Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

8891f4022f...18.exe

windows7-x64

7

8891f4022f...18.exe

windows10-2004-x64

7

$PLUGINSDI...er.dll

windows7-x64

3

$PLUGINSDI...er.dll

windows10-2004-x64

3

FunshionInstall.exe

windows7-x64

7

FunshionInstall.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    145s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/08/2024, 02:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8891f4022ff23fbf7e4c783ecb318b46_JaffaCakes118.exe

  • Size

    1.3MB

  • MD5

    8891f4022ff23fbf7e4c783ecb318b46

  • SHA1

    86a70dfca73d529d95c39418df80376b1e29de02

  • SHA256

    ef35ac2b2e72a54b987a95682fc47faaa06ad0e93520e8122e933702dfdb117c

  • SHA512

    b081a397077ed18e1c3fc6f0ffcbdae9282310db6d6483f32a8c37006ffe166bb265c2c6dcb20acff5a597c3b8785103091a7d6e21be301c6ab2cb5b736dbe9a

  • SSDEEP

    24576:/RXutlSbt0UXW7ISMBG4ywCv0GRxrwaL8vHy3MGC:/kg+b7uIxwaLOS3Mx

Score
7/10
discoveryupx

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 8 IoCs
  • Loads dropped DLL 7 IoCs
  • UPX packed file 13 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • AutoIT Executable 9 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 22 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • NSIS installer 2 IoCs
    installer
  • Modifies Internet Explorer settings 1 TTPs 61 IoCs
    adwarespyware
  • Runs .reg file with regedit 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 46 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8891f4022ff23fbf7e4c783ecb318b46_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\8891f4022ff23fbf7e4c783ecb318b46_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1036
    • C:\Windows\SysWOW64\fzluc\FunshionInstall.exe
      C:\Windows\system32\fzluc\FunshionInstall.exe
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:808
      • C:\Windows\SysWOW64\msn054.exe
        "C:\Windows\system32\msn054.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3948
        • C:\Users\Admin\AppData\Local\Temp\6.exe
          "C:\Users\Admin\AppData\Local\Temp\6.exe" 7854
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          PID:4724
      • C:\Windows\SysWOW64\66.exe
        "C:\Windows\system32\66.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1280
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\66.bat" "
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1900
          • C:\Windows\SysWOW64\regedit.exe
            regedit /s 66.reg
            5⤵
            • System Location Discovery: System Language Discovery
            • Runs .reg file with regedit
            PID:1488
      • C:\Windows\SysWOW64\cfkk.exe
        "C:\Windows\system32\cfkk.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4596
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" http://www.fzluc.com/explorer.htm
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4448
          • C:\Program Files\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.fzluc.com/explorer.htm
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:4912
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4912 CREDAT:17410 /prefetch:2
              6⤵
              • System Location Discovery: System Language Discovery
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:2776
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" http://www.2d2d.net/qq.htm
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3332
          • C:\Program Files\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.2d2d.net/qq.htm
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:4528
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4528 CREDAT:17410 /prefetch:2
              6⤵
              • System Location Discovery: System Language Discovery
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:992
        • C:\Windows\SysWOW64\coopen_setup_100067.exe
          coopen_setup_100067.exe
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          PID:3244
      • C:\Windows\SysWOW64\p.exe
        "C:\Windows\system32\p.exe"
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:4452
      • C:\Windows\SysWOW64\z.exe
        "C:\Windows\system32\z.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:1588

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{E8134084-5785-11EF-8D5B-5E50324ADEFE}.dat
    Filesize

    4KB

    MD5

    230a4d147a770ec837e627302f18a9ec

    SHA1

    5b35c3328664914990501ce85e1a86a4837aa895

    SHA256

    0dc5432c374a24061059544cf3adc474d51f7f7ef542b5d866480a534305a4dc

    SHA512

    183fae0eb3b2185f54b63b10933434260cc194690bb386ffc838f3aa1474293f2c3b029d9dade36d4716dc4c73c64f6d4fae0d59b360886e1534bc0081909000

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{E8136794-5785-11EF-8D5B-5E50324ADEFE}.dat
    Filesize

    5KB

    MD5

    0f188e3adf949c74e7ac0c24cbc12e4f

    SHA1

    2613e279afc225f97d41f76cb1eb551752e01664

    SHA256

    481e85f78de024642fcfabe24b41b789b15567e60b218bdb1362ce634a681726

    SHA512

    71b734c96efe7a70916d44d452191d38d6ae2585e6bbd53dcdb5c862959176417efaddfed617ff4646a940c039eb14ef719d49ec75db86fe52fac8c2d451a359

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver2C1C.tmp
    Filesize

    15KB

    MD5

    1a545d0052b581fbb2ab4c52133846bc

    SHA1

    62f3266a9b9925cd6d98658b92adec673cbe3dd3

    SHA256

    557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

    SHA512

    bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\B9AWTLKS\suggestions[1].en-US
    Filesize

