Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

83ef1d7992...18.exe

windows7-x64

7

83ef1d7992...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    09/08/2024, 23:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    83ef1d799261ed45ad00488f7210639c_JaffaCakes118.exe

  • Size

    240KB

  • MD5

    83ef1d799261ed45ad00488f7210639c

  • SHA1

    71e28eb94341a1d8c77d159d95c72e1f3ea62705

  • SHA256

    9894be6e64187c5b681d5c0505b02d19926ff67ecce0f6f7bb4d94c28689b7e6

  • SHA512

    9cd5623190ab4f1f1f8daacd3ff80cb3e9b28b890f030b56659333a86c65246d22d962aae8aa8b0a86574fc707c96b2ca59d71253123209b6526c53ccd4f5ce2

  • SSDEEP

    6144:tZy5BoKvoyi7NGm9yCqSwDvQkqj+pyvBM790:jYe0LT0K8tj+Es0

Score
7/10
discoverypersistenceupx

Malware Config

Signatures

  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 6 IoCs
  • UPX packed file 23 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in System32 directory 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\83ef1d799261ed45ad00488f7210639c_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\83ef1d799261ed45ad00488f7210639c_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2372
    • C:\Users\Admin\AppData\Local\Temp\83ef1d799261ed45ad00488f7210639c_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\83ef1d799261ed45ad00488f7210639c_JaffaCakes118.exe"
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2960
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" "C:\Users\Admin\AppData\Local\Temp\83ef1d799261ed45ad00488f7210639c_JaffaCakes118.exe"
        3⤵
          PID:1012
        • C:\Users\Admin\AppData\Roaming\1.exe
          C:\Users\Admin\AppData\Roaming\1.exe
          3⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in System32 directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2556
          • C:\Windows\SysWOW64\svchost.exe
            "C:\Windows\System32\svchost.exe"
            4⤵
              PID:2816
            • C:\Windows\Svchost.exe
              C:\Windows\Svchost.exe
              4⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Adds Run key to start application
              • Drops file in System32 directory
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:2860
              • C:\Windows\SysWOW64\regsvr32.exe
                regsvr32 /s "C:\Windows\system32\mswinsck.ocx"
                5⤵
                • Loads dropped DLL
                • System Location Discovery: System Language Discovery
                • Modifies registry class
                PID:2908

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Windows\SysWOW64\mswinsck.ocx
        Filesize

        105KB

        MD5

        9484c04258830aa3c2f2a70eb041414c

        SHA1

        b242a4fb0e9dcf14cb51dc36027baff9a79cb823

        SHA256

        bf7e47c16d7e1c0e88534f4ef95e09d0fd821ed1a06b0d95a389b35364b63ff5

        SHA512

        9d0e9f0d88594746ba41ea4a61a53498619eda596e12d8ec37d01cfe8ceb08be13e3727c83d630a6d9e6d03066f62444bb94ea5a0d2ed9d21a270e612db532a0

        Download Submit

      • \Users\Admin\AppData\Roaming\1.exe
        Filesize

        150KB

        MD5

        8a6ae017f002a7d9bd39cc4755ee8771

        SHA1

        7de6f53904a48956f8e2ecf91c5dd20b9e7b46f5

        SHA256

        e97f9845b38daae0d5b495cee21afa8ca20476c4122523256ee44ddb79715356

        SHA512

        1b9253013afebe61a685470a508ebae409311f8230cb65182fc16d8ed68bbaa891edad0e1a36401d878c46044df203c715c5c47acb70290a278d71d3818b6662

        Download Submit

      • \Users\Admin\AppData\Roaming\kernel33.dll
        Filesize

        1.1MB

        MD5

        e14ba6a9464bed1127c50214acaf0c1a

        SHA1

        3eeda63ac8209ffa2e1beeefdde6531e61f8dc4d

        SHA256

        fd250c2054019c58dd71ac4469ee821b67dfa36a439091ad17969f6d4090da38

        SHA512

        55a7ad5ea8617e8066b2854556e54e1688c70d80b6921eab3020a1bb6cc741320f5f0d63cf067864505877e010d69caa2a7bff890dd037da7efbc3e679ab9c26

