Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

8daa8d5d9e...18.exe

windows7-x64

10

8daa8d5d9e...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    12/08/2024, 06:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8daa8d5d9ee0fbf93fdf60435d60d0d3_JaffaCakes118.exe

  • Size

    460KB

  • MD5

    8daa8d5d9ee0fbf93fdf60435d60d0d3

  • SHA1

    6bab26b5931fb3127ec12c85c311c1aea248d3f6

  • SHA256

    927da89a8d07a6c470479e23f8716a960d66ed84388a5c8ac4c752087074feed

  • SHA512

    9ebd580fc68b94cfb6f457601c3323ea249285cc84d91fb52d82b785c27b0c48e64b39d41f00180172a53629f203ae7f12d6d572d98901160c49d3d5d99e85b8

  • SSDEEP

    12288:rlSt6oIHNOhU5O5TYo4XqTig5GSR9CClDDL:rlSt69HNx6T/5xT

Score
10/10
discoveryevasionpersistenceupx

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Deletes itself 1 IoCs
  • Executes dropped EXE 7 IoCs
  • Loads dropped DLL 10 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 53 IoCs
    persistence
  • Drops desktop.ini file(s) 2 IoCs
  • Enumerates processes with tasklist 1 TTPs 2 IoCs
    discovery
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 52 IoCs

Processes

  • C:\Windows\system32\csrss.exe
    %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
    1⤵
    • Executes dropped EXE
    • Drops desktop.ini file(s)
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:332
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs
    1⤵
      PID:856
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
        PID:1216
        • C:\Users\Admin\AppData\Local\Temp\8daa8d5d9ee0fbf93fdf60435d60d0d3_JaffaCakes118.exe
          "C:\Users\Admin\AppData\Local\Temp\8daa8d5d9ee0fbf93fdf60435d60d0d3_JaffaCakes118.exe"
          2⤵
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3020
          • C:\Users\Admin\iBdqphzke5.exe
            C:\Users\Admin\iBdqphzke5.exe
            3⤵
            • Modifies visiblity of hidden/system files in Explorer
            • Executes dropped EXE
            • Loads dropped DLL
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2564
            • C:\Users\Admin\raegik.exe
              "C:\Users\Admin\raegik.exe"
              4⤵
              • Modifies visiblity of hidden/system files in Explorer
              • Executes dropped EXE
              • Adds Run key to start application
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of SetWindowsHookEx
              PID:2204
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /c tasklist&&del iBdqphzke5.exe
              4⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:2832
              • C:\Windows\SysWOW64\tasklist.exe
                tasklist
                5⤵
                • Enumerates processes with tasklist
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                PID:2876
          • C:\Users\Admin\astat.exe
            C:\Users\Admin\astat.exe
            3⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2980
            • C:\Users\Admin\astat.exe
              "C:\Users\Admin\astat.exe"
              4⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              PID:2104
          • C:\Users\Admin\dstat.exe
            C:\Users\Admin\dstat.exe
            3⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:2644
          • C:\Users\Admin\fstat.exe
            C:\Users\Admin\fstat.exe
            3⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:484
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe"
              4⤵
              • System Location Discovery: System Language Discovery
              PID:2228
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c tasklist&&del 8daa8d5d9ee0fbf93fdf60435d60d0d3_JaffaCakes118.exe
            3⤵
            • Deletes itself
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1408
            • C:\Windows\SysWOW64\tasklist.exe
              tasklist
              4⤵
              • Enumerates processes with tasklist
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              PID:2920

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\astat.exe
        Filesize

        60KB

        MD5

        87c6498966e3f85fac743c89050aa312

        SHA1

        05c165c34cbfa14e4925c33ace81992b0f50a2b5

        SHA256

        30c8328585e41968aff773da16cedbe590dcefd293c7fa74a69c557ecbf2c3c5

        SHA512

        740f7159ee78f73e57c92e583b8c4f97c5dd49b68b9c321da976d7e318819daa28e8dfc76e95e1e3ccee643dc464324c40b481d1849863e287d826adb577b420

        Download Submit

      • C:\Users\Admin\dstat.exe
        Filesize

        36KB

        MD5

        b6da847084e39e0cecf175c32c91b4bb

        SHA1

        fbfd9494fabed5220cdf01866ff088fe7adc535b

        SHA256

        065781e8a55cf59cb926d5950e0039e19b50b1e081023404fbff4d7a32fc9cbe

        SHA512

        59d372ea36904cd48c99f2f34740c22004b35c5e5dada2417813b0463292af19e4aa5ba4552cc443da373e40ba03a1f7906019a567806806f5972c202a31d9d2

        Download Submit

      • C:\Windows\system32\consrv.dll
        Filesize

        53KB

        MD5

        4d7cde615a0f534bd5e359951829554b

        SHA1

        c885d00d9000f2a5dbc78f6193a052b36f4fe968

        SHA256

        414fdf9bdcae5136c1295d6d24740c50a484acd81f1f7d0fb5d5c138607cb80a

        SHA512

        33d632f9fbb694440a1ca568c90518784278efd1dc9ee2b57028149d56ebe1f7346d5b59dcfafee2eeaa10091dda05f48958e909d6bfc891e037ae1cfbd048d4

