Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

43e320bdcb...18.exe

windows7-x64

10

43e320bdcb...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    135s
  • max time network
    122s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14/07/2024, 02:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    43e320bdcbc89aefd23ef13a2bbfc41c_JaffaCakes118.exe

  • Size

    414KB

  • MD5

    43e320bdcbc89aefd23ef13a2bbfc41c

  • SHA1

    c7674d4bbbbcabe32f3bcaf79f2108479d194e47

  • SHA256

    08161a6652d7834de29d7be1d6f1240f5fb641fa32d9e90b0ebbe1479de71dcc

  • SHA512

    7f19e809e23b2be63006557ae84844f986de97bb2b51a757af6635f0969caa3a76ddc2952b8028296a1c1ea747a925863e005e91d572ee94cbae638db5f59aad

  • SSDEEP

    6144:bARb+1YFc8CnFu73mBCR7NFrkcrreoSi7CL+PqL55NjeqE5:+b+1F8C+minkSrfSi+L/V5Nj

Score
10/10
evasionpersistenceupx

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Modifies security service 2 TTPs 1 IoCs
    evasion
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 34 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Program crash 2 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\43e320bdcbc89aefd23ef13a2bbfc41c_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\43e320bdcbc89aefd23ef13a2bbfc41c_JaffaCakes118.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2136
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2136 -s 880
      2⤵
      • Program crash
      PID:1436
    • C:\ProgramData\eD21922KmPiH21922\eD21922KmPiH21922.exe
      "C:\ProgramData\eD21922KmPiH21922\eD21922KmPiH21922.exe" "C:\Users\Admin\AppData\Local\Temp\43e320bdcbc89aefd23ef13a2bbfc41c_JaffaCakes118.exe"
      2⤵
      • Modifies security service
      • Deletes itself
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:1432
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1432 -s 880
        3⤵
        • Program crash
        PID:3576
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 192 -p 2136 -ip 2136
    1⤵
      PID:1928
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1432 -ip 1432
      1⤵
        PID:1952
      • C:\Windows\system32\sihost.exe
        sihost.exe
        1⤵
        • Suspicious use of FindShellTrayWindow
        PID:2636
      • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
        "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
        1⤵
        • Modifies data under HKEY_USERS
        • Suspicious use of SetWindowsHookEx
        PID:2032
      • C:\Windows\system32\sihost.exe
        sihost.exe
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:3984
        • C:\Windows\explorer.exe
          explorer.exe /LOADSAVEDWINDOWS
          2⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Modifies registry class
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          PID:4400
      • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
        "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
        1⤵
        • Modifies data under HKEY_USERS
        • Suspicious use of SetWindowsHookEx
        PID:632
      • C:\Windows\system32\sihost.exe
        sihost.exe
        1⤵
          PID:3104
        • C:\Windows\system32\sihost.exe
          sihost.exe
          1⤵
          • Suspicious use of FindShellTrayWindow
          PID:4804
        • C:\Windows\system32\sihost.exe
          sihost.exe
          1⤵
            PID:3276
          • C:\Windows\explorer.exe
            explorer.exe
            1⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Modifies registry class
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            PID:4372
          • C:\Windows\system32\sihost.exe
            sihost.exe
            1⤵
            • Suspicious use of FindShellTrayWindow
            PID:3988
          • C:\Windows\explorer.exe
            explorer.exe
            1⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Modifies registry class
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            PID:1508
          • C:\Windows\explorer.exe
            explorer.exe
            1⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Modifies registry class
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            PID:3880
          • C:\Windows\explorer.exe
            explorer.exe
            1⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Modifies registry class
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            PID:2640
          • C:\Windows\explorer.exe
            explorer.exe
            1⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Modifies registry class
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            PID:3948
          • C:\Windows\explorer.exe
            explorer.exe
            1⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Modifies registry class
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            PID:2120
          • C:\Windows\explorer.exe
            explorer.exe
            1⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Modifies registry class
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            PID:4076
          • C:\Windows\explorer.exe
            explorer.exe
            1⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Modifies registry class
            • Suspicious use of FindShellTrayWindow
            PID:3820
          • C:\Windows\explorer.exe
            explorer.exe
            1⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Modifies registry class
            PID:4720
          • C:\Windows\explorer.exe
            explorer.exe
            1⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Modifies registry class
            PID:3204
          • C:\Windows\explorer.exe
            explorer.exe
            1⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Modifies registry class
            PID:3852
          • C:\Windows\explorer.exe
            explorer.exe
            1⤵
            • Boot or Logon Autostart Execution: Active Setup
            PID:3868
          • C:\Windows\explorer.exe
            explorer.exe
            1⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Modifies registry class
            PID:4284
          • C:\Windows\explorer.exe
            explorer.exe
            1⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Modifies registry class
            PID:908
          • C:\Windows\explorer.exe
            explorer.exe
            1⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Modifies registry class
            PID:2988
          • C:\Windows\explorer.exe
            explorer.exe
            1⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Modifies registry class
            PID:2260
          • C:\Windows\explorer.exe
            explorer.exe
            1⤵
            • Boot or Logon Autostart Execution: Active Setup
            PID:2524
          • C:\Windows\explorer.exe
            explorer.exe
            1⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Modifies registry class
            PID:2160
          • C:\Windows\explorer.exe
            explorer.exe
            1⤵
            • Boot or Logon Autostart Execution: Active Setup
            PID:3404
          • C:\Windows\explorer.exe
            explorer.exe
            1⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Modifies registry class
            PID:3780
          • C:\Windows\explorer.exe
            explorer.exe
            1⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Modifies registry class
            PID:2348
          • C:\Windows\explorer.exe
            explorer.exe
            1⤵
            • Boot or Logon Autostart Execution: Active Setup
            PID:4428
          • C:\Windows\explorer.exe
            explorer.exe
            1⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Modifies registry class
            PID:2652
          • C:\Windows\explorer.exe
            explorer.exe
            1⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Modifies registry class
            PID:1340
          • C:\Windows\explorer.exe
            explorer.exe
            1⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Modifies registry class
            PID:1628
          • C:\Windows\explorer.exe
            explorer.exe
            1⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Modifies registry class
            PID:2948
          • C:\Windows\explorer.exe
            explorer.exe
            1⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Modifies registry class
            PID:3532
          • C:\Windows\explorer.exe
            explorer.exe
            1⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Modifies registry class
            PID:3340
          • C:\Windows\explorer.exe
            explorer.exe
            1⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Modifies registry class
            PID:3380
          • C:\Windows\explorer.exe
            explorer.exe
            1⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Modifies registry class
            PID:3868
          • C:\Windows\explorer.exe
            explorer.exe
            1⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Modifies registry class
            PID:4284
          • C:\Windows\explorer.exe
            explorer.exe
            1⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Modifies registry class
            PID:3108
          • C:\Windows\explorer.exe
            explorer.exe
            1⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Modifies registry class
            PID:3960
          • C:\Windows\explorer.exe
            explorer.exe
            1⤵
              PID:1616
            • C:\Windows\explorer.exe
              explorer.exe
              1⤵
                PID:3664
              • C:\Windows\explorer.exe
                explorer.exe
                1⤵
                  PID:5004
                • C:\Windows\explorer.exe
                  explorer.exe
                  1⤵
                    PID:5008
                  • C:\Windows\explorer.exe
                    explorer.exe
                    1⤵
                      PID:1444
                    • C:\Windows\explorer.exe
                      explorer.exe
                      1⤵
                        PID:4084
                      • C:\Windows\explorer.exe
                        explorer.exe
                        1⤵
                          PID:828
                        • C:\Windows\explorer.exe
                          explorer.exe
                          1⤵
                            PID:4824
                          • C:\Windows\explorer.exe
                            explorer.exe
                            1⤵
                              PID:816
                            • C:\Windows\explorer.exe
                              explorer.exe
                              1⤵
                                PID:3824
                              • C:\Windows\explorer.exe
                                explorer.exe
                                1⤵
                                  PID:1332
                                • C:\Windows\explorer.exe
                                  explorer.exe
                                  1⤵
                                    PID:4000
                                  • C:\Windows\explorer.exe
                                    explorer.exe
                                    1⤵
                                      PID:4176
                                    • C:\Windows\explorer.exe
                                      explorer.exe
                                      1⤵
                                        PID:3412
                                      • C:\Windows\explorer.exe
                                        explorer.exe
                                        1⤵
                                          PID:1820
                                        • C:\Windows\explorer.exe
                                          explorer.exe
                                          1⤵
                                            PID:2996

