Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

7

b46f739508...18.exe

windows7-x64

7

b46f739508...18.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    150s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21/08/2024, 17:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b46f73950863d53d279ad0a731f5888a_JaffaCakes118.exe

  • Size

    826KB

  • MD5

    b46f73950863d53d279ad0a731f5888a

  • SHA1

    31c9f36e7ea800c216752595945901caeacdb619

  • SHA256

    19f1011f9dc9972a3ae122b0bf2e8e3df26b8721ece4b9afa1b50caf1bb81099

  • SHA512

    08266d1646e2e4895027357e40281867154eca49eea8ff63affad28f876929fc1878a5db37a73756cf2a99ca683b0b31858eee1a6a436a15cd88017f5266dd46

  • SSDEEP

    12288:4q+/TXNFm3lChFvkoQp2TyETQpTomJaMjcGMcRLa+NkxAAM/Xq2R83IjtRyLOcVn:4qm/HTQYiPaMjc7zxAjPRdj0LgLbV2

Score
8/10
bootkitdiscoverypersistenceupx

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 5 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • UPX packed file 1 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 31 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\b46f73950863d53d279ad0a731f5888a_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\b46f73950863d53d279ad0a731f5888a_JaffaCakes118.exe"
    1⤵
    • Adds Run key to start application
    • Enumerates connected drives
    • Writes to the Master Boot Record (MBR)
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    PID:3604
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Suspicious use of FindShellTrayWindow
    PID:1560
  • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
    "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:3476
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1144
    • C:\Windows\explorer.exe
      explorer.exe /LOADSAVEDWINDOWS
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1004
  • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
    "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:4076
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:2360
    • C:\Windows\explorer.exe
      explorer.exe /LOADSAVEDWINDOWS
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1444
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:3280
    • C:\Windows\explorer.exe
      explorer.exe /LOADSAVEDWINDOWS
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3996
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:4216
    • C:\Windows\explorer.exe
      explorer.exe /LOADSAVEDWINDOWS
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1592
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3860
    • C:\Windows\explorer.exe
      explorer.exe /LOADSAVEDWINDOWS
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:3044

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9
    Filesize

    471B

    MD5

    69110a181e6196eab88822a1d7c54fad

    SHA1

    5200454f3298d903a8dcb531c188a2b12f963239

    SHA256

    a1acefdaa4f3826d48b629b9b15f8e39edca9d23d96271745679a464d38b1646

    SHA512

    11ca8a5dc520628849db5702fa9936cdf001cf62da467b737350ed70ce1f70cdd1b8e81367d2687944711ea0b956fbd5051bca9926112024581ddeaf45250e33

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9
    Filesize

    420B

    MD5

    194d9c0d785e9d269dd1dce8e0af0a5b

    SHA1

    ffe47e649688708b4960b9ff1deb0b99a31250f9

    SHA256

    10b028f7ab84b8860e80bddfb9b5e4b2736c13eaec1690d6ad8497f3a7b043f1

    SHA512

    aa27ecc821cbe947e6aa16aa3d8ce0a5985e7fe1173ccbc2b5a4e8c43398c5fe580a3362a7c60b36fcfd5fcd577b112bc58d6948b5959382ecc3019c0b74a970

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat
    Filesize

    1022B

    MD5

    7b4f7b01464298f2193535b42f562e2d

    SHA1

    03cf592478bbd33d26b258ba1d6252c46d7f4124

    SHA256

    c49131bfa666b79eade2d269955d4413c8f6963a2e5bacbe2d529b097a7aa480

    SHA512

    39518f323fca704a4f425d3dd749c7938de3119d0d8a851300d676fb92c50558ff265a42b9fe8bf4f805df5dfd8663075bfe417c8aace64953015cfa779fa0f5

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\{AD736460-61BB-4E21-977B-6E0F156EB7FC}.png
    Filesize

    6KB

    MD5

    099ba37f81c044f6b2609537fdb7d872

    SHA1

    470ef859afbce52c017874d77c1695b7b0f9cb87

    SHA256

    8c98c856e4d43f705ff9a5c9a55f92e1885765654912b4c75385c3ea2fdef4a7

    SHA512

    837e1ad7fe4f5cbc0a87f3703ba211c18f32b20df93b23f681cbd0390d8077adba64cf6454a1bb28df1f7df4cb2cdc021d826b6ef8db890e40f21d618d5eb07a

    Download Submit

  • memory/1004-14-0x0000000002F10000-0x0000000002F11000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3044-35-0x0000000004410000-0x0000000004411000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3604-24-0x0000000000400000-0x0000000000A29000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/3604-44-0x0000000000400000-0x0000000000A29000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/3604-15-0x0000000000DC0000-0x0000000000EC0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/3604-7-0x0000000000400000-0x0000000000A29000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/3604-17-0x00000000009EB000-0x00000000009EC000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3604-18-0x0000000000400000-0x0000000000A29000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/3604-6-0x0000000000400000-0x0000000000A29000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/3604-5-0x00000000009EB000-0x00000000009EC000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3604-0-0x0000000000400000-0x0000000000A29000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/3604-4-0x0000000000400000-0x0000000000A29000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/3604-37-0x0000000000400000-0x0000000000A29000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/3604-8-0x0000000000400000-0x0000000000A29000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/3604-2-0x0000000000DC0000-0x0000000000EC0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/3604-51-0x0000000000400000-0x0000000000A29000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/3604-52-0x0000000000400000-0x0000000000A29000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/3604-53-0x0000000000400000-0x0000000000A29000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/3604-54-0x0000000000400000-0x0000000000A29000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/3604-59-0x0000000000400000-0x0000000000A29000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/3604-60-0x0000000000400000-0x0000000000A29000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/3604-61-0x0000000000400000-0x0000000000A29000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/3604-64-0x0000000000400000-0x0000000000A29000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/3604-65-0x0000000000400000-0x0000000000A29000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/3604-66-0x0000000000400000-0x0000000000A29000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/3604-67-0x0000000000400000-0x0000000000A29000-memory.dmp

    Filesize

    6.2MB

    Download