Analysis

  • max time kernel
    150s
  • max time network
    128s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    24/07/2024, 00:58

General

  • Target

    69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe

  • Size

    1.0MB

  • MD5

    69a8abd71b135b53dbae1c43076902c1

  • SHA1

    d9f5c3c92f1996a972d2a8e2cbfa494a2598d960

  • SHA256

    14935216d45b2e4a4c0883237dadcd4489a2ab1b1e9908f1f54d383523a47012

  • SHA512

    cf06bf6501c0e0124d75189f47e80abd13295377718861d2c584e0b7a8c7d3d17a8713fa9b4a494aa2cafd239613cb6581c4a747c2e2fddedf56c82c8ef71655

  • SSDEEP

    24576:0J94Ob3Cx0i0o6zsday2COaHVHn/e6af4fVjbHomTOyzdI/CMgDb:0Jzyx0bsS2HVHn/VafeVjsuOkdI/M

Malware Config

Signatures

  • Modifies Windows Firewall 2 TTPs 8 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • UPX packed file 15 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • AutoIT Executable 14 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in Windows directory 32 IoCs
  • Access Token Manipulation: Create Process with Token 1 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 24 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2728
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="ITx_updater_run" dir=in action=allow description="updater run without uac" program="C:\Users\Admin\Desktop\ITx__Updater.exe" enable=yes protocol=any profile=public,private
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2864
      • C:\Windows\SysWOW64\netsh.exe
        netsh advfirewall firewall add rule name="ITx_updater_run" dir=in action=allow description="updater run without uac" program="C:\Users\Admin\Desktop\ITx__Updater.exe" enable=yes protocol=any profile=public,private
        3⤵
        • Modifies Windows Firewall
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:2968
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="ITx_jobs_64" dir=in action=allow description="jobs 64" program="C:\Windows\debug\ITx_jobs_64bit_v5.exe" enable=yes protocol=any profile=public,private
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2620
      • C:\Windows\SysWOW64\netsh.exe
        netsh advfirewall firewall add rule name="ITx_jobs_64" dir=in action=allow description="jobs 64" program="C:\Windows\debug\ITx_jobs_64bit_v5.exe" enable=yes protocol=any profile=public,private
        3⤵
        • Modifies Windows Firewall
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:2608
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="ITx_runasti_64" dir=in action=allow description="runasti 64" program="C:\Windows\debug\ITx_RunAsTI_64bit_v5.exe" enable=yes protocol=any profile=public,private
      2⤵
      • Access Token Manipulation: Create Process with Token
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2756
      • C:\Windows\SysWOW64\netsh.exe
        netsh advfirewall firewall add rule name="ITx_runasti_64" dir=in action=allow description="runasti 64" program="C:\Windows\debug\ITx_RunAsTI_64bit_v5.exe" enable=yes protocol=any profile=public,private
        3⤵
        • Modifies Windows Firewall
        • Access Token Manipulation: Create Process with Token
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:1072
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="ITx_updater" dir=in action=allow description="updater ITx" program="C:\Users\Admin\Desktop\ITx_updater.exe" enable=yes protocol=any profile=public,private
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2648
      • C:\Windows\SysWOW64\netsh.exe
        netsh advfirewall firewall add rule name="ITx_updater" dir=in action=allow description="updater ITx" program="C:\Users\Admin\Desktop\ITx_updater.exe" enable=yes protocol=any profile=public,private
        3⤵
        • Modifies Windows Firewall
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:3036
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="ITx_kms_1" dir=in action=allow description="kms file 1" program="C:\Windows\AutoKMS\AutoKMS.exe" enable=yes protocol=any profile=public,private
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1052
      • C:\Windows\SysWOW64\netsh.exe
        netsh advfirewall firewall add rule name="ITx_kms_1" dir=in action=allow description="kms file 1" program="C:\Windows\AutoKMS\AutoKMS.exe" enable=yes protocol=any profile=public,private
        3⤵
        • Modifies Windows Firewall
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:1060
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="ITx_kms_2" dir=in action=allow description="kms file 2" program="C:\Windows\Temp\SppExtComObjHook.dll" enable=yes protocol=any profile=public,private
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:572
      • C:\Windows\SysWOW64\netsh.exe
        netsh advfirewall firewall add rule name="ITx_kms_2" dir=in action=allow description="kms file 2" program="C:\Windows\Temp\SppExtComObjHook.dll" enable=yes protocol=any profile=public,private
        3⤵
        • Modifies Windows Firewall
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:1968
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="ITx_checker" dir=in action=allow description="Nu Ma Uita" program="C:\Windows\debug\NuMaUita.exe" enable=yes protocol=any profile=public,private
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1048
      • C:\Windows\SysWOW64\netsh.exe
        netsh advfirewall firewall add rule name="ITx_checker" dir=in action=allow description="Nu Ma Uita" program="C:\Windows\debug\NuMaUita.exe" enable=yes protocol=any profile=public,private
        3⤵
        • Modifies Windows Firewall
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:2136
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="ITx_downloader_updater" dir=in action=allow description="downloader updater" program="C:\Windows\debug\ITx_downloader_updater.exe" enable=yes protocol=any profile=public,private
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2272
      • C:\Windows\SysWOW64\netsh.exe
        netsh advfirewall firewall add rule name="ITx_downloader_updater" dir=in action=allow description="downloader updater" program="C:\Windows\debug\ITx_downloader_updater.exe" enable=yes protocol=any profile=public,private
        3⤵
        • Modifies Windows Firewall
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:2192

