Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

7

a648da1b92...18.exe

windows7-x64

10

a648da1b92...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    131s
  • max time network
    134s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    18/08/2024, 09:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a648da1b92d2e19564da7141abd6a568_JaffaCakes118.exe

  • Size

    138KB

  • MD5

    a648da1b92d2e19564da7141abd6a568

  • SHA1

    76c8d878b4e6b5fadaea382a2eb910c1608fd1de

  • SHA256

    c7d5ccb45fb3d0fa4b91ae0123c3443975769176aa15ccc24def13d6dd8e812d

  • SHA512

    eb0ae9f673356ddf4dd692cfe9ff037a4614d83f5d132f766fd4a0750b548d7b3ba92cf38a1c73f4d150f2387cf20d5dc5e063ae6d1cbab553eb0e96174e61db

  • SSDEEP

    1536:icZdCROWxp1sYEPKJ8q5LLF6n1DDE+IwL2cPj7qEYa9YzeGwf1dP0unZnouy8:iwCcWxp1R5hLsDE+52UqER+gTdJout

Score
10/10
discoveryevasionexecutionpersistenceupx

Malware Config

Signatures

  • Disables service(s) 3 TTPs
    evasionexecution
  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in Drivers directory 1 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 4 IoCs
  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in System32 directory 2 IoCs
  • Launches sc.exe 8 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • System Location Discovery: System Language Discovery 1 TTPs 29 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
    adwarespyware
  • Runs net.exe
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a648da1b92d2e19564da7141abd6a568_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\a648da1b92d2e19564da7141abd6a568_JaffaCakes118.exe"
    1⤵
    • Adds policy Run key to start application
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Modifies Internet Explorer settings
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2268
    • C:\Windows\SysWOW64\net.exe
      net.exe stop "Security Center"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2836
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "Security Center"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2776
    • C:\Windows\SysWOW64\sc.exe
      sc config wscsvc start= DISABLED
      2⤵
      • Launches sc.exe
      • System Location Discovery: System Language Discovery
      PID:2192
    • C:\Windows\SysWOW64\net.exe
      net.exe stop "Windows Firewall/Internet Connection Sharing (ICS)"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2864
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2724
    • C:\Windows\SysWOW64\sc.exe
      sc config SharedAccess start= DISABLED
      2⤵
      • Launches sc.exe
      • System Location Discovery: System Language Discovery
      PID:2992
    • C:\Users\Admin\AppData\Local\Temp\11np.exe
      C:\Users\Admin\AppData\Local\Temp\11np.exe
      2⤵
      • Drops file in Drivers directory
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2924
      • C:\Windows\SysWOW64\net.exe
        net.exe stop "Security Center"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:288
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop "Security Center"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1352
      • C:\Windows\SysWOW64\sc.exe
        sc config wscsvc start= DISABLED
        3⤵
        • Launches sc.exe
        • System Location Discovery: System Language Discovery
        PID:1988
      • C:\Windows\SysWOW64\net.exe
        net.exe stop "Windows Firewall/Internet Connection Sharing (ICS)"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1580
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:708
      • C:\Windows\SysWOW64\sc.exe
        sc config SharedAccess start= DISABLED
        3⤵
        • Launches sc.exe
        • System Location Discovery: System Language Discovery
        PID:2444
      • C:\Users\Admin\AppData\Local\Temp\11np.exe
        C:\Users\Admin\AppData\Local\Temp\11np.exe -dB9AA7D97FB3C4D9266979FB8581C33C006D91077594275A3A7C230B32DF69FC47D06F7DF3D5381F2E288E6815468CAEF9B993E81036DD8FC5D69710244F7CF6C8F02D6615D90E9005267A02907CD0D08BFBB1154D0AEA25E6FC7EB83BE5DA5D9411728233517F9525784EA8F1AD2FFAB62A9B596397F67202013DCE3E49146FE2227398CDDEB68BCD3E2217476A3E763B6469786F7F4FCBDEF73C0A5409F16C1055097EDB0D62930E686E2B245F449D32C4565A5042577B19E9F55DA9BDBBB61FA950F0A4513728EF1710A80EE7EEAA974DC0B5997AC2CBD2ECB981AFD4F19C6529DAE5575C0B9089678B6221BDDCFF07F3EB6AA2BA8B100E04DC551AF5556019D42C16F5BCEB103B5494478B5F83DE98028D3E97865D9443475590D3B80D7FEAEFED43C4E74507E704D4F23E5F9BA56E62D10A57807BC99EDDF127869D4403795D9B5E5E841CA762621B5C013F3091C624E592662A3ACB30ABBED75436377DBA4297147012B964C7A8793F4EA1831A6E60CDB95B1D34030CD9C264D11B8A17C6A4D558DB3D968974D10461352A676C7A3B803011DE24D22B7763AAF5D85223BB929EE56
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2424
        • C:\Windows\SysWOW64\net.exe
          net.exe stop "Security Center"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1348
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Security Center"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:580
        • C:\Windows\SysWOW64\sc.exe
          sc config wscsvc start= DISABLED
          4⤵
          • Launches sc.exe
          • System Location Discovery: System Language Discovery
          PID:2136
        • C:\Windows\SysWOW64\net.exe
          net.exe stop "Windows Firewall/Internet Connection Sharing (ICS)"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1960
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:764
        • C:\Windows\SysWOW64\sc.exe
          sc config SharedAccess start= DISABLED
          4⤵
          • Launches sc.exe
          • System Location Discovery: System Language Discovery
          PID:2008
      • C:\Users\Admin\AppData\Local\Temp\11np.exe
        C:\Users\Admin\AppData\Local\Temp\11np.exe -dDCCF49A373B4D30C8C7D8CABFCB8897AB6696007BFA4BD6BE287C7440BD094CF6F143018E48A12611C76EC8BA5993316CDCFE15EE98737138CB882F1AC1F3D9ECF42FE49AE6313FAF9CCB83118D24D482327F8AB62ED949C1BB9E087749841C9ADC9A1BE0C212AB522EDEEBB5F8CBCE707C7B196034B4B082F1EFEBE0C8FA510FBF345F37536ED25D9EECB98C213A7360BE75B59E4E80F5FAA30385B5DB2AF7AEAB6572EA5FA302A9FC8CB82CB6471D0016A813E5F7CD613ACA22DBD90A2E239EA97848D92D909E03558AC3542C3BFEDF848F1B20D4FD5579643B9370EB905ECAD63BA4476B3CC629C606AF831F97736437BB791C7B5814409B3F97280761C4924FF2599CB470EBF14EE4379E0ADBE7971D92264A5878F17E7A14A18CE666C477F3332DA4973A48A201DB3CCD9C4F90E5599BD76006EF3DB50134923239E7A0D2F638EDEE940A4187F78780DE404CCD9FFD3562973B2E4FBA617D24AE7C70CA0E76A2711E4CE63B933CE8EE90AF81D8AC02AF9B7D5B7D5A589D8046FC26B25F895B229F1B4DE758A7D20336A956910A5280CF5C640007DFBDA143B669F810C1E6DFE
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1480
        • C:\Windows\SysWOW64\net.exe
          net.exe stop "Security Center"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1848
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Security Center"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2948
        • C:\Windows\SysWOW64\sc.exe
          sc config wscsvc start= DISABLED
          4⤵
          • Launches sc.exe
          • System Location Discovery: System Language Discovery
          PID:1436
        • C:\Windows\SysWOW64\net.exe
          net.exe stop "Windows Firewall/Internet Connection Sharing (ICS)"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1968
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2872
        • C:\Windows\SysWOW64\sc.exe
          sc config SharedAccess start= DISABLED
          4⤵
          • Launches sc.exe
          • System Location Discovery: System Language Discovery
          PID:1572
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\phvpisznn.bat
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2420

