e125a271fa30b143f1ed

        Download Submit

      • C:\Windows\SysWOW64\amfineac.dll
        Filesize

        5KB

        MD5

        c8521a5fdd1c9387d536f599d850b195

        SHA1

        a543080665107b7e32bcc1ed19dbfbc1d2931356

        SHA256

        fa8f77b6daf775d66de9d27c1d896168a792057358e518c00e72b8964b966ca5

        SHA512

        541500e2cd502852a007d29badc1a1848d187245f78ec272281bab290cc6e308f0ae6d1b96863e0c30a176b16c6cf7e63e08a8de81a84615e4710e7164a805cd

        Download Submit

      • C:\Windows\SysWOW64\ulsepop.exe
        Filesize

        31KB

        MD5

        7f7698d00453b4a656dd9d681fd51ec3

        SHA1

        65ee46ef4dfd52b67ee500c73cc45aa5ef050825

        SHA256

        fd04ffa37da065d771684e6468a1bcb2bf332bebddbfa8c42ab4229c53e772af

        SHA512

        caecf49d54ef59cfb7f0c2694e89872bb3cde4c5e7c48364f313aae91b9047d1c5458fb6b066f317c81d6722b9957ddc536546abc270c07bc4cbecf2581aee9e

        Download Submit

      • C:\Windows\SysWOW64\upkookuk-ced.exe
        Filesize

        29KB

        MD5

        411a4a7d91a470f004c1d785320e9753

        SHA1

        75e39c62e04fa6a97ea54794b4d3f9c24cc61ebd

        SHA256

        0b24337084608878194c71a3dbf40a06e457b61fad024dd2fb0bfb6ad571073c

        SHA512

        00f44891cda68af23010349568fb2b59150626a352b9e6cd6a2ee02f78ff25a0afdc2aa18679ed44aa288e980cfd4fdba2e743a58157876094dcd03759875f7f

        Download Submit

      • memory/1516-19-0x0000000000400000-0x0000000000417000-memory.dmp

        Filesize

        92KB

        Download

      • memory/1516-54-0x0000000000400000-0x0000000000417000-memory.dmp

        Filesize

        92KB

        Download

      • memory/3264-0-0x0000000000400000-0x0000000000417000-memory.dmp

        Filesize

        92KB

        Download

      • memory/3264-10-0x0000000000400000-0x0000000000417000-memory.dmp

        Filesize

        92KB

        Download

      • memory/4380-13-0x0000000000400000-0x0000000000417000-memory.dmp

        Filesize

        92KB

        Download

      • memory/4380-53-0x0000000000400000-0x0000000000417000-memory.dmp

        Filesize

        92KB

        Download