Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

6942c25e20...18.exe

windows7-x64

7

6942c25e20...18.exe

windows10-2004-x64

3

Analysis

  • max time kernel
    150s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    23/07/2024, 22:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6942c25e20fe4e18e7545ac2137f409a_JaffaCakes118.exe

  • Size

    112KB

  • MD5

    6942c25e20fe4e18e7545ac2137f409a

  • SHA1

    ae1ce8e5808b6919582423c8408692607e0c0902

  • SHA256

    54f2697220200b334a42b5800f841002629d78dab13ee49f2f6577847d0e276b

  • SHA512

    9004bf525104e7221bc1aca7eb76144a0ce679a35e885f8e1391fda5bc1bf723facba91e87e4e75476286440f8cbe9fef0d5304acbb4fffe09065392a551dedf

  • SSDEEP

    3072:MstjE+tiz2zy6YzVi6zz0/Q9qBnkn4wX42T0:6+wAy68V5WrRRMnY

Score
7/10
discoverypersistencespywarestealer

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 33 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs

Processes

  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    1⤵
      PID:1104
    • C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      1⤵
        PID:1152
      • C:\Windows\Explorer.EXE
        C:\Windows\Explorer.EXE
        1⤵
          PID:1200
          • C:\Users\Admin\AppData\Local\Temp\6942c25e20fe4e18e7545ac2137f409a_JaffaCakes118.exe
            "C:\Users\Admin\AppData\Local\Temp\6942c25e20fe4e18e7545ac2137f409a_JaffaCakes118.exe"
            2⤵
            • Loads dropped DLL
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of UnmapMainImage
            • Suspicious use of WriteProcessMemory
            PID:2228
            • C:\Users\Admin\AppData\Roaming\Erbud\ambi.exe
              "C:\Users\Admin\AppData\Roaming\Erbud\ambi.exe"
              3⤵
              • Executes dropped EXE
              • Adds Run key to start application
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of UnmapMainImage
              • Suspicious use of WriteProcessMemory
              PID:2840
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpe8debc87.bat"
              3⤵
              • Deletes itself
              • System Location Discovery: System Language Discovery
              PID:480
        • C:\Windows\system32\DllHost.exe
          C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
          1⤵
            PID:1248
          • C:\Windows\system32\DllHost.exe
            C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
            1⤵
              PID:660
            • C:\Windows\system32\DllHost.exe
              C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
              1⤵
                PID:1744

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\tmpe8debc87.bat
                Filesize

                271B

                MD5

                5d70388b21b39a72ad455a3a347a6f94

                SHA1

                61e99af6a77f32d6451d11df1148cd57f15fbce1

                SHA256

                453d90835965baa9900d9f6172911c9e6ccf574359f27bee0deb97e319df3e86

                SHA512

                29a3474b8f82258b6b2c08d255dcc3007fe16247fbf9c07ee5439b3620f95b7e8428b17d5a15f37fb0494a7a3d6850c11e6b0fc63ba6baab2ab26d1c49724b6b

                Download Submit

              • C:\Users\Admin\AppData\Roaming\Opigi\puony.siu
                Filesize

                380B

                MD5

                8efbe6c5ab0af95fa4dffaa02d0cee65

                SHA1

                2c3ef1f629e4234709e6b6da163fa8402c95241d

                SHA256

                213624e87b8bb1d5f5a21aed541e6dcd01cf25559ca8a3b4498e46d4cedde1d6

                SHA512

                dd789fc682d001740261eef0eefdb96397a3b11fe217fa9e8f197dd33bc63f030c079702ff001a444f6e46e4e32b95f3f06475441b983914a29af4c6c9936e03

                Download Submit

              • \Users\Admin\AppData\Roaming\Erbud\ambi.exe
                Filesize

                112KB

                MD5

                f300949ee9b894d4a47289ecafc6b173

                SHA1

                daba056b6409f7348875a827d40cc83d0a9753b3

                SHA256

                9161d337ef4ecb365d05aa2dece975b43a2b09feb9c455ffd2757618b30a5101

                SHA512

                fbb6c74c19a25446fd6b5bc4bc6d03da9768b592cb3a26e908c6ce8c4ed89a1166339f999e220bd80646bbc5d0054ddf1770b3d395a6443d3915107f23071548