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\11np.exe
    Filesize

    138KB

    MD5

    a648da1b92d2e19564da7141abd6a568

    SHA1

    76c8d878b4e6b5fadaea382a2eb910c1608fd1de

    SHA256

    c7d5ccb45fb3d0fa4b91ae0123c3443975769176aa15ccc24def13d6dd8e812d

    SHA512

    eb0ae9f673356ddf4dd692cfe9ff037a4614d83f5d132f766fd4a0750b548d7b3ba92cf38a1c73f4d150f2387cf20d5dc5e063ae6d1cbab553eb0e96174e61db

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\phvpisznn.bat
    Filesize

    218B

    MD5

    86ba9e547c57d50e4c076e5717356bf0

    SHA1

    17125a5c4245f7df57b1291af35817bc36c7fbd9

    SHA256

    3b5c05a442fce80fff11f7c05bbaece2ae053393a8390f5f7477a25a8cdc0e72

    SHA512

    8a6352e9f27269d07a06a74ce1edde0dc6ef346f55c8ae1c02fb356bf48ff13549b7841e40c4b8dddff1208ef4661107b915a198d654b4ab57d3915adac6d4f9

    Download Submit

  • memory/1480-47-0x0000000003360000-0x00000000043C2000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/1480-48-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1480-49-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2268-0-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2268-14-0x0000000004830000-0x000000000485B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2268-25-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2268-5-0x0000000003B90000-0x0000000003D79000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/2268-15-0x0000000004830000-0x000000000485B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2268-3-0x0000000003A10000-0x0000000003B85000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/2424-34-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2424-35-0x00000000034B0000-0x0000000004512000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/2424-37-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2424-38-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2924-27-0x0000000003600000-0x0000000004662000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/2924-43-0x0000000002580000-0x00000000025AB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2924-36-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2924-30-0x0000000002820000-0x000000000284B000-memory.dmp

    Filesize

    172KB

    Download