        Download Submit

      • \Windows\SysWOW64\zlib.dll
        Filesize

        27KB

        MD5

        200d52d81e9b4b05fa58ce5fbe511dba

        SHA1

        c0d809ee93816d87388ed4e7fd6fca93d70294d2

        SHA256

        d4fe89dc2e7775f4ef0dfc70ed6999b8f09635326e05e08a274d464d1814c617

        SHA512

        7b1df70d76855d65cf246051e7b9f7119720a695d41ace1eb00e45e93e6de80d083b953269166bdee7137dbd9f3e5681e36bb036f151cea383c10d82957f39c5

        Download Submit

      • memory/2556-51-0x0000000000400000-0x0000000000458000-memory.dmp

        Filesize

        352KB

        Download

      • memory/2556-33-0x0000000000400000-0x0000000000458000-memory.dmp

        Filesize

        352KB

        Download

      • memory/2860-77-0x0000000000400000-0x0000000000458000-memory.dmp

        Filesize

        352KB

        Download

      • memory/2860-79-0x0000000000400000-0x0000000000458000-memory.dmp

        Filesize

        352KB

        Download

      • memory/2860-93-0x0000000000400000-0x0000000000458000-memory.dmp

        Filesize

        352KB

        Download

      • memory/2860-91-0x0000000000400000-0x0000000000458000-memory.dmp

        Filesize

        352KB

        Download

      • memory/2860-89-0x0000000000400000-0x0000000000458000-memory.dmp

        Filesize

        352KB

        Download

      • memory/2860-87-0x0000000000400000-0x0000000000458000-memory.dmp

        Filesize

        352KB

        Download

      • memory/2860-60-0x0000000010000000-0x0000000010014000-memory.dmp

        Filesize

        80KB

        Download

      • memory/2860-85-0x0000000000400000-0x0000000000458000-memory.dmp

        Filesize

        352KB

        Download

      • memory/2860-57-0x0000000000400000-0x0000000000458000-memory.dmp

        Filesize

        352KB

        Download

      • memory/2860-83-0x0000000000400000-0x0000000000458000-memory.dmp

        Filesize

        352KB

        Download

      • memory/2860-81-0x0000000000400000-0x0000000000458000-memory.dmp

        Filesize

        352KB

        Download

      • memory/2860-67-0x0000000010000000-0x0000000010014000-memory.dmp

        Filesize

        80KB

        Download

      • memory/2860-66-0x0000000000400000-0x0000000000458000-memory.dmp

        Filesize

        352KB

        Download

      • memory/2860-68-0x0000000000400000-0x0000000000458000-memory.dmp

        Filesize

        352KB

        Download

      • memory/2860-70-0x0000000000400000-0x0000000000458000-memory.dmp

        Filesize

        352KB

        Download

      • memory/2860-71-0x0000000000400000-0x0000000000458000-memory.dmp

        Filesize

        352KB

        Download

      • memory/2860-73-0x0000000000400000-0x0000000000458000-memory.dmp

        Filesize

        352KB

        Download

      • memory/2860-75-0x0000000000400000-0x0000000000458000-memory.dmp

        Filesize

        352KB

        Download

      • memory/2960-2-0x0000000000400000-0x000000000042D000-memory.dmp

        Filesize

        180KB

        Download

      • memory/2960-12-0x0000000000400000-0x000000000042D000-memory.dmp

        Filesize

        180KB

        Download

      • memory/2960-10-0x0000000000400000-0x000000000042D000-memory.dmp

        Filesize

        180KB

        Download

      • memory/2960-8-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2960-6-0x0000000000400000-0x000000000042D000-memory.dmp

        Filesize

        180KB

        Download

      • memory/2960-39-0x0000000000400000-0x000000000042D000-memory.dmp

        Filesize

        180KB

        Download

      • memory/2960-32-0x0000000000370000-0x00000000003C8000-memory.dmp

        Filesize

        352KB

        Download

      • memory/2960-4-0x0000000000400000-0x000000000042D000-memory.dmp

        Filesize

        180KB

        Download

      • memory/2960-26-0x0000000000370000-0x00000000003C8000-memory.dmp

        Filesize

        352KB

        Download