                Download Submit

              • memory/1104-17-0x0000000001FB0000-0x0000000001FD6000-memory.dmp

                Filesize

                152KB

                Download

              • memory/1104-21-0x0000000001FB0000-0x0000000001FD6000-memory.dmp

                Filesize

                152KB

                Download

              • memory/1104-23-0x0000000001FB0000-0x0000000001FD6000-memory.dmp

                Filesize

                152KB

                Download

              • memory/1104-19-0x0000000001FB0000-0x0000000001FD6000-memory.dmp

                Filesize

                152KB

                Download

              • memory/1104-25-0x0000000001FB0000-0x0000000001FD6000-memory.dmp

                Filesize

                152KB

                Download

              • memory/1152-32-0x00000000001D0000-0x00000000001F6000-memory.dmp

                Filesize

                152KB

                Download

              • memory/1152-36-0x00000000001D0000-0x00000000001F6000-memory.dmp

                Filesize

                152KB

                Download

              • memory/1152-30-0x00000000001D0000-0x00000000001F6000-memory.dmp

                Filesize

                152KB

                Download

              • memory/1152-34-0x00000000001D0000-0x00000000001F6000-memory.dmp

                Filesize

                152KB

                Download

              • memory/1200-42-0x0000000002500000-0x0000000002526000-memory.dmp

                Filesize

                152KB

                Download

              • memory/1200-46-0x0000000002500000-0x0000000002526000-memory.dmp

                Filesize

                152KB

                Download

              • memory/1200-44-0x0000000002500000-0x0000000002526000-memory.dmp

                Filesize

                152KB

                Download

              • memory/1200-40-0x0000000002500000-0x0000000002526000-memory.dmp

                Filesize

                152KB

                Download

              • memory/1248-56-0x00000000023E0000-0x0000000002406000-memory.dmp

                Filesize

                152KB

                Download

              • memory/1248-54-0x00000000023E0000-0x0000000002406000-memory.dmp

                Filesize

                152KB

                Download

              • memory/1248-52-0x00000000023E0000-0x0000000002406000-memory.dmp

                Filesize

                152KB

                Download

              • memory/1248-50-0x00000000023E0000-0x0000000002406000-memory.dmp

                Filesize

                152KB

                Download

              • memory/2228-141-0x0000000002820000-0x0000000002821000-memory.dmp

                Filesize

                4KB

                Download

              • memory/2228-71-0x0000000002820000-0x0000000002821000-memory.dmp

                Filesize

                4KB

                Download

              • memory/2228-0-0x0000000000400000-0x0000000000427000-memory.dmp

                Filesize

                156KB

                Download

              • memory/2228-5-0x0000000000400000-0x0000000000426000-memory.dmp

                Filesize

                152KB

                Download

              • memory/2228-1-0x0000000000470000-0x0000000000472000-memory.dmp

                Filesize

                8KB

                Download

              • memory/2228-4-0x0000000000400000-0x0000000000426000-memory.dmp

                Filesize

                152KB

                Download

              • memory/2228-3-0x0000000000400000-0x0000000000426000-memory.dmp

                Filesize

                152KB

                Download

              • memory/2228-10-0x00000000027F0000-0x0000000002817000-memory.dmp

                Filesize

                156KB

                Download

              • memory/2228-87-0x00000000774D0000-0x00000000774D1000-memory.dmp

                Filesize

                4KB

                Download

              • memory/2228-79-0x0000000002820000-0x0000000002821000-memory.dmp

                Filesize

                4KB

                Download

              • memory/2228-77-0x0000000002820000-0x0000000002821000-memory.dmp

                Filesize

                4KB

                Download

              • memory/2228-75-0x0000000002820000-0x0000000002821000-memory.dmp

                Filesize

                4KB

                Download

              • memory/2228-73-0x0000000002820000-0x0000000002821000-memory.dmp

                Filesize

                4KB

                Download

              • memory/2228-60-0x00000000027F0000-0x0000000002816000-memory.dmp

                Filesize

                152KB

                Download

              • memory/2228-69-0x0000000002820000-0x0000000002821000-memory.dmp

                Filesize

                4KB

                Download

              • memory/2228-68-0x00000000027F0000-0x0000000002816000-memory.dmp

                Filesize

                152KB

                Download

              • memory/2228-66-0x00000000027F0000-0x0000000002816000-memory.dmp

                Filesize

                152KB

                Download

              • memory/2228-64-0x00000000027F0000-0x0000000002816000-memory.dmp

                Filesize

                152KB

                Download

              • memory/2228-62-0x00000000027F0000-0x0000000002816000-memory.dmp

                Filesize

                152KB

                Download

              • memory/2228-165-0x0000000000400000-0x0000000000426000-memory.dmp

                Filesize

                152KB

                Download

              • memory/2228-2-0x0000000000400000-0x0000000000426000-memory.dmp

                Filesize

                152KB

                Download

              • memory/2228-166-0x00000000027F0000-0x0000000002816000-memory.dmp

                Filesize

                152KB

                Download

              • memory/2840-29-0x0000000000400000-0x0000000000426000-memory.dmp

                Filesize

                152KB

                Download

              • memory/2840-282-0x0000000000400000-0x0000000000427000-memory.dmp

                Filesize

                156KB

                Download

              • memory/2840-283-0x0000000000400000-0x0000000000426000-memory.dmp

                Filesize

                152KB

                Download