Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

7

b63bf326cb...18.exe

windows7-x64

10

b63bf326cb...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22/08/2024, 03:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b63bf326cb8776d28e91539dac2c1265_JaffaCakes118.exe

  • Size

    216KB

  • MD5

    b63bf326cb8776d28e91539dac2c1265

  • SHA1

    2c165a747e2af1e0c760aefa15454ab6c8f12da8

  • SHA256

    ad40467c37cef7463a5b7c9d3948170b8ae2324e55d6d73e8e6b859228286b37

  • SHA512

    290c4f068b06cc58755f9cdc87f1e42b72045021db0ae258bbcaad5c14f077248aff6342ec46bb749f8d322dc94f889082baff77d7532c6079053cc022957459

  • SSDEEP

    3072:jSB5qSR3bSUm4R8WSXB0bXjuz31HWHUtesybqm:jSeUm/WSXAseHbq

Score
10/10
bootkitdiscoveryevasionpersistenceupx

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Blocklisted process makes network request 1 IoCs
  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 12 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates connected drives 3 TTPs 8 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Drops file in System32 directory 5 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 46 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b63bf326cb8776d28e91539dac2c1265_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\b63bf326cb8776d28e91539dac2c1265_JaffaCakes118.exe"
    1⤵
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4208
    • C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s C:\Windows\System32\ssshile.dll
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      PID:2584
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32 msn6561.dll , InstallMyDll
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Writes to the Master Boot Record (MBR)
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1760
    • C:\Windows\SysWOW64\Dofake.exe
      C:\Windows\System32\Dofake.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Enumerates connected drives
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:3032
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c 375519961O57540.bat
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1172

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\375519961O57540.bat
    Filesize

    2KB

    MD5

    e024defdc3d4878a172df36071b1b928

    SHA1

    59697a7358c0449376b3fb763633edb890faeb4f

    SHA256

    88dee481c1410546996e93133fc605cce3c8109b0e6ad77e1004d0949de23056

    SHA512

    63e3ca4b870fa137e742002a67676ea63f675caa3c596dfe60a6db1e9d8e96431006e462073b105d325f389bccbf6ce17234dfcedc6d615eca3d3836b64713bd

    Download Submit

  • C:\Windows\SysWOW64\Dofake.exe
    Filesize

    96KB

    MD5

    a6added823aee4871efe1a4ca8f47a09

    SHA1

    b39cc6522719748ca0481536e2f1e6405e95567f

    SHA256

    50b5ddd1e166865865e26fc960faa4e347734c39e632efed1d713d96b93d010b

    SHA512

    d6e0d9c968059ec9553bcf76d109be7ae373087701cc907a5c260f90d9a4071e64d9f0fa5abecc8fbadb8b7823cf18496fc92c32bf348483b614912296a2da8d

    Download Submit

  • C:\Windows\SysWOW64\Web.ini
    Filesize

    2KB

    MD5

    3b9123e58c22dfba46bb70e839cf5b53

    SHA1

    eff940aaf0a6c435a542b87b2ed825e6d4db739c

    SHA256

    b8d65ec76ff9eff9dfdec033a126a728b6dce4ac50d2cfab289da1da07d181cd

    SHA512

    a7ae5f421bb427286557dfcd5f47f3cc3ff9fd20bb674a6f1da74dfdf5295a620dceff6858ddb5ae4adfc2eee5776d82c90f7ddbdb859ba3ba2e0d70c3fe74a7

    Download Submit

  • C:\Windows\SysWOW64\msn6561.dll
    Filesize

    34KB

    MD5

    2850424792c45d045064fd20caee9154

    SHA1

    07575ab6e60ec261d724dad00a952fd376c66a43

    SHA256

    f04bba4986055df9fadba6356fa4b49cfb08647c46e4d9d67ee4d87ab826758d

    SHA512

    fae07fc61102eb98d2add60df6a8a2c92dbe5b5b80b1de91e009d1271f07937d95f31d7f05b04a36d2cedf501215c4536d33b3c7f6afc81eb738322a7c96664f

    Download Submit

  • C:\Windows\SysWOW64\ssshile.dll
    Filesize

    56KB

    MD5

    d56187f40d666692aafe6573d57eed4f

    SHA1

    bbc4d3c09668e521408b71bb1a6ea4eaa6a5bb79

    SHA256

    f8309a95f297d4818e3f8b957f144fe95425f8b467db324f12c19a6fb7b9b436

    SHA512

    2163d8dbf29a3a4add720b020d4531078b18f09a33f44c7a9ba0a93f46ccd7a79788e7974ec1fcba2fe9b71686cea8b311a0bd848874c5b416863608b5ce1422

    Download Submit

  • memory/1760-136-0x0000000010000000-0x0000000010028000-memory.dmp

    Filesize

    160KB

    Download

  • memory/1760-9-0x0000000010000000-0x0000000010028000-memory.dmp

    Filesize

    160KB

    Download

  • memory/1760-7-0x0000000010000000-0x0000000010028000-memory.dmp

    Filesize

    160KB

    Download

  • memory/1760-131-0x0000000010000000-0x0000000010028000-memory.dmp

    Filesize

    160KB

    Download

  • memory/1760-135-0x0000000010000000-0x0000000010028000-memory.dmp

    Filesize

    160KB

    Download

  • memory/1760-137-0x0000000010000000-0x0000000010028000-memory.dmp

    Filesize

    160KB

    Download

  • memory/1760-138-0x0000000010000000-0x0000000010028000-memory.dmp

    Filesize

    160KB

    Download

  • memory/1760-139-0x0000000010000000-0x0000000010028000-memory.dmp

    Filesize

    160KB

    Download

  • memory/4208-18-0x0000000000400000-0x0000000000438000-memory.dmp

    Filesize

    224KB

    Download

  • memory/4208-8-0x0000000000400000-0x0000000000438000-memory.dmp

    Filesize

    224KB

    Download

  • memory/4208-0-0x0000000000400000-0x0000000000438000-memory.dmp

    Filesize

    224KB

    Download