                                          Network

                                          MITRE ATT&CK Enterprise v15

                                          Replay Monitor

                                          Loading Replay Monitor...

                                          Downloads

                                          • C:\ProgramData\eD21922KmPiH21922\eD21922KmPiH21922.exe
                                            Filesize

                                            414KB

                                            MD5

                                            da0f2ef0961da53b1365b5783434054b

                                            SHA1

                                            66c3ab4cc85514d63d89046092edf5d43e7ff4e2

                                            SHA256

                                            aef915b2d53903769528a06a22b121bb2227ceb119eebeb1bd8942e6e3d88259

                                            SHA512

                                            fec27af8c8b6102c1fbc54adc8f27aa5993ecb4e3dca16a2b44bcd9a6bd46c31af9568850417b8006da3e04c13d43af48f9e9558eae22845f52819f9ce3a12a4

                                            Download Submit

                                          • memory/1432-21-0x0000000000400000-0x00000000004D2000-memory.dmp

                                            Filesize

                                            840KB

                                            Download

                                          • memory/1432-22-0x0000000000400000-0x00000000004D2000-memory.dmp

                                            Filesize

                                            840KB

                                            Download

                                          • memory/1432-28-0x0000000000400000-0x00000000004D2000-memory.dmp

                                            Filesize

                                            840KB

                                            Download

                                          • memory/1432-35-0x0000000000400000-0x00000000004D2000-memory.dmp

                                            Filesize

                                            840KB

                                            Download

                                          • memory/1432-36-0x0000000000400000-0x00000000004D2000-memory.dmp

                                            Filesize

                                            840KB

                                            Download

                                          • memory/1432-37-0x0000000000400000-0x00000000004D2000-memory.dmp

                                            Filesize

                                            840KB

                                            Download

                                          • memory/1432-38-0x0000000000400000-0x00000000004D2000-memory.dmp

                                            Filesize

                                            840KB

                                            Download

                                          • memory/2136-0-0x00000000007A0000-0x00000000007A3000-memory.dmp

                                            Filesize

                                            12KB

                                            Download

                                          • memory/2136-1-0x0000000000400000-0x00000000004D2000-memory.dmp

                                            Filesize

                                            840KB

                                            Download

                                          • memory/2136-10-0x0000000000400000-0x00000000004D2000-memory.dmp

                                            Filesize

                                            840KB

                                            Download

                                          • memory/2136-19-0x0000000000400000-0x00000000004D2000-memory.dmp

                                            Filesize

                                            840KB

                                            Download