Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

6afd9c0138...18.exe

windows7-x64

7

6afd9c0138...18.exe

windows10-2004-x64

7

$LOCALAPPD...ub.dll

windows7-x64

3

$LOCALAPPD...ub.dll

windows10-2004-x64

3

$PLUGINSDI...ns.dll

windows7-x64

3

$PLUGINSDI...ns.dll

windows10-2004-x64

3

RegistInstallCnt.exe

windows7-x64

3

RegistInstallCnt.exe

windows10-2004-x64

3

WinTool.exe

windows7-x64

3

WinTool.exe

windows10-2004-x64

3

uninst.exe

windows7-x64

7

uninst.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    159s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24/07/2024, 08:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6afd9c0138821dfae71915f9e3011864_JaffaCakes118.exe

  • Size

    210KB

  • MD5

    6afd9c0138821dfae71915f9e3011864

  • SHA1

    20adc60e5bb551b2e56e3a6ecb061f40f62ed964

  • SHA256

    c8eff05ddf176ea6b12f5e973263f9eb2c5961300312873d328a18eb8995b504

  • SHA512

    6eba5505b5f1067df9b17ece16109d85809cde42dbc3b1cc8d038ac026455538eb69cc606fd079315b578c9f6a2f02f2fc19ca157f186012bbd9e5911acf9d56

  • SSDEEP

    3072:sgXdZt9P6D3XJR45bwA4n36s2tB+tpv2Yb5DaFOjDwHYOZF5V09sy24p7q0iK0sl:se34PePotb5ao3wVF5V0yAq0Qi

Score
7/10
discoverypersistence

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 17 IoCs
    adwarespyware
  • Modifies registry class 46 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6afd9c0138821dfae71915f9e3011864_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\6afd9c0138821dfae71915f9e3011864_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2716
    • C:\Program Files (x86)\WinTool\RegistInstallCnt.exe
      "C:\Program Files (x86)\WinTool\RegistInstallCnt.exe" -serverUrl www.utilheaven.co.kr -object /setup/ToolMacAddress.php?MacAddress=%s&partnerid=utilheaven
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2084
    • C:\Program Files (x86)\WinTool\WinTool.exe
      "C:\Program Files (x86)\WinTool\WinTool.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:3628
  • C:\Program Files (x86)\Internet Explorer\ielowutil.exe
    "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
    1⤵
    • System Location Discovery: System Language Discovery
    PID:4420
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4216
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4216 CREDAT:17410 /prefetch:2
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1000

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\WinTool\RegistInstallCnt.exe
    Filesize

    28KB

    MD5

    a13f46ce6314a6033024f51252270a29

    SHA1

    0f03027e24898a1462294853175a50870f294fb0

    SHA256

    a39d15ae4d9ca76665a9d32f484c6aa0512232e892d4a19b07b54ea9448ca499

    SHA512

    2d7487fa56a873346a24024c4098d11ea909e36d1dd429086652ad7c0a604cc29c58961f9fe2025509b806937ce1c6f2191fbb67cdd8e3f38c8810b3013dd48b

    Download Submit

  • C:\Program Files (x86)\WinTool\WinTool.exe
    Filesize

    48KB

    MD5

    9cc9a18f4f0ca6d8fbdbb8d5410f303b

    SHA1

    69ab499110d32112c15c5cb599fb31f21eb331d5

    SHA256

    14f68999325122f5fdeaba0c23a94eee68db9c462b6101acc1ffdcce308987dc

    SHA512

    b0f0f6b31954baf9baef2dc8f7b08daa9dc63a63853763b3576fb87eb3cb675e354e0257344b9532037b50569a696c76fe55c59e0df469b97189232d79c33567

    Download Submit

  • C:\Users\Admin\AppData\Local\WinTool\WinToolSub.dll
    Filesize

    252KB

    MD5

    3d73a5800f2af02ef1b3b34a36881227

    SHA1

    79e3a65dbb62e52bb934639a766919a8861b928d

    SHA256

    2c45fa1e78858464186bd35154e9cc655ea704ecaa8c87abe274d4d4e304488f

    SHA512

    c00999beb76d4059f560b0e986130d4c006a6366f9fb27e882a4441dd71902d6d3b763fc8487e678bde6dce491a260f5decc513ebde8154df18387959979a04a

    Download Submit