    17KB

    MD5

    5a34cb996293fde2cb7a4ac89587393a

    SHA1

    3c96c993500690d1a77873cd62bc639b3a10653f

    SHA256

    c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

    SHA512

    e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\6.exe
    Filesize

    53KB

    MD5

    0aa2eeba570f7fae09c21d5bc1a5ad55

    SHA1

    add5347a2472a20aa2ce287fe26fbbdf0f6a40c0

    SHA256

    8ad94ac212ba3d41195ea105478eb4a6cd134bfc1ad6a608b1a7c469293d1d70

    SHA512

    1c2f617372c680110bbb9dc92d9c4163433c2e774625f45104dd2a2ed1f7b5dbf4a0876817da0f3a3247db06630cd32a3ee452bf67d98dae96712a947abadf1e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nsa7978.tmp\Banner.dll
    Filesize

    4KB

    MD5

    5ce60830e6db34a33f12be5018b21ca2

    SHA1

    1a4f855b358884d0c67053ec606a5a68aadf75b8

    SHA256

    8a039174ce882841a97df0871f94e22ebfc5111ac614eb05baf10cd1fd5d8c1a

    SHA512

    e6590fc8c365e98c6eb59ffcfab6931423b0603ec68b5c10f38004b879c5f3af3ee05d89b88f6fc480236abc9af4945e3146e9017bbd94ca8deac02145b7d903

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nsg7CA3.tmp\System.dll
    Filesize

    10KB

    MD5

    bf01b2d04e8fad306ba2f364cfc4edfa

    SHA1

    58f42b45ca9fc1818c4498ecd8bac088d20f2b18

    SHA256

    d3f9c99e0c1c9acd81a1b33bc3dbd305140def90d10485c253cf1d455f0dc903

    SHA512

    30ca1663d659c5efac7fed3d1aaba81c47d5d5fda77f30f021124c882b858732e17f917bfd0aa3ee7b269fad86e75b1b9388d8f916e7a4e2c9961669f2c772e7

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nsq7C46.tmp\System.dll
    Filesize

    9KB

    MD5

    afd989ef7eec6bf952bedfce541fe236

    SHA1

    5654b71c5b1089c2cec6381d8da5bd14a14e1a37

    SHA256

    5e97602008ba004c72d58f71e77ffe0a0ea01103867eb12a9ec0f28e72f440d8

    SHA512

    f4e3d88477d39218667dd482a08904b2b69435db7d1fdd492380544aff83895d393a288c329da69074b69c68f51db45f694dfea81fc12fa2042ed43b3d06440c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nsyB5E4.tmp\InstallOptions.dll
    Filesize

    12KB

    MD5

    08c82a46416a5e2b471d457968f53816

    SHA1

    3e3897c20b9e89b279b4764a633f67955bf8f09a

    SHA256

    435baf3b7282c9110697a4916834ef9371dd29fae6b4cb8e19c19eb126562dc9

    SHA512

    91e2055b91d04b2348a923cb298ac6ba3637de5038dc4f849c4d2f1665d17de9cd6eb6a97d42d0f894d65348c8fd8e79cd61b667ea5a78e8960347e8cc8db81d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nsyB5E4.tmp\System.dll
    Filesize

    10KB

    MD5

    61151aff8c92ca17b3fab51ce1ca7156

    SHA1

    68a02015863c2877a20c27da45704028dbaa7eff

    SHA256

    af15ef6479e5ac5752d139d1c477ec02def9077df897dadc8297005b3fc4999d

    SHA512

    4f5c943b7058910dc635bdcfadfea1d369c3d645239d1a52b030c21f43aac8e76549e52fd28e38ba5341d32aefe3c090dd8377d9e105ad77f71ab8870d8e326e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nsyB5E4.tmp\ioSpecial.ini
    Filesize

    613B

    MD5

    b554497fc4d1c48c7df8b5b42a4c210f

    SHA1

    9588c79c6a6968a6a9a9ee47714fba4fbe323152

    SHA256

    39e11d5ba14d0158333d9d4bdb61cbfd72db37ea183ee31e99c8220ae6ef410c

    SHA512

    42cb84d59d652c968eef920e0e88b3d263df5824771ed6d5419cadb7dd7ec1b11eb4b02135d39c9916d6c0f206d54e153c758592dc03a20f4645fdce6bce9633

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nsyB5E4.tmp\ioSpecial.ini
    Filesize

    649B

    MD5

    7cff6a01ff7e1cb0abc31db676cb06f4

    SHA1

    423dd9df3c3042e38c79cfaa6f84cb3dee6ddbdb

    SHA256

    2e719cc0b168009d7f4ebd1243b9f09df66aaf01bd2bb8a31d0f84ab59a8f73a

    SHA512

    9615ab6a8ac6b82250029188918f2cd75f576d7cb6f878d765c6d464779bec9e5c79da2a814efc5a11781cd5535a20edbfe3c77d1d592cb012686903f6133d68

    Download Submit

  • C:\Windows\SysWOW64\66.bat
    Filesize

    35B

    MD5

    25cbf5fe338535de8ee41ad00521c85d

    SHA1

    974402d7af3ff2d99ce761ddac6936ece0d5f1fe

    SHA256

    97bdb7035decc3eaaaee49e9c0cfaf938a8bf7cb18829e6aa64b08ba1e5fb8dc

    SHA512

    1e867c9e3207eb7ddc962e19656ae36cef5ace44cd5be482df656dec69d70c8a485266b0e7d392e7fe85271faf8639bf0516b7a9827740b710f90cf94af33f68

