Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

7

a308028fe9...18.exe

windows7-x64

10

a308028fe9...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17/08/2024, 15:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a308028fe9c823d9bb024211413f129d_JaffaCakes118.exe

  • Size

    7.9MB

  • MD5

    a308028fe9c823d9bb024211413f129d

  • SHA1

    98c5d905b522e75720615bfc15cebe5e464ee6a3

  • SHA256

    2ea7eb4a63ec451f3683a5450a7e93ca96a60917a83e0ed081b2ee06095b9916

  • SHA512

    abfe7087b68e51bcc569e44850f5633c8d0125f39a7d171e2b6d9d58d5c0c156ac53e724ba403abe0dc5d3af63cb9f48e05a966f4e0b2d72575cea3d64d12e95

  • SSDEEP

    196608:i7effIPEsy58doQaTxLhQyZbIly38doQalArdfehQM2gsyVCQlXI1G8do8a888Fh:i7effIPEsy58doQaTxLhQyZbIly38do6

Score
10/10
adwarediscoverypersistencestealerupx

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Drops file in Drivers directory 4 IoCs
  • Sets service image path in registry 2 TTPs 3 IoCs
    persistence
  • ACProtect 1.3x - 1.4x DLL software 6 IoCs

    Detects file using ACProtect software.

  • Loads dropped DLL 3 IoCs
  • UPX packed file 15 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 12 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

    stealeradware
  • Modifies WinLogon 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 3 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a308028fe9c823d9bb024211413f129d_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\a308028fe9c823d9bb024211413f129d_JaffaCakes118.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Drops file in Drivers directory
    • Sets service image path in registry
    • Loads dropped DLL
    • Adds Run key to start application
    • Enumerates connected drives
    • Modifies WinLogon
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3680
    • C:\Users\Admin\AppData\Local\Temp\a308028fe9c823d9bb024211413f129d_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\a308028fe9c823d9bb024211413f129d_JaffaCakes118.exe
      2⤵
      • Enumerates connected drives
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4020
      • C:\Users\Admin\AppData\Local\Temp\a308028fe9c823d9bb024211413f129d_JaffaCakes118.exe
        C:\Users\Admin\AppData\Local\Temp\a308028fe9c823d9bb024211413f129d_JaffaCakes118.exe
        3⤵
        • Enumerates connected drives
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3588
        • C:\Users\Admin\AppData\Local\Temp\a308028fe9c823d9bb024211413f129d_JaffaCakes118.exe
          C:\Users\Admin\AppData\Local\Temp\a308028fe9c823d9bb024211413f129d_JaffaCakes118.exe
          4⤵
          • Drops file in Drivers directory
          • Sets service image path in registry
          • Loads dropped DLL
          • Adds Run key to start application
          • Enumerates connected drives
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:1360
      • C:\Users\Admin\AppData\Local\Temp\a308028fe9c823d9bb024211413f129d_JaffaCakes118.exe
        C:\Users\Admin\AppData\Local\Temp\a308028fe9c823d9bb024211413f129d_JaffaCakes118.exe
        3⤵
        • Enumerates connected drives
        PID:4864
    • C:\Windows\SysWOW64\reg.exe
      reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f
      2⤵
      • Installs/modifies Browser Helper Object
      • System Location Discovery: System Language Discovery
      PID:1668
    • C:\Users\Admin\AppData\Local\Temp\a308028fe9c823d9bb024211413f129d_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\a308028fe9c823d9bb024211413f129d_JaffaCakes118.exe
      2⤵
      • Drops file in Drivers directory
      • Sets service image path in registry
      • Loads dropped DLL
      • Adds Run key to start application
      • Enumerates connected drives
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:4604
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3680 -s 1832
      2⤵
      • Program crash
      PID:2308
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3680 -ip 3680
    1⤵
      PID:3444

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12
      Filesize

      1KB

      MD5

      7fb5fa1534dcf77f2125b2403b30a0ee

      SHA1

      365d96812a69ac0a4611ea4b70a3f306576cc3ea

      SHA256

      33a39e9ec2133230533a686ec43760026e014a3828c703707acbc150fe40fd6f

      SHA512

      a9279fd60505a1bfeef6fb07834cad0fd5be02fd405573fc1a5f59b991e9f88f5e81c32fe910f69bdc6585e71f02559895149eaf49c25b8ff955459fd60c0d2e

