Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

3

bd5493a524...18.dll

windows7-x64

8

bd5493a524...18.dll

windows10-2004-x64

8

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23/08/2024, 22:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bd5493a5247ece47078d029d7f5cb165_JaffaCakes118.dll

  • Size

    58KB

  • MD5

    bd5493a5247ece47078d029d7f5cb165

  • SHA1

    fbf141577bfd64e2408aaa0cc90a6447d6aa4ab9

  • SHA256

    27c5c70788728be57102613cda8af09969171a4d0fbe5eef81749ef3dc557ebb

  • SHA512

    c46ac4aa31c46032a95be351c8b5238e4b5f93d50559ed80fff190f0180c6ef73fc930c8f82c37facad73e80ad91725c1321663129e8db10e85b6dd01db3628b

  • SSDEEP

    1536:H+/EkhRwFw5QrNZC0DPmrAbG2TLMk7O/JoZ/tkzGbjk6d2:gtDJQBKMLMOQoZlkSB

Score
8/10
discoverypersistenceprivilege_escalation

Malware Config

Signatures

  • Event Triggered Execution: AppInit DLLs 1 TTPs

    Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.

    persistenceprivilege_escalation
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 6 IoCs
  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 2 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Enumerates system info in registry 2 TTPs 12 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of WriteProcessMemory 46 IoCs

Processes

  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
      PID:2428
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
      1⤵
        PID:2472
      • C:\Windows\system32\taskhostw.exe
        taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
        1⤵
          PID:2556
        • C:\Windows\Explorer.EXE
          C:\Windows\Explorer.EXE
          1⤵
            PID:3332
            • C:\Windows\system32\rundll32.exe
              rundll32.exe C:\Users\Admin\AppData\Local\Temp\bd5493a5247ece47078d029d7f5cb165_JaffaCakes118.dll,#1
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:4524
              • C:\Windows\SysWOW64\rundll32.exe
                rundll32.exe C:\Users\Admin\AppData\Local\Temp\bd5493a5247ece47078d029d7f5cb165_JaffaCakes118.dll,#1
                3⤵
                • Adds Run key to start application
                • Drops file in System32 directory
                • Event Triggered Execution: Netsh Helper DLL
                • System Location Discovery: System Language Discovery
                • Enumerates system info in registry
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of WriteProcessMemory
                PID:5076
                • C:\Windows\SysWOW64\RunDll32.exe
                  RunDll32 "C:\Users\Admin\AppData\Local\Temp\bd5493a5247ece47078d029d7f5cb165_JaffaCakes118.dll",Init
                  4⤵
                  • System Location Discovery: System Language Discovery
                  PID:1408
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
            1⤵
              PID:3620
            • C:\Windows\system32\DllHost.exe
              C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
              1⤵
                PID:3828
              • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                1⤵
                  PID:3928
                • C:\Windows\System32\RuntimeBroker.exe
                  C:\Windows\System32\RuntimeBroker.exe -Embedding
                  1⤵
                    PID:3992
                  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                    1⤵
                      PID:4080
                    • C:\Windows\System32\RuntimeBroker.exe
                      C:\Windows\System32\RuntimeBroker.exe -Embedding
                      1⤵
                        PID:3648
                      • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
                        "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
                        1⤵
                          PID:4468
                        • C:\Windows\System32\RuntimeBroker.exe
                          C:\Windows\System32\RuntimeBroker.exe -Embedding
                          1⤵
                            PID:3312
                          • C:\Windows\system32\backgroundTaskHost.exe
                            "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
                            1⤵
                              PID:2940
                            • C:\Windows\System32\RuntimeBroker.exe
                              C:\Windows\System32\RuntimeBroker.exe -Embedding
                              1⤵
                                PID:5072
                              • C:\Windows\System32\RuntimeBroker.exe
                                C:\Windows\System32\RuntimeBroker.exe -Embedding
                                1⤵
                                  PID:4868
                                • C:\Windows\system32\DllHost.exe
                                  C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
                                  1⤵
                                    PID:4220
                                  • C:\Windows\system32\backgroundTaskHost.exe
                                    "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
                                    1⤵
                                      PID:1664
                                    • C:\Windows\System32\RuntimeBroker.exe
                                      C:\Windows\System32\RuntimeBroker.exe -Embedding
                                      1⤵
                                        PID:3000

                                      Network

                                      MITRE ATT&CK Enterprise v15

                                      Replay Monitor

                                      Loading Replay Monitor...

                                      Downloads

                                      • C:\Windows\SysWOW64\Nui\logsrvup.dll
                                        Filesize

                                        58KB

                                        MD5

                                        bd5493a5247ece47078d029d7f5cb165

                                        SHA1

                                        fbf141577bfd64e2408aaa0cc90a6447d6aa4ab9

                                        SHA256

                                        27c5c70788728be57102613cda8af09969171a4d0fbe5eef81749ef3dc557ebb

                                        SHA512

                                        c46ac4aa31c46032a95be351c8b5238e4b5f93d50559ed80fff190f0180c6ef73fc930c8f82c37facad73e80ad91725c1321663129e8db10e85b6dd01db3628b

                                        Download Submit

                                      • memory/1408-10-0x0000000002D30000-0x0000000002D31000-memory.dmp

                                        Filesize

                                        4KB

                                        Download

                                      • memory/1408-11-0x0000000002D30000-0x0000000002D31000-memory.dmp

                                        Filesize

                                        4KB

                                        Download

                                      • memory/1408-13-0x00000000758E0000-0x0000000075903000-memory.dmp

                                        Filesize

                                        140KB

                                        Download

                                      • memory/5076-2-0x00000000758E0000-0x0000000075903000-memory.dmp

                                        Filesize

                                        140KB

                                        Download

                                      • memory/5076-1-0x00000000758E1000-0x00000000758ED000-memory.dmp

                                        Filesize

                                        48KB

                                        Download

                                      • memory/5076-0-0x00000000758E0000-0x0000000075903000-memory.dmp

                                        Filesize

                                        140KB

                                        Download

                                      • memory/5076-12-0x00000000758E0000-0x0000000075903000-memory.dmp

                                        Filesize

                                        140KB

                                        Download