Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    27/07/2024, 12:36

General

  • Target

    783b7ef48c143c666f9fcb4dd739dcab_JaffaCakes118.exe

  • Size

    76KB

  • MD5

    783b7ef48c143c666f9fcb4dd739dcab

  • SHA1

    2bad918412e368abded112374f73e740801824ea

  • SHA256

    aef2c9cd0e13058d9df670b898c3f2b85467c403dac2eeb4ac73cc33efa7ec26

  • SHA512

    0c44116ea662bc195e3362641aee93e17264eea52ce7599ec8894cec620d95ba7a93c9695dcd37af20f91af23ddd7ad2a8e9a71ec6fd3bbdcdd31f19ee981c3d

  • SSDEEP

    1536:fweqbQV6iz9dbIgc//////ChYg4c3LaOywAfd3PDcCgqjw0JVfPsxz2wjV:f6U6ynkgc//////C6c+OyDBTtvcB

Malware Config

Signatures

  • Disables service(s) 3 TTPs
  • Executes dropped EXE 1 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Launches sc.exe 4 IoCs

    Sc.exe is a Windows utility used to control services on the system.

  • System Location Discovery: System Language Discovery 1 TTPs 29 IoCs

    Attempts to gather information about the system language of a victim host in order to infer its geographical location.

  • Kills process with taskkill 8 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 28 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 22 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\783b7ef48c143c666f9fcb4dd739dcab_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\783b7ef48c143c666f9fcb4dd739dcab_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4636
    • C:\Windows\SysWOW64\net.exe
      net stop "Security Center"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2556
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "Security Center"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2984
    • C:\Windows\SysWOW64\net.exe
      net stop "Windows Firewall/Internet Connection Sharing (ICS)
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4028
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)
        3⤵
        • System Location Discovery: System Language Discovery
        PID:208
    • C:\Windows\SysWOW64\Net.exe
      Net stop System Restore Service
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2644
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop System Restore Service
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1496
    • C:\Windows\SysWOW64\sc.exe
      sc config ekrn start= disabled
      2⤵
      • Launches sc.exe
      • System Location Discovery: System Language Discovery
      PID:3532
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /im ekrn.exe /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2612
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /im egui.exe /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4312
    • C:\Windows\SysWOW64\sc.exe
      sc config NOD32krn start= disabled
      2⤵
      • Launches sc.exe
      • System Location Discovery: System Language Discovery
      PID:1688
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /im nod32krn.exe /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2012
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /im nod32kui.exe /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4808
    • C:\Windows\SysWOW64\net.exe
      net stop "Security Center"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4588
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "Security Center"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4012
    • C:\Windows\SysWOW64\net.exe
      net stop "Windows Firewall/Internet Connection Sharing (ICS)
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2124
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2224
    • C:\Windows\SysWOW64\Net.exe
      Net stop System Restore Service
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4348
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop System Restore Service
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2304
    • C:\Windows\SysWOW64\sc.exe
      sc config ekrn start= disabled
      2⤵
      • Launches sc.exe
      • System Location Discovery: System Language Discovery
      PID:4732
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /im ekrn.exe /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:716
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /im egui.exe /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:3076
    • C:\Windows\SysWOW64\sc.exe
      sc config NOD32krn start= disabled
      2⤵
      • Launches sc.exe
      • System Location Discovery: System Language Discovery
      PID:1584
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /im nod32krn.exe /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1332
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /im nod32kui.exe /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1652
    • C:\Users\Admin\AppData\Local\Temp\SETUP.EXE
      C:\Users\Admin\AppData\Local\Temp\SETUP.EXE
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3056
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c c:\_uninsep.bat
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4616
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c c:\_uninsep.bat
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1644
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c del C:\NTDUBECT.EXE
      2⤵
      • System Location Discovery: System Language Discovery
      PID:208

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\SETUP.EXE

    Filesize

    10KB

    MD5

    2b6d4988f6ee560e6b55c2e0f60b9edc

    SHA1

    47d74390150386fdd2a6afc90c49bd4f00dffda2

    SHA256

    d7be7452d1ab413ce22504f85dd043b256b56e624543753001d11c2e437fdbe3

    SHA512

    bb06039f27ec3fbb3d0ff020a219e8f4a0ea4e3db0472f673a9eea683a85cf365ad1ddbee7279a972395769fc9b4be4c3db701a3470de819480ba9e286871af3

  • \??\c:\_uninsep.bat

    Filesize

    128B

    MD5

    518f996fb53ecd3d3748db8708c21908

    SHA1

    4c8834441fdcb4898d9d0607e9a9dfd2477a8bfa

    SHA256

    3770f9b5c752a17164ac0a8d361b01862ab186c2732cb659ce2519280bec79d4

    SHA512

    7ac8e8066ceefebf7dfd83ce877461a45ae0b1802883ae7b319c5b756cc65a4a58814370d381ec97338a9c18f49bf7966430f6d72ff2e27d6b844a56edfab6c4

  • memory/4636-0-0x0000000008000000-0x000000000801B395-memory.dmp

    Filesize

    108KB

  • memory/4636-10-0x0000000008000000-0x000000000801B395-memory.dmp

    Filesize

    108KB