Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

8c5aba2468...18.exe

windows7-x64

10

8c5aba2468...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    126s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    11/08/2024, 23:10 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe

  • Size

    100KB

  • MD5

    8c5aba2468c0407e10d685178b8a9955

  • SHA1

    a62dc986113da484bc29ff3d706438d1d84c8783

  • SHA256

    45a388fcd3232331aa629fd23a5657162336a79b3a9c5c0af345b9a95d56c826

  • SHA512

    664d9592b6d6537518121777366e3d411edbfe719c4999ea9bbfed3cc780f9b0395da388e4289e94efa2523a0fb9ff30979460ad4d24882e7496a2e5d331e4c0

  • SSDEEP

    3072:p8rYUCvj0RDw7R34Q3tyIMgQrjC7RBOaZN59:MYWK5OP0Gabj

Score
10/10
salitybackdoordiscoveryevasiontrojanupx

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Signatures

  • Modifies firewall policy service 3 TTPs 3 IoCs
    evasion
  • Sality

    Sality is backdoor written in C++, first discovered in 2003.

    backdoorsality
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 6 IoCs
    evasiontrojan
  • UPX packed file 25 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Windows security modification 2 TTPs 7 IoCs
    evasiontrojan
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 2 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in Program Files directory 5 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious use of AdjustPrivilegeToken 28 IoCs
  • Suspicious use of WriteProcessMemory 52 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    1⤵
      PID:1108
    • C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      1⤵
        PID:1172
      • C:\Windows\Explorer.EXE
        C:\Windows\Explorer.EXE
        1⤵
          PID:1220
          • C:\Users\Admin\AppData\Local\Temp\8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe
            "C:\Users\Admin\AppData\Local\Temp\8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe"
            2⤵
            • Modifies firewall policy service
            • UAC bypass
            • Windows security bypass
            • Windows security modification
            • Checks whether UAC is enabled
            • Enumerates connected drives
            • Drops autorun.inf file
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            • System policy modification
            PID:2808
        • C:\Windows\system32\DllHost.exe
          C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
          1⤵
            PID:1920

          Network

          MITRE ATT&CK Enterprise v15

          Reconnaissance

          Resource Development

          Initial Access

          Replication Through Removable Media

          1
          T1091

          Execution

          Persistence

          Create or Modify System Process

          1
          T1543

          Windows Service

          1
          T1543.003

          Privilege Escalation

          Abuse Elevation Control Mechanism

          1
          T1548

          Bypass User Account Control

          1
          T1548.002

          Create or Modify System Process

          1
          T1543

          Windows Service

          1
          T1543.003

          Defense Evasion

          Abuse Elevation Control Mechanism

          1
          T1548

          Bypass User Account Control

          1
          T1548.002

          Impair Defenses

          4
          T1562

          Disable or Modify System Firewall

          1
          T1562.004

          Disable or Modify Tools

          3
          T1562.001

          Modify Registry

          5
          T1112

          Credential Access

          Discovery

          Peripheral Device Discovery

          1
          T1120

          Query Registry

          1
          T1012

          System Information Discovery

          3
          T1082

          System Location Discovery

          1
          T1614

          System Language Discovery

          1
          T1614.001

          Lateral Movement

          Replication Through Removable Media

          1
          T1091

          Collection

          Command and Control

          Exfiltration

          Impact

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • F:\ruiyct.exe
            Filesize

            100KB

            MD5

            1b61a91ca23731fa9d990c5fd26bcb51

            SHA1

            9edc1069ccabc8e47335c0b051f19d902be989e8

            SHA256

            8df49a6509cfb3341ca5db4c4135f0252e64afbdce1e8ed5cab4165040fb533f

            SHA512

            fc7a4213fcec19e4f0bb849e11c9ac135dad458a80069f07ba474e1e9f3a2a07d7f43e1d17eb5d6e931c6d22a537d71b011701cf0c79f09b5fef40fffb6e7838

            Download Submit

          • memory/1108-11-0x0000000001F90000-0x0000000001F92000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2808-30-0x0000000001D60000-0x0000000002DEE000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/2808-25-0x0000000001D60000-0x0000000002DEE000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/2808-7-0x0000000001D60000-0x0000000002DEE000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/2808-27-0x0000000002FA0000-0x0000000002FA2000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2808-9-0x0000000001D60000-0x0000000002DEE000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/2808-6-0x0000000001D60000-0x0000000002DEE000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/2808-26-0x0000000002FA0000-0x0000000002FA2000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2808-5-0x0000000001D60000-0x0000000002DEE000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/2808-3-0x0000000001D60000-0x0000000002DEE000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/2808-24-0x0000000003420000-0x0000000003421000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2808-22-0x0000000003420000-0x0000000003421000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2808-21-0x0000000002FA0000-0x0000000002FA2000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2808-8-0x0000000001D60000-0x0000000002DEE000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/2808-10-0x0000000001D60000-0x0000000002DEE000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/2808-28-0x0000000001D60000-0x0000000002DEE000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/2808-29-0x0000000001D60000-0x0000000002DEE000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/2808-32-0x0000000001D60000-0x0000000002DEE000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/2808-0-0x0000000000400000-0x0000000000413000-memory.dmp

            Filesize

            76KB

            Download

          • memory/2808-61-0x0000000001D60000-0x0000000002DEE000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/2808-34-0x0000000001D60000-0x0000000002DEE000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/2808-35-0x0000000001D60000-0x0000000002DEE000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/2808-37-0x0000000001D60000-0x0000000002DEE000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/2808-38-0x0000000001D60000-0x0000000002DEE000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/2808-41-0x0000000001D60000-0x0000000002DEE000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/2808-56-0x00000000002B0000-0x00000000002B2000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2808-55-0x0000000000530000-0x0000000000531000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2808-57-0x00000000002B0000-0x00000000002B2000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2808-59-0x0000000001D60000-0x0000000002DEE000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/2808-31-0x0000000001D60000-0x0000000002DEE000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/2808-63-0x0000000001D60000-0x0000000002DEE000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/2808-65-0x0000000001D60000-0x0000000002DEE000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/2808-66-0x0000000001D60000-0x0000000002DEE000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/2808-68-0x0000000001D60000-0x0000000002DEE000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/2808-89-0x0000000002FA0000-0x0000000002FA2000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2808-113-0x00000000002B0000-0x00000000002B2000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2808-4-0x0000000001D60000-0x0000000002DEE000-memory.dmp

            Filesize

            16.6MB

            Download

          We care about your privacy.

          This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.