    Download Submit

  • C:\Windows\SysWOW64\66.exe
    Filesize

    107KB

    MD5

    48ebcf8e1fb241b1606503681db0929c

    SHA1

    181cdafb12492006328d44005e0176b0d5dcd659

    SHA256

    8bc4dfec55f068786bed2a1823947c1bb69e92500105efc7ad7fe03aa1217e42

    SHA512

    9cd2109a353c72b304dd63f4dac0b2a00aa931d32112af6fdff569fe6d0b408dbbc0ab2504a4cecc15cfcc3d6e5fa5da1ab6e4ddae893252593315f5e2e553de

    Download Submit

  • C:\Windows\SysWOW64\cfkk.exe
    Filesize

    250KB

    MD5

    98d1fec11a0aecbc609b6e4f54605806

    SHA1

    917e92c53496be174c3e7954d0035db5cd362acb

    SHA256

    6c6911528124c524b77eba811c5e4e6783043daf138a19e17da68ea089debc62

    SHA512

    8a62552b7ed0305ad955dd688aae8cb6c94c08f2dae7a004fa96fa834a1dcea5f0c9814a44686a719336e1a10be1f1e1ad11ca4e27657aacf253cf5b123ae99c

    Download Submit

  • C:\Windows\SysWOW64\coopen_setup_100067.exe
    Filesize

    914KB

    MD5

    0ed46aa6a317bf47a58ab95cc6761e93

    SHA1

    8f8bbebdf82c90748c7edc24a98b6390af6dd222

    SHA256

    6ccc49b0d7c51a5d5bd95ab775d4f2047af0d3358396cf603f04bba28ab6a2a5

    SHA512

    072706ac2790ab418c8e7c5d748a489a228ad63ff025e905d3ca29038ac7a9f9e816e254274067ff0b31cc64e8ed826ea226a5bdc0262a9254f48e6007aff244

    Download Submit

  • C:\Windows\SysWOW64\fzluc\FunshionInstall.exe
    Filesize

    1.8MB

    MD5

    246f26a450102b53e87f360c6c328f66

    SHA1

    fa8f3a51d31b785c7865771fe78c1287f324b35a

    SHA256

    ae36ddd69548deb664d26a0e2a800af4b01a04d13ea3e1b997da14c4a365c0b7

    SHA512

    daff81fce5b947ec1ef7c336ad04da9556cb7fafc07d81408aaacedf2e41c398eaa4c2e2de9a076244a6812e9033db6426c2954d03008d0d857c55857ea7e7a7

    Download Submit

  • C:\Windows\SysWOW64\msn054.exe
    Filesize

    83KB

    MD5

    d7d65643b8a2fac2f2ef6d8cb3d0a394

    SHA1

    d4de8ef24f80a7182c3bc3075a5d5d5c08996951

    SHA256

    6e4378b059b9a06e60b1d4692a7db8b27eebb612a736cdf6d24f2ec11ce5352d

    SHA512

    1859244869b1ec338e2faef6d0682a1f1cc6da913cf5e215c544b0c861a5daa6669ec22b2a40e05e16c63925a63c9c5065c1383f6505900748eac0d6b4fb814d

    Download Submit

  • C:\Windows\SysWOW64\p.exe
    Filesize

    250KB

    MD5

    93df99ebeeb59896f862837c105c7659

    SHA1

    9cd0cf39ac2cd61a9a258cca6f3cef3379c22372

    SHA256

    44d0be642cec26515473ad39a15f62dfb25efd5ab94a6b5e115d759b6338b7b7

    SHA512

    b3a672878241bddc1c59cee4bcf16c9d437c721819a3a4e1c2f0db1b015847f9e85dec19570a83d2aa0a53afc57f1a26e42774a6d3ed3174d2d429594dc0f956

    Download Submit

  • C:\Windows\SysWOW64\z.exe
    Filesize

    250KB

    MD5

    473801e9358ff5969ae840566001f278

    SHA1

    8593d24e6ac4069b58575b27e99c7a3db9c1d82f

    SHA256

    cd00ea08b6966175f31e1f95fb20c8c8b5040018773c608981bfbf4e35ec415c

    SHA512

    3672a5f0164635d64b1b4dcf18b10170f5641c53c60b10588ac4160e1a5565c563cdc9539e998f2839557afc0c1a8933ee6d13e22309ac8470fc91aad5b5f91b

    Download Submit

  • memory/808-209-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

    Download

  • memory/808-76-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

    Download

  • memory/1280-75-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

    Download

  • memory/1588-208-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

    Download

  • memory/1588-109-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

    Download

  • memory/1588-257-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

    Download

  • memory/1588-261-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

    Download

  • memory/4452-207-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

    Download

  • memory/4452-242-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

    Download

  • memory/4452-245-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

    Download

  • memory/4452-105-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

    Download

  • memory/4596-206-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

    Download

  • memory/4596-94-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

    Download