Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20240709-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    27/07/2024, 02:00

General

  • Target

    76a486a3ce83acdba53132f1ad857ae7_JaffaCakes118.exe

  • Size

    716KB

  • MD5

    76a486a3ce83acdba53132f1ad857ae7

  • SHA1

    e79f56abf817e54c2b44df025c5dfa592b950744

  • SHA256

    df442bce7867eb04d2d05587dbdd7de144710d201ffb532156748a7f3bac8ff4

  • SHA512

    f862aee17e78dc4863bcf58151a2ddaf15994072e7503cd443c8ec0ece1950adf455af4e5bf59b0d934338a78ec51ae6a4ab25d2f3370bfb375f47aabf974ecc

  • SSDEEP

    12288:LrgNANdEly2170FRY7kq5rfE5DWcoRdXu7Z4Wp9CbYXUR8L:QIur17YNKfEB3oK4Wp9CbRu

Malware Config

Signatures

  • Detected Nirsoft tools 2 IoCs

    Free utilities often used by attackers which can steal passwords, product keys, etc.

  • Executes dropped EXE 8 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops desktop.ini file(s) 1 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Modifies registry class 46 IoCs
  • Runs regedit.exe 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs
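
The "Writes to the Master Boot Record (MBR)" hit is the one signature above that outlives a reimage of C:\, so the check a responder wants is whether the bootstrap code in sector 0 still matches a known-good baseline. The following is an added example, not code from tria.ge or from the sample: it parses a 512-byte MBR image (440 bytes of bootstrap code, the 4-byte disk signature, the four 16-byte partition entries and the 0x55AA trailer) and diffs two images by bootstrap-code hash, disk signature and partition table. The MBR bytes are constructed for the demo; on a real host the sector is read with open(r"\\.\PhysicalDrive0", "rb").read(512) as Administrator, and on a UEFI/GPT disk the protective MBR's bootstrap area is normally all zeros, so the baseline must come from the same disk.

```python
"""Parse a 512-byte MBR and diff it against a baseline (added example)."""
import hashlib
import struct

MBR_SIZE = 512
BOOTCODE_SIZE = 440            # bootstrap code precedes the 4-byte disk signature
DISK_SIG_OFFSET = 440
PARTITION_TABLE_OFFSET = 446   # four 16-byte entries
SIGNATURE_OFFSET = 510         # 0x55 0xAA


def parse_mbr(sector: bytes) -> dict:
    """Return the fields a bootkit overwrite would disturb."""
    if len(sector) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(sector)}")
    bootcode = sector[:BOOTCODE_SIZE]
    disk_sig = struct.unpack_from("<I", sector, DISK_SIG_OFFSET)[0]
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        # status, CHS start (3 bytes, skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype != 0:
            partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {
        "signature_ok": sector[SIGNATURE_OFFSET:] == b"\x55\xAA",
        "bootcode_sha256": hashlib.sha256(bootcode).hexdigest(),
        "disk_signature": disk_sig,
        "partitions": partitions,
    }


def diff_mbr(baseline: bytes, current: bytes) -> list:
    """Human-readable findings describing what changed between two MBR images."""
    b, c = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if not c["signature_ok"]:
        findings.append("boot signature 0x55AA missing: sector is not a valid MBR")
    if b["bootcode_sha256"] != c["bootcode_sha256"]:
        findings.append("bootstrap code changed (bootkit-style MBR overwrite)")
    if b["disk_signature"] != c["disk_signature"]:
        findings.append("disk signature changed")
    if b["partitions"] != c["partitions"]:
        findings.append("partition table changed")
    return findings


def build_demo_mbr(bootcode: bytes) -> bytes:
    """Constructed MBR for the demo: given bootstrap code, one bootable NTFS partition."""
    code = bootcode.ljust(BOOTCODE_SIZE, b"\x00")
    disk_sig = struct.pack("<I", 0xDEADBEEF) + b"\x00\x00"       # signature + 2 reserved bytes
    part1 = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    table = part1 + b"\x00" * 48                                   # entries 2-4 unused
    return code + disk_sig + table + b"\x55\xAA"


# Constructed samples: a "clean" sector and one whose bootstrap code was replaced,
# which is what a bootkit does to insert itself before the OS loader runs.
CLEAN_MBR = build_demo_mbr(b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * 100)
TAMPERED_MBR = build_demo_mbr(b"\xEA\x00\x7C\x00\x00" + b"\x90" * 100)

if __name__ == "__main__":
    for finding in diff_mbr(CLEAN_MBR, TAMPERED_MBR):
        print("FINDING:", finding)
```

Partition-table and disk-signature changes are reported separately from bootstrap-code changes because Windows itself rewrites the former during legitimate disk operations; only the bootstrap hash moving without a corresponding administrative action is a bootkit indicator.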

Processes

  • C:\Users\Admin\AppData\Local\Temp\76a486a3ce83acdba53132f1ad857ae7_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\76a486a3ce83acdba53132f1ad857ae7_JaffaCakes118.exe"
    1⤵
    • Writes to the Master Boot Record (MBR)
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies Internet Explorer settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:404
    • C:\Windows\SysWOW64\regedit.exe
      regedit /s C:\Users\Admin\AppData\Local\Temp\$rar10987.tmp
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Runs regedit.exe
      PID:3508
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$RAVSING.bat
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2952
    • C:\Windows\SysWOW64\regedit.exe
      C:\Windows\regedit.exe /s C:\Users\Admin\AppData\Local\Temp\bbhhhik.tmp
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Runs regedit.exe
      PID:4712
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$edbs.bat
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1616
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$rcqi.bat
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3452
      • C:\Windows\RtkSYUdp.exe
        C:\Windows\RtkSYUdp.exe filldelete "C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\."
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:4896
      • C:\Windows\RtkSYUdp.exe
        C:\Windows\RtkSYUdp.exe filldelete "C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\.."
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:456
      • C:\Windows\RtkSYUdp.exe
        C:\Windows\RtkSYUdp.exe filldelete "C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\desktop.ini"
        3⤵
        • Executes dropped EXE
        • Drops desktop.ini file(s)
        • System Location Discovery: System Language Discovery
        PID:5060
      • C:\Windows\RtkSYUdp.exe
        C:\Windows\RtkSYUdp.exe filldelete "C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\GOOGLE~1.LNK"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2116
      • C:\Windows\RtkSYUdp.exe
        C:\Windows\RtkSYUdp.exe filldelete "C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\MICROS~1.LNK"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:4488
      • C:\Windows\RtkSYUdp.exe
        C:\Windows\RtkSYUdp.exe filldelete "C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\SHOWSD~1.LNK"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:800
      • C:\Windows\RtkSYUdp.exe
        C:\Windows\RtkSYUdp.exe filldelete "C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\USERPI~1"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:4700
      • C:\Windows\RtkSYUdp.exe
        C:\Windows\RtkSYUdp.exe filldelete "C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\WINDOW~1.LNK"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:1200
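
The process tree above shows three patterns worth turning into detection logic: regedit.exe importing a file silently (/s) from the user's Temp directory, cmd.exe /c running .bat files out of Temp, and a freshly dropped binary sitting directly under C:\Windows (RtkSYUdp.exe) being launched repeatedly with a "filldelete" argument against the Quick Launch folder. The following is an added example, not code from tria.ge or from the sample: it encodes those three rules and runs them over the command lines from this report. The EVENTS list is transcribed from the tree on this page; the rule names, the KNOWN_WINDOWS_ROOT allowlist and the Finding type are my own and are illustrative, not a complete allowlist of binaries Windows ships in its root directory.

```python
"""Three process-creation rules run over the command lines from the report (added example)."""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    pid: int
    rule: str
    cmdline: str


# Per-user Temp directory, as seen in the sandbox paths on this page.
TEMP_DIR = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)
# An image directly under C:\Windows\ (no subdirectory), which is where RtkSYUdp.exe was dropped.
WINDOWS_ROOT_IMAGE = re.compile(r"^C:\\Windows\\[^\\]+\.exe$", re.IGNORECASE)
# Illustrative allowlist (assumption): a few binaries Windows legitimately keeps in its root.
KNOWN_WINDOWS_ROOT = {
    r"c:\windows\explorer.exe", r"c:\windows\regedit.exe", r"c:\windows\notepad.exe",
    r"c:\windows\hh.exe", r"c:\windows\write.exe", r"c:\windows\splwow64.exe",
}


def check_event(pid: int, image: str, cmdline: str) -> list:
    """Apply the three rules to one process-creation event."""
    findings = []
    lower = cmdline.lower()
    tokens = lower.split()
    if image.lower().endswith("\\regedit.exe") and "/s" in tokens and TEMP_DIR.search(cmdline):
        findings.append(Finding(pid, "regedit_silent_import_from_temp", cmdline))
    if (image.lower().endswith("\\cmd.exe") and " /c " in lower
            and TEMP_DIR.search(cmdline) and lower.rstrip().endswith(".bat")):
        findings.append(Finding(pid, "cmd_runs_bat_from_temp", cmdline))
    if WINDOWS_ROOT_IMAGE.match(image) and image.lower() not in KNOWN_WINDOWS_ROOT:
        findings.append(Finding(pid, "dropped_exe_in_windows_root", cmdline))
    return findings


def scan(events) -> list:
    out = []
    for pid, image, cmdline in events:
        out.extend(check_event(pid, image, cmdline))
    return out


def rule_counts(findings) -> dict:
    counts = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


# Constructed from the process tree in this report: (PID, image path, command line).
EVENTS = [
    (404, r"C:\Users\Admin\AppData\Local\Temp\76a486a3ce83acdba53132f1ad857ae7_JaffaCakes118.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\76a486a3ce83acdba53132f1ad857ae7_JaffaCakes118.exe"'),
    (3508, r"C:\Windows\SysWOW64\regedit.exe",
     r"regedit /s C:\Users\Admin\AppData\Local\Temp\$rar10987.tmp"),
    (2952, r"C:\Windows\SysWOW64\cmd.exe",
     r"C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$RAVSING.bat"),
    (4712, r"C:\Windows\SysWOW64\regedit.exe",
     r"C:\Windows\regedit.exe /s C:\Users\Admin\AppData\Local\Temp\bbhhhik.tmp"),
    (1616, r"C:\Windows\SysWOW64\cmd.exe",
     r"C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$edbs.bat"),
    (3452, r"C:\Windows\SysWOW64\cmd.exe",
     r"C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$rcqi.bat"),
    (4896, r"C:\Windows\RtkSYUdp.exe",
     r'C:\Windows\RtkSYUdp.exe filldelete "C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\."'),
    (5060, r"C:\Windows\RtkSYUdp.exe",
     r'C:\Windows\RtkSYUdp.exe filldelete "C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\desktop.ini"'),
]

if __name__ == "__main__":
    for f in scan(EVENTS):
        print(f"PID {f.pid:>5}  {f.rule:<32} {f.cmdline}")
```

The rules key on the image path rather than the first token of the command line because, as the tree shows, the command line can name C:\Windows\regedit.exe or C:\Windows\system32\cmd.exe while the process actually running is the SysWOW64 copy; the image path is the field the event source records, the command line is attacker-controlled.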

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\$$RAVSING.bat

    Filesize

    361B

    MD5

    ee6683d37b35aefab668378230f6e956

    SHA1

    a0aa06d7d10963af58b44ddee5f8c177ff061917

    SHA256

    fb8e749b925ec65d3844e7ee48055fa6375b9fe988169fa8135ecb277452c2e2

    SHA512

    7ca13b1ef07a4763406aaac8a841baafd3a1054dbdd1b3a51a1a1f2a8247d47f17ce826e8ebe2468ed0d3399c7634452d89a6a99e8ab3eeec9653614ae8f33c5

  • C:\Users\Admin\AppData\Local\Temp\$$edbs.bat

    Filesize

    59B

    MD5

    0cf180f20e716094bef34db0f1a39a04

    SHA1

    f8e9da5d8eaf347b240a77c6a9c4f494d4fc351b

    SHA256

    2a72298ec1d957d1d225aec50a4e6e32c5dec2f2645f25e580304e5c7ae5bb26

    SHA512

    a471fee35dfc685effb46fcc37d47d7210fad3fdba7cb5342b13e11f95ae7690e4053b3399bca6da7546015a479ce55a301c6934be8bab7ec9eae5aece8bdb3b

  • C:\Users\Admin\AppData\Local\Temp\$$rcqi.bat

    Filesize

    1KB

    MD5

    f5ce77a1fe1093be0428776565201065

    SHA1

    d44b219f3bda9d844ea79d1949a02c088e035952

    SHA256

    4894cebd0f14cc42ee15ae47d6898eb71781408cb051b6083d3b52769a77db1a

    SHA512

    84d0e79f7fbfa4ebfd9fef4a2cdb1d051ca763b1d422f781bf5f041a864bc509d93ccc2992a8d96c51f0fdac976109a1c5fe2d1395aae5906f0e8ecb6ee6d2ab

  • C:\Users\Admin\AppData\Local\Temp\$rar10987.tmp

    Filesize

    1KB

    MD5

    185038ec1cc9a69a109726c8989e4cf5

    SHA1

    bfb62037297e8533e5f3940a32fb9505acf4fe26

    SHA256

    48ccff6cd96445619998a70fad77f5e655a9d146b93d0d160656619728c4e727

    SHA512

    bb0065a36a9bc48199943b21f3c3f10916fd15aa54201513f344464d962b5e6339e1df1b932043a914a662631f842a2f3b7a2c6e8c4e414567c5ea8ac9950391

  • C:\Users\Admin\AppData\Local\Temp\IEXPLORE.tmp

    Filesize

    1KB

    MD5

    88cac20e0e03eb12500a8887802ba99f

    SHA1

    9de3df04d13b5966fa2fcabc75d0b3885a0774f2

    SHA256

    c2b370747c3f4051c434d505ad18a491c755b26ed7d890dfe7458a2d4a6668b2

    SHA512

    33ff133cbc6fce40472549d9c64c72638eb9b5e74af8f8675afa38a42fedb3c1e76c2d63a19b344bc729ee2165e2d2d40913c711677995abf6a5a822dad7fabc

  • C:\Users\Admin\AppData\Local\Temp\bbhhhik.tmp

    Filesize

    4KB

    MD5

    e65d0630e7c3363eff81fd64109c3dac

    SHA1

    062d18f42ff35760bed198d51c1056a42c22bfba

    SHA256

    286db12cc30d8834f18cbc2d72aab3cbc8ab4c515dc8f4e124c82eaa61e4061d

    SHA512

    d4921c73729c5a00f9f2348d93cd0db827ea17cb45295f0f0b05d99597a241dab7703b674dd107e7a9d15854765b279af7d4f6b7ab8c44a1e658e361c63c0559

  • C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\Window Switcher.lnk

    Filesize

    64KB

    MD5

    fcd6bcb56c1689fcef28b57c22475bad

    SHA1

    1adc95bebe9eea8c112d40cd04ab7a8d75c4f961

    SHA256

    de2f256064a0af797747c2b97505dc0b9f3df0de4f489eac731c23ae9ca9cc31

    SHA512

    73e4153936dab198397b74ee9efc26093dda721eaab2f8d92786891153b45b04265a161b169c988edb0db2c53124607b6eaaa816559c5ce54f3dbc9fa6a7a4b2

  • C:\Windows\RtkSYUdp.exe

    Filesize

    30KB

    MD5

    d0cd586c5c857850a188e778b971f25a

    SHA1

    3f584fd89e41151c389b4701d876d2bdd2885fc2

    SHA256

    2f6cd2ed9806a09fecce1f96cd5b3f77fc0339ddbbb4c31aab25e85fd3f268eb

    SHA512

    995f539c7163e0e49c7cc4687dd29dac4ac88501410d8c9935f99d993b14bf5fe349cdcdc9f61d4f308c280536b54f54ae7d041565c73a2340881f68e7b2c41c

  • memory/404-0-0x0000000000400000-0x00000000004B5000-memory.dmp

    Filesize

    724KB

  • memory/404-1-0x0000000000C40000-0x0000000000C41000-memory.dmp

    Filesize

    4KB

  • memory/404-65-0x0000000000400000-0x00000000004B5000-memory.dmp

    Filesize

    724KB

  • memory/404-66-0x0000000000C40000-0x0000000000C41000-memory.dmp

    Filesize

    4KB

  • memory/456-40-0x0000000000400000-0x0000000000415000-memory.dmp

    Filesize

    84KB

  • memory/456-41-0x0000000000400000-0x0000000000415000-memory.dmp

    Filesize

    84KB

  • memory/4896-36-0x0000000000400000-0x0000000000415000-memory.dmp

    Filesize

    84KB

  • memory/4896-38-0x0000000000400000-0x0000000000415000-memory.dmp

    Filesize

    84KB