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Windows\debug\downloads\ITx_updater.ini

    Filesize

    435B

    MD5

    b9949ee1474ff64ab49797d1b600cd5a

    SHA1

    af3773cd67e5ef6fd3946ec637df012fbe92b859

    SHA256

    f95b9589c1c5e331707503e48a4c818745c4a8a0477b1bb517c5c609f7a14094

    SHA512

    8c6835a12f019aa9668f765d2218bd55cf99e2ee4e2202641cfc5a4ffa8b1ee42257c2705dc903a3aca1e9f9511b85d3fc17017b95c1a5ae6be62e9d8ac43970

  • C:\Windows\debug\l0gs\KB2737083.log

    Filesize

    62B

    MD5

    3ac2008f896a8778d254e2184799debe

    SHA1

    f486d8ffd82c87a94d8537f95b00d61669972865

    SHA256

    3a3b8862266eb491386d7533d4e40773ec6411a4c5b4f84ea98a86a484b87007

    SHA512

    a7751d4f2f47fb30cd5450d560bbb570f34fd0d4eebf6222ef82f320712f14e11d68a2d7c84fb6abd044772c75d6740fb3fe65ef1bd98d8d8f4e40541b7706e6

  • C:\Windows\debug\l0gs\KB2742613.log

    Filesize

    62B

    MD5

    2087e6ac683fa46c02fae527a825c371

    SHA1

    739284a7922100221441fa9879a1bb4692c40314

    SHA256

    11fc4b649425dc650f72acd0e0197a6648c0fab2a1f84a53935dee2db736dd69

    SHA512

    b024b0e7c9dbd1a893c2a35293aee93976dae70af5312b1a73a62c251d953637a5a297259847847c918ff80297ead36a4e31fcaec0a83e8e5c7559632be501bb

  • C:\Windows\debug\l0gs\KB2750147.log

    Filesize

    62B

    MD5

    f8c3d6e402d0ba479c8fff2cd472b1a5

    SHA1

    ab6174e1af9dc4cabcb96b24024c690be12fbaaa

    SHA256

    0a06b89043cb4c928ff5f90ae5ca1e780dc6d6daa6346d5b9d482aa6e3a1d42c

    SHA512

    1529b3159c5923f45114a315e7918806212c04c75978a31c3419375ca5159937ab932c282ef7b1f196eaeb8c55edfee8f6893a4b9faad2d0b655c58fad6409d6

  • C:\Windows\debug\l0gs\KB2789648.log

    Filesize

    62B

    MD5

    5849007e71373d7688513fbe26f010b9

    SHA1

    74324319c774d5d9151758bd7b3c8c50027bc0a4

    SHA256

    62a4f24cf693a16146bd5331ac841da496577b61408e5b0cfddd9a5e53617f04

    SHA512

    bc8247edb466a92f051d21bac30eefde42193b6f6c535feecd1d2a4a3b8dce7bab6d37b2b742fef088b72c0814cbe0f83ae2f50ee32f3432ebc738f6fc14c599

  • C:\Windows\debug\l0gs\_Office_2010.log

    Filesize

    69B

    MD5

    389c5f66e8b220121b900933bfb3b067

    SHA1

    ee8ee327bf02801930463e73c10bcd02b7a0f7c3

    SHA256

    58e42d01517b5af9885a6e7f64b0ec3fa25f27fc97a4bbfa1f931ac3dba9ecf8

    SHA512

    b3892cf520dd1ba02ddd30bfae7af05328557c29e9afafb5fa2aa0aa704678d8daa452bedafc639bfd279899c140f34123963d2db9c0528d31b94182786ece7d

  • memory/2728-156-0x0000000000400000-0x0000000000496000-memory.dmp

    Filesize

    600KB

  • memory/2728-159-0x0000000000400000-0x0000000000496000-memory.dmp

    Filesize

    600KB

  • memory/2728-154-0x0000000000400000-0x0000000000496000-memory.dmp

    Filesize

    600KB

  • memory/2728-155-0x0000000000400000-0x0000000000496000-memory.dmp

    Filesize

    600KB

  • memory/2728-0-0x0000000000400000-0x0000000000496000-memory.dmp

    Filesize

    600KB

  • memory/2728-157-0x0000000000400000-0x0000000000496000-memory.dmp

    Filesize

    600KB

  • memory/2728-158-0x0000000000400000-0x0000000000496000-memory.dmp

    Filesize

    600KB

  • memory/2728-81-0x0000000000400000-0x0000000000496000-memory.dmp

    Filesize

    600KB

  • memory/2728-160-0x0000000000400000-0x0000000000496000-memory.dmp

    Filesize

    600KB

  • memory/2728-161-0x0000000000400000-0x0000000000496000-memory.dmp

    Filesize

    600KB

  • memory/2728-162-0x0000000000400000-0x0000000000496000-memory.dmp

    Filesize

    600KB

  • memory/2728-163-0x0000000000400000-0x0000000000496000-memory.dmp

    Filesize

    600KB

  • memory/2728-164-0x0000000000400000-0x0000000000496000-memory.dmp

    Filesize

    600KB

  • memory/2728-165-0x0000000000400000-0x0000000000496000-memory.dmp

    Filesize

    600KB

  • memory/2728-166-0x0000000000400000-0x0000000000496000-memory.dmp

    Filesize

    600KB