        Download Submit

      • \??\globalroot\systemroot\assembly\temp\@
        Filesize

        2KB

        MD5

        4c7ba3b0cd39116197e27064c6be2f43

        SHA1

        0d282605329b5ca257ee6385b7099d7da6797571

        SHA256

        e2f10148b6f7a81fc386c44c97fba9afcf69bcd290f4767045979eea3f05abff

        SHA512

        9ea2ccf083d44041c6afbdb6d8f76443b07fbf88a62468914200506a224ff8663368611c916b5442725dfb20a4a0949bd43efef650f95c64a06e438142550371

        Download Submit

      • \Users\Admin\fstat.exe
        Filesize

        271KB

        MD5

        34353cf7e1d1b10bcbbcae0745110535

        SHA1

        2fb471681daac6f6d66477b7772025da4f58c508

        SHA256

        b2d7a66e2d10d8943e48d6f3ad75237ff379e82ab0101a620406c4569be1d959

        SHA512

        7404f82abfabd21d6f2a88b55f6f0ff886bb0a1f16a9d45c6883d74daa26451f862a10a78646c549c3a3264ba4bd9fb44949d470493af895973dd05a0ec311e6

        Download Submit

      • \Users\Admin\iBdqphzke5.exe
        Filesize

        244KB

        MD5

        a4cdb62cf4866a17e742e7e9cc73d237

        SHA1

        30d94f8e872455ac569949ac4c768d0a0cdfbba7

        SHA256

        c741d649bf5b72fbe97470820ce994ce29b153baae14af10c3a2a9adc3098b32

        SHA512

        c4447f95565d3e5dc0ef7712382325280bedf127ac682f85f4043b586afb4188633f2c73277595eb31fe45d992107492f42c82a71f448286a9cb8fac4bfb3671

        Download Submit

      • \Users\Admin\raegik.exe
        Filesize

        244KB

        MD5

        85dd5a0a0cb20e82443b1ddd1acfafcb

        SHA1

        db7da279a14c021213b4c3abb06a1e23180d7e9e

        SHA256

        256d4782f837b6d9842f465ee31aff087b263abf0c5a3d612d76c69721c13692

        SHA512

        409e8c887d61163b1ac98f20856ca6d494bd75bdab04f08676a40f86b1b990008ac8aebb995cb98c9584933bc950861f14eb34d4ad8d43da3c0a863445572027

        Download Submit

      • memory/332-118-0x0000000000E70000-0x0000000000E82000-memory.dmp

        Filesize

        72KB

        Download

      • memory/332-107-0x0000000000E70000-0x0000000000E82000-memory.dmp

        Filesize

        72KB

        Download

      • memory/484-82-0x00000000029E0000-0x0000000002A1D000-memory.dmp

        Filesize

        244KB

        Download

      • memory/484-92-0x00000000029E0000-0x0000000002A1D000-memory.dmp

        Filesize

        244KB

        Download

      • memory/484-111-0x0000000000400000-0x0000000000446000-memory.dmp

        Filesize

        280KB

        Download

      • memory/484-91-0x00000000029E0000-0x0000000002A1D000-memory.dmp

        Filesize

        244KB

        Download

      • memory/484-90-0x00000000029E0000-0x0000000002A1D000-memory.dmp

        Filesize

        244KB

        Download

      • memory/484-88-0x00000000029E0000-0x0000000002A1D000-memory.dmp

        Filesize

        244KB

        Download

      • memory/484-85-0x00000000029E0000-0x0000000002A1D000-memory.dmp

        Filesize

        244KB

        Download

      • memory/484-89-0x00000000029E0000-0x0000000002A1D000-memory.dmp

        Filesize

        244KB

        Download

      • memory/856-129-0x0000000000BE0000-0x0000000000BEB000-memory.dmp

        Filesize

        44KB

        Download

      • memory/856-120-0x0000000000BD0000-0x0000000000BDB000-memory.dmp

        Filesize

        44KB

        Download

      • memory/856-124-0x0000000000BD0000-0x0000000000BDB000-memory.dmp

        Filesize

        44KB

        Download

      • memory/856-128-0x0000000000BD0000-0x0000000000BDB000-memory.dmp

        Filesize

        44KB

        Download

      • memory/1216-101-0x0000000002590000-0x0000000002596000-memory.dmp

        Filesize

        24KB

        Download

      • memory/1216-97-0x0000000002590000-0x0000000002596000-memory.dmp

        Filesize

        24KB

        Download

      • memory/1216-93-0x0000000002590000-0x0000000002596000-memory.dmp

        Filesize

        24KB

        Download

      • memory/2104-39-0x0000000000400000-0x000000000040E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/2104-41-0x0000000000400000-0x000000000040E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/2104-50-0x0000000000400000-0x000000000040E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/2104-43-0x0000000000400000-0x000000000040E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/2104-49-0x0000000000400000-0x000000000040E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/2104-51-0x0000000000400000-0x000000000040E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/2104-52-0x0000000000400000-0x000000000040E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/2104-45-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2564-28-0x0000000003AE0000-0x000000000459A000-memory.dmp

        Filesize

        10.7MB

        Download