Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

5fc17490c9...18.exe

windows7-x64

10

5fc17490c9...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    140s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    20/07/2024, 08:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5fc17490c95c2ff2641f5543f3ce1dea_JaffaCakes118.exe

  • Size

    1.0MB

  • MD5

    5fc17490c95c2ff2641f5543f3ce1dea

  • SHA1

    d39b139c9cca542f423623f85a8c1833dad34902

  • SHA256

    beefe556c769966d5fb10ffb888c5d4983dce84185ba47ecc5a5ff4b36006d46

  • SHA512

    54eae9e1d2070e133d0e41e1f8d10530ac84aca04d8fb62c5a1e53a5f3ba3d082963b04158ce3a15c3ca425d553e46d1d122bff637aba71f80a86b2434843937

  • SSDEEP

    24576:lPWmOKWvpckja5YOXEbj+Veniiv1gOpJ8Y3Sdr:lP2KWGzxiv12

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies firewall policy service 3 TTPs 8 IoCs
    evasion
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 7 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry key 1 TTPs 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 35 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5fc17490c95c2ff2641f5543f3ce1dea_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\5fc17490c95c2ff2641f5543f3ce1dea_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1828
    • C:\Users\Admin\AppData\Local\Temp\msnmsgr.exe
      "C:\Users\Admin\AppData\Local\Temp\msnmsgr.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2280
      • C:\Users\Admin\AppData\Roaming\lwOcxluTOqsZtyHwcllkpMTaFSRhkn\lwOcxluTOqsZtyHwcllkpMTaFSRhkn\0.0.0.0\msnmsgr.exe
        C:\Users\Admin\AppData\Roaming\lwOcxluTOqsZtyHwcllkpMTaFSRhkn\lwOcxluTOqsZtyHwcllkpMTaFSRhkn\0.0.0.0\msnmsgr.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2172
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2776
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2588
            • C:\Windows\SysWOW64\reg.exe
              REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
              6⤵
              • Modifies firewall policy service
              • Modifies registry key
              PID:1148
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe:*:Enabled:Windows Messanger" /f
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2596
            • C:\Windows\SysWOW64\reg.exe
              REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe:*:Enabled:Windows Messanger" /f
              6⤵
              • Modifies firewall policy service
              • Modifies registry key
              PID:2584
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1540
            • C:\Windows\SysWOW64\reg.exe
              REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
              6⤵
              • Modifies firewall policy service
              • Modifies registry key
              PID:1196
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\bot.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\bot.exe:*:Enabled:Windows Messanger" /f
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2540
            • C:\Windows\SysWOW64\reg.exe
              REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\bot.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\bot.exe:*:Enabled:Windows Messanger" /f
              6⤵
              • Modifies firewall policy service
              • Modifies registry key
              PID:2804

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\lwOcxluTOqsZtyHwcllkpMTaFSRhkn\lwOcxluTOqsZtyHwcllkpMTaFSRhkn\0.0.0.0\User32.dll
    Filesize

    18KB

    MD5

    5fa07d6c6384d703766d7935de68850e

    SHA1

    62f28a572b4d1d359db7017235912ad2599b8c1d

    SHA256

    120e15dcc4a957649553cd92a5477db9dcbfd9a2cd821e1c904044b5a92d726f

    SHA512

    7775375f44e0cb00f9bffc023d797dbdb01ebe8429ccfacd7df57beb04427ef309c192d571051242aad1bc400f721f449f86deeb1e5f5d64b6f516bf24e92cc4

    Download Submit

  • \Users\Admin\AppData\Local\Temp\msnmsgr.exe
    Filesize

    760KB

    MD5

    43cad5f1c98c84a4bd4b9825e7ce1cbb

    SHA1

    1e37248419ac06e1cefd5238c7e5945af41ee3eb

    SHA256

    c704cf2ac3792a28a7b325e28bbd839a7a9cd3ebe950f42487b7f4dab8757cba

    SHA512

    d8e3d1fc5a06fe0cf50ce980b4ff7f3c56c33464a759f7a215482ee66e0a524e0975db0b3116ef53d04df41d674df3a07d6badb9dd36b99f12aaa5e048191e02

    Download Submit

  • memory/1828-0-0x0000000074181000-0x0000000074182000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1828-1-0x0000000074180000-0x000000007472B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1828-2-0x0000000074180000-0x000000007472B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1828-14-0x0000000074180000-0x000000007472B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2280-15-0x0000000074180000-0x000000007472B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2280-29-0x0000000074180000-0x000000007472B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2280-51-0x0000000074180000-0x000000007472B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2776-43-0x0000000000400000-0x0000000000459000-memory.dmp

    Filesize

    356KB

    Download

  • memory/2776-55-0x0000000000400000-0x0000000000459000-memory.dmp

    Filesize

    356KB

    Download

  • memory/2776-42-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2776-38-0x0000000000400000-0x0000000000459000-memory.dmp

    Filesize

    356KB

    Download

  • memory/2776-36-0x0000000000400000-0x0000000000459000-memory.dmp

    Filesize

    356KB

    Download

  • memory/2776-52-0x0000000000400000-0x0000000000459000-memory.dmp

    Filesize

    356KB

    Download

  • memory/2776-53-0x0000000000400000-0x0000000000459000-memory.dmp

    Filesize

    356KB

    Download

  • memory/2776-40-0x0000000000400000-0x0000000000459000-memory.dmp

    Filesize

    356KB

    Download

  • memory/2776-56-0x0000000000400000-0x0000000000459000-memory.dmp

    Filesize

    356KB

    Download

  • memory/2776-57-0x0000000000400000-0x0000000000459000-memory.dmp

    Filesize

    356KB

    Download

  • memory/2776-58-0x0000000000400000-0x0000000000459000-memory.dmp

    Filesize

    356KB

    Download

  • memory/2776-59-0x0000000000400000-0x0000000000459000-memory.dmp

    Filesize

    356KB

    Download

  • memory/2776-60-0x0000000000400000-0x0000000000459000-memory.dmp

    Filesize

    356KB

    Download

  • memory/2776-61-0x0000000000400000-0x0000000000459000-memory.dmp

    Filesize

    356KB

    Download

  • memory/2776-62-0x0000000000400000-0x0000000000459000-memory.dmp

    Filesize

    356KB

    Download

  • memory/2776-63-0x0000000000400000-0x0000000000459000-memory.dmp

    Filesize

    356KB

    Download