Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

d01b807594...18.exe

windows7-x64

10

d01b807594...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    20s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    06/09/2024, 17:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d01b80759402a4c6f5e8b610acc0e682_JaffaCakes118.exe

  • Size

    528KB

  • MD5

    d01b80759402a4c6f5e8b610acc0e682

  • SHA1

    3bd8f379b178333540077d478051a8b9421cb436

  • SHA256

    781445a71a9a94d19b25870851af0d4e8290ed0341a72aa6978adcd1a0fce873

  • SHA512

    5c4056a3b45c90c64a23a3207b8348e6b797add9ebbb5c8dc096f153aefa9abcf70b5f249280bd17b80c422b22b5e48398ca0bab63b47c69e087d90cdab21344

  • SSDEEP

    12288:uVV7Cg6GTkT6keQZqq3Q/Kg9Ok/FUsTyAOonF:u7H+hNZLQbVTyApF

Score
10/10
evasionpersistencetrojan

Malware Config

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 1 IoCs
    persistence
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Sets file to hidden 1 TTPs 2 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

    evasion
  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 6 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Drops desktop.ini file(s) 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 37 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion
  • Views/modifies file attributes 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\d01b80759402a4c6f5e8b610acc0e682_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\d01b80759402a4c6f5e8b610acc0e682_JaffaCakes118.exe"
    1⤵
    • Modifies visibility of file extensions in Explorer
    • UAC bypass
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops desktop.ini file(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2180
    • C:\Users\Admin\AppData\Local\Temp\abc1.exe
      "C:\Users\Admin\AppData\Local\Temp\abc1.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:3056
      • C:\Windows\system32\winlogon.exe
        winlogon
        3⤵
          PID:2668
        • C:\Windows\system32\winlogon.exe
          winlogon
          3⤵
            PID:2896
        • C:\Users\Admin\AppData\Local\Temp\rundll32.eXe
          "C:\Users\Admin\AppData\Local\Temp\rundll32.eXe"
          2⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2756
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /c attrib +r +s +h +i "C:\Users\Admin\AppData\Roaming\MSNMessengerAPI.dll"
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:2820
            • C:\Windows\system32\attrib.exe
              attrib +r +s +h +i "C:\Users\Admin\AppData\Roaming\MSNMessengerAPI.dll"
              4⤵
              • Sets file to hidden
              • Views/modifies file attributes
              PID:2808
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\rundll32.eXe" "C:\Users\Admin\AppData\Roaming\rundll32.exe"
            3⤵
              PID:2484
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /c attrib +r +s +h +i "C:\Users\Admin\AppData\Roaming\rundll32.exe"
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:2556
              • C:\Windows\system32\attrib.exe
                attrib +r +s +h +i "C:\Users\Admin\AppData\Roaming\rundll32.exe"
                4⤵
                • Sets file to hidden
                • Views/modifies file attributes
                PID:2616
            • C:\Users\Admin\AppData\Roaming\rundll32.exe
              "C:\Users\Admin\AppData\Roaming\rundll32.exe" new
              3⤵
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              PID:2968

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\abc1.exe
          Filesize

          332KB

          MD5

          99fcd0a304510e52fc20df8cd4971779

          SHA1

          706c4188ac5f2b3ec3794acc7cb527f4fb150e62

          SHA256

          665f893f3a8f6f82e795fdc619aa2a8af0333e7e12ef4bc43eca740411bbda18

          SHA512

          bf0b6828b86ff0018f485de49e23ebff0fa8ed90e1717461ec80bcf0f33a62b3b772a931902635f6093fe079e665adc5247fd46470d53a346c6ea93c0c0ac6ea

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\rundll32.eXe
          Filesize

          152KB

          MD5

          49b1dfc49432bbe9b8a311113d20efd7

          SHA1

          79c030ae82d4b3a670b6bc1745c5bcba1a826172

          SHA256

          7bede7449f9c39ed911f8aef7fb1f13af8111cd630e9509a9e75a332f689e8fd

          SHA512

          963948b6ad785537c85798906635d1a3f670c2a88af3ace5259cf8443610d782f1d65dd36aa77c88032326fe23c287b67f0efe9bebd10c6dcb2f21a853d96f3e

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MSNMessengerAPI.dll
          Filesize

          56KB

          MD5

          23eb031b6159df31ac9cb64fed550e73

          SHA1

          aaa8d925d7d9f94192b9b54589b948d61fb329a6

          SHA256

          eb454b56713fdf8003be674a7da3ea63c24473f8c6f6ee274ec8db55900f2732

          SHA512

          4263ece29f6dcd886d5da436653c2bf4f9ccca99aca364635ca672234efc49ec0a6317517687d9a349fc80e7a44e89133c00d9ad82ac515328f1283595eee985

          Download Submit

        • memory/2180-0-0x000007FEF592E000-0x000007FEF592F000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2180-1-0x0000000000330000-0x0000000000344000-memory.dmp

          Filesize

          80KB

          Download

        • memory/2180-2-0x00000000006B0000-0x00000000006E6000-memory.dmp

          Filesize

          216KB

          Download

        • memory/2180-3-0x000007FEF5670000-0x000007FEF600D000-memory.dmp

          Filesize

          9.6MB

          Download

        • memory/2180-4-0x000007FEF5670000-0x000007FEF600D000-memory.dmp

          Filesize

          9.6MB

          Download

        • memory/2180-5-0x000007FEF5670000-0x000007FEF600D000-memory.dmp

          Filesize

          9.6MB

          Download

        • memory/2180-39-0x000007FEF5670000-0x000007FEF600D000-memory.dmp

          Filesize

          9.6MB

          Download

        • memory/2756-21-0x0000000000AE0000-0x0000000000B1A000-memory.dmp

          Filesize

          232KB

          Download

        • memory/2756-20-0x0000000000400000-0x0000000000414000-memory.dmp

          Filesize

          80KB

          Download

        • memory/2896-26-0x0000000000400000-0x000000000044F000-memory.dmp

          Filesize

          316KB

          Download

        • memory/2896-25-0x0000000000400000-0x000000000044F000-memory.dmp

          Filesize

          316KB

          Download

        • memory/2896-24-0x0000000000400000-0x000000000044F000-memory.dmp

          Filesize

          316KB

          Download

        • memory/2896-23-0x0000000000400000-0x000000000044F000-memory.dmp

          Filesize

          316KB

          Download

        • memory/2896-22-0x0000000000400000-0x000000000044F000-memory.dmp

          Filesize

          316KB

          Download

        • memory/2896-27-0x0000000000400000-0x000000000044F000-memory.dmp

          Filesize

          316KB

          Download

        • memory/2896-28-0x0000000000400000-0x000000000044F000-memory.dmp

          Filesize

          316KB

          Download

        • memory/2968-38-0x00000000005D0000-0x00000000005E4000-memory.dmp

          Filesize

          80KB

          Download

        • memory/3056-30-0x000007FEF5670000-0x000007FEF600D000-memory.dmp

          Filesize

          9.6MB

          Download

        • memory/3056-31-0x000007FEF5670000-0x000007FEF600D000-memory.dmp

          Filesize

          9.6MB

          Download

        • memory/3056-19-0x000007FEF5670000-0x000007FEF600D000-memory.dmp

          Filesize

          9.6MB

          Download

        • memory/3056-40-0x000007FEF5670000-0x000007FEF600D000-memory.dmp

          Filesize

          9.6MB

          Download