Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

7

d142e94f80...18.exe

windows7-x64

7

d142e94f80...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    142s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07/09/2024, 06:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d142e94f80fd713e31e2f12d419627d8_JaffaCakes118.exe

  • Size

    321KB

  • MD5

    d142e94f80fd713e31e2f12d419627d8

  • SHA1

    670694de28ed2361b9f53d86ba128fe2281220d7

  • SHA256

    2b1cb463731d798783eb5786ef6eb5adcdfaaa77bc58ce090f8f5e8fac11acfe

  • SHA512

    f60624e8fe4ce9c2041fdec767341f0c7561a1976ee6458364a37cfffa01924cb54a0e2bc0233d7782ae6cab4a0464c421ad7a56bd2c0f456b15e60d56517bcd

  • SSDEEP

    6144:wiLs+Lop94KLMZ4hD2tUfBxboPRY4aLxXGf1:wiQ+o9TYFtUJB9nVGf1

Score
7/10
adwarediscoveryexecutionstealerupx

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 1 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

    stealeradware
  • Drops file in Windows directory 5 IoCs
  • Command and Scripting Interpreter: JavaScript 1 TTPs
    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 50 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d142e94f80fd713e31e2f12d419627d8_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\d142e94f80fd713e31e2f12d419627d8_JaffaCakes118.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1276
    • C:\Windows\baidu\info2asp.exe
      C:\Windows\baidu\info2asp.exe 0ECF425C63BA9ACDBA47BEF4ED72944104DF6AFDB457BD8183FBA579EA41783397D3B712A66FD4610ED517291C47C3467ADC55E55E
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1344
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1344 -s 520
        3⤵
        • Program crash
        PID:4252
    • C:\Windows\SysWOW64\wscript.exe
      wscript.exe C:\Windows\baidu\shortcut.js //B
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2260
      • C:\Windows\SysWOW64\regsvr32.exe
        "C:\Windows\System32\regsvr32.exe" /s C:\Windows\baidu\ATLcom.dll
        3⤵
        • Loads dropped DLL
        • Installs/modifies Browser Helper Object
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        PID:1056
    • C:\Windows\baidu\iePlayer.exe
      C:\Windows\baidu\iePlayer.exe 0ECF425C63BA9ACDBA47BEF4ED72944104DF6AFDB457BD8183FBA579EA41783397D3B712A66FD4610ED517291C47C3467ADC55E55E
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1036
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1036 -s 440
        3⤵
        • Program crash
        PID:2392
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1036 -s 440
        3⤵
        • Program crash
        PID:2168
    • C:\Windows\baidu\Update.exe
      C:\Windows\baidu\Update.exe 0ECF425C63BA9ACDBA47BEF4ED72944104DF6AFDB457BD8183FBA579EA41783397D3B712A66FD4610ED517291C47C3467ADC55E55E
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:5100
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1344 -ip 1344
    1⤵
      PID:1548
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 1036 -ip 1036
      1⤵
        PID:1280
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1036 -ip 1036
        1⤵
          PID:4972

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Windows\baidu\ATLcom.dll
          Filesize

          90KB

          MD5

          8d8afbdd1977f3c5dc12775e56b7c319

          SHA1

          44cc86024bccaa91e29936623696594befb0a025

          SHA256

          1e8febc754066269b7c5f22388f4d3b7b4a7a70d382a8ae6f5daffe35ebb014b

          SHA512

          d669ac2137daaeedc64cbb8c4817a9c02ba3d57f2db3e82ebaea6c12c7e55cb6d2db47ca488338da065af517c5a1b27ba4fd4da41805ebc219e2f4053d6693d6

          Download Submit

        • C:\Windows\baidu\Update.exe
          Filesize

          57KB

          MD5

          e4c0db0561f859b0614d2dc8119e6ef7

          SHA1

          d2749a469f5eb70dbd2247ab09393377706974bf

          SHA256

          d1e609355222a3985ff0dd2fb8989e8be74032e4a6ea2d82592525116dbfbd6b

          SHA512

          1b0e738e7436b798760c46d5422330909914e835bb6ae9611cbd6b861f8f8f4996a3c4e7c86e88448fca954920d27e310b665d80c6f0907e770a4d69de482966

          Download Submit

        • C:\Windows\baidu\iePlayer.exe
          Filesize

          64KB

          MD5

          bcd7327919f9a78aeb5ea8e62705cb6d

          SHA1

          1dcb15d024e634063ee2b05f15af59589b16ffff

          SHA256

          f846d5eb0aa0c5bb648f0167ccde1cb2e882cafbb5f2a3737b7879a9c2b07505

          SHA512

          f2b71ab5e1666882d9d8a640f81f9625ee95903278a2254697457d3cd2f4a6aaa490f77a06632d71658ffc37180b7b0a9e1dbc7ef33a2ec007f2464212af8e9b

          Download Submit

        • C:\Windows\baidu\info2asp.exe
          Filesize

          41KB

          MD5

          1000b47ffbae539166a0e996216ebb36

          SHA1

          0803068acac00e9339fc1bcc4d2dca9752045f56

          SHA256

          d1558f21145f2b285a56cd926d39c9dca03fe32657b54c6467b42e443e5217cb

          SHA512

          2e80199bf91bb3d29b21ca4d920e04f5bf212d887314326a072e62d8e8686ff8b4eb9923c6fb4ccb10d9ccd1906bda5c5018b553b480d12bc8c6bcc27a0ed5bb

          Download Submit

        • C:\Windows\baidu\shortcut.js
          Filesize

          1KB

          MD5

          c7ea49bd0568bf89f387f6c5b45163ec

          SHA1

          6d694978c5c523ff460e890c6ea2aab43d8f615e

          SHA256

          07e61ebf29c13a0ff3c17b491c2c2550baf1e9ba894b19e880cfa8b660f2bf7a

          SHA512

          efd72c2f7c587e2fb2259e1864e47f528e9239453f4233383ac9a5f6205abed42313dc0c4fde8bc0cf686f3e94f14221a910e774194232ad31f4afef44d266b9

          Download Submit

        • memory/1276-0-0x0000000000400000-0x0000000000452000-memory.dmp

          Filesize

          328KB

          Download

        • memory/1276-20-0x0000000000400000-0x0000000000452000-memory.dmp

          Filesize

          328KB

          Download