Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
125s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
09/09/2024, 10:07
General
-
Target
d61982cb8ec501a9d20cb14e9b3fc0e9_JaffaCakes118.exe
-
Size
314KB
-
MD5
d61982cb8ec501a9d20cb14e9b3fc0e9
-
SHA1
af0a6f77b520d5744a055c1f89aa68957f1014de
-
SHA256
d94cd4f80b2d5356f3c4879c1b12d279d7e7df650317b7285c72fe51e2c51e06
-
SHA512
769c45249b65cd9bd6cbd136d83bf8dd789983a20c90d41ddc5ac5ba59bf23d071818dc8ddae7ce7bb36437289f417a21666a2b3d20fdec8a12a3cf0a2d68977
-
SSDEEP
6144:Tz+92mh7MJ/cPl3itVRsHHtXJ07l70a37YiteLKSh:TK2mh7MJ/cPlAYntCl7UGSh
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies firewall policy service 3 TTPs 3 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 6 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
UPX packed file 12 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 7 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Drops file in System32 directory 2 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of SetWindowsHookEx 7 IoCs
-
Suspicious use of WriteProcessMemory 21 IoCs
-
System policy modification 1 TTPs 1 IoCs
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\d61982cb8ec501a9d20cb14e9b3fc0e9_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\d61982cb8ec501a9d20cb14e9b3fc0e9_JaffaCakes118.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Checks computer location settings
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Win\drivers\ISPR Clarification.doc" /o ""3⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
-
C:\Win\drivers\slidebar.exe"C:\Win\drivers\slidebar.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
6Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
238KB
MD513619025a126c56c3097d533414f2230
SHA10f449570cbc93aef78838ead799fae3c3b7cf93e
SHA2565deb2dab773cffc3be4ffa62d1a60a892c8fa629dba756d7ba3ad2fa20d7fce3
SHA512278599ebf194c371eec789da6a7eb0bb5ed71bc330c2ab93d30458176ba6523bc2fa7ff347c6fdf65c1ba5d9d8e74f0add5757d5441478c1e1d700ffb29fe4a1
-
Filesize
263KB
MD5ff0e07eff1333cdf9fc2523d323dd654
SHA177a1ae0dd8dbc3fee65dd6266f31e2a564d088a4
SHA2563f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5
SHA512b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d
-
Filesize
357B
MD53346111b1644f276d281d25ef64ea218
SHA13f382c5b62ed5ea06e29c6bd2a946d6ec9aade73
SHA256722cee5ff75d373dfca4f559d38272f2e15649f2c7189d6291ecbf35d310867d
SHA51225793cc7f837edea3ce63efea62743c06251a2821bfa911d90db3b23276e388a457f4cf6a882b726b9988aac6f098a9abf31fcba885ceaf06bc2fa335299d235
-
Filesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
Filesize
2KB
MD54884b815b3d0f218bd372f9ca3867eee
SHA1d59dd3349e215956008283976511d0b09a1c4668
SHA25697f1aea14f90e15b6d311b5a753ecc6f7dab4c27c01b909081532dbbc4776a58
SHA512e1d1c15f203801b46280f573e42f7196dec4385f6653a10f5e662518273703869cffb575cd4d3bd02b1434ebc8dc31b44e9f731adfb2d18dac2050339f45966a
-
Filesize
1KB
MD5b9100c82eb402d3e54d13ece839c826e
SHA102986fd2c0ce12154d90e24463036681214aaa58
SHA2561de34d5f5739d80fc1968db729dbfb61e7c3a5e415bafef84bef1d41d11136b0
SHA512bba18730db7781e23a1da449993fd25244db7c8ced175f57bc0914c1f0fa7405edc5018d40fcc10a9b0b14a726ea3288f1aaaac6d1221ffc990c71bffac6464e
-
Filesize
109KB
MD53ff101716f3a78ac2846ff0387bc0812
SHA1362c9112a1ec9fc82ec34a9fbeb46506a24e97c3
SHA256f48dcd0ebfb91d4e126c91ea8c6f85d2d8b7aca25af66ed7233b21570d46bb84
SHA5129f1c337fb79c6ea918a304f17d9d7869c00500e1bbcc9846583727ad3f1bbf5dfa78144b6937d9663a06950843b4907baf405008c8d3c204450b4a720e0a8b00
-
Filesize
72KB
MD5734e552fe9ffd1ffdea3434c62dd2e4b
SHA107263f4cb2c12ec4cad6ecae0dfae4e45731c4da
SHA256a84fc65fef7bad1496a406bdef35ece5c0a25e9acdc2002915513f6dbb1ce20a
SHA5129a0b90412476f8c24f0834284b9e14cd170cde96c61e8774833868034a2745783870440f8632861077944bd8ffe72e2b721693507a817874ad2b9e7683cbd2d3
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
320KB
-
Filesize
320KB
-
Filesize
16.6MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.0MB