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8
      Filesize

      436B

      MD5

      971c514f84bba0785f80aa1c23edfd79

      SHA1

      732acea710a87530c6b08ecdf32a110d254a54c8

      SHA256

      f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895

      SHA512

      43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12
      Filesize

      174B

      MD5

      bc08458972b7a105b10493bb1b5c0912

      SHA1

      77db744abd2db9d4ffca53c5f29585f47f3f1bba

      SHA256

      dc14cd2c87b8ca4a3190d173fb422920e76251589f5dc536f3309b8eab228391

      SHA512

      876f909e158ad86448b93f8a694a75085059549456c6332325a80f105b4bb2315f28cb870a1e8f3f8d455ee5cba89a6da66389b971246fc944e60b2ae598f6a0

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8
      Filesize

      170B

      MD5

      43b47e621307a35c5e50701da911b328

      SHA1

      8afddb9e8ba3ec4955a5c1aec39a57731368b132

      SHA256

      418e152626c9ddb8fc4bcd65c31dcb7a5236b1c49593bb6ab26ce6e66bc96643

      SHA512

      d9d4a62fa968a539e613ea6dc5d66bde82e1ea77937b0cc0dca959a931e35f43f2f39b4ec6b0654ed7b2abe2f6820a47af7ba33a93e98adf90ad621c92069481

      Download Submit

    • C:\Users\Admin\Local Settings\Application Data\cftmon.exe
      Filesize

      7.9MB

      MD5

      0aec8db6ad3ae554e62b2a73b172521d

      SHA1

      0fdec429ae8768a2226c3099953e629e8a29adcb

      SHA256

      52347572f3f8b8282d8ef18a89419a644ff068de5bd024c699a0310cc56d483a

      SHA512

      96275afc56262e12f834c70fc86ff1961febf8cae57b80b5e52343e2495a6b207659f87e1b0b4c90c9fb0cafc9663f31aefd5dd3fe89d1d69927650764563869

      Download Submit

    • C:\Windows\SysWOW64\drivers\spools.exe
      Filesize

      7.9MB

      MD5

      ed33d9928784abaf5baf6bc992cf4c49

      SHA1

      49218e80a75c982140d8b56244b1389625ad18b6

      SHA256

      1a14b83327fd1c9edac67b665c8c829ba55ad234975169fabfff69f69b727730

      SHA512

      d9e3639e48d73f11b71118bd86609a2344c83c33908f8fb88aa780405abe35fe74e9241fe242591294bb3db2d39f430ca72ce31fb93266985795ab0a1702fe1c

      Download Submit

    • C:\Windows\SysWOW64\ftpdll.dll
      Filesize

      5KB

      MD5

      d807aa04480d1d149f7a4cac22984188

      SHA1

      ffd5be65fd10017e34c11cecd105ebf4aa6c0cd9

      SHA256

      eddf092d901afe128322910c3ff41a3f242d33d6b4cdf91ece327076b324ccbb

      SHA512

      875543583c20ab164f37a4fb2587d234ce0a15d649d22b0d1dae5933f0a7683db170578746ea4458c51fec26e2243c6ec00dc10db8d4289789e50d5800cf863e

      Download Submit

    • memory/1360-45-0x0000000010000000-0x000000001010B000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/1360-44-0x0000000000400000-0x0000000000426000-memory.dmp

      Filesize

      152KB

      Download

    • memory/1360-43-0x0000000010000000-0x000000001010B000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/3588-34-0x0000000000400000-0x0000000000426000-memory.dmp

      Filesize

      152KB

      Download

    • memory/3680-0-0x0000000000400000-0x0000000000426000-memory.dmp

      Filesize

      152KB

      Download

    • memory/3680-17-0x0000000000400000-0x0000000000426000-memory.dmp

      Filesize

      152KB

      Download

    • memory/3680-16-0x0000000010000000-0x000000001010B000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/3680-12-0x0000000010000000-0x000000001010B000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/4020-33-0x0000000000400000-0x0000000000426000-memory.dmp

      Filesize

      152KB

      Download

    • memory/4604-32-0x0000000000400000-0x0000000000426000-memory.dmp

      Filesize

      152KB

      Download

    • memory/4604-31-0x0000000010000000-0x000000001010B000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/4864-46-0x0000000000400000-0x0000000000426000-memory.dmp

      Filesize

      152KB

      Download