Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
96s -
max time network
97s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
13/09/2024, 23:32
General
-
Target
df18462d6309efb5454fecdf3df709ce_JaffaCakes118.exe
-
Size
350KB
-
MD5
df18462d6309efb5454fecdf3df709ce
-
SHA1
1caa5c2a2bcdc6b8282c971f197ff7df78352e11
-
SHA256
2b47a07b4a577bb57598402cbb7adb06a2cfae0c6f2bb212d7c9957687fe0445
-
SHA512
8466a90e49ea0e1916e493208aeb736bfd30e53908a63a9f54bb7ffdc6430abf4fb54ca901cade1893a3c3b243465378212d4d1e17fcb7e0ed3c626d884dc6d6
-
SSDEEP
6144:hqs/AV1rl6ahtdKGFXnxdS8NnaopyJLn1KT2z99X5kdT8Z0BwG9bM6Zyj:hbS6qtEGFXxHaopwtEwWbvZyj
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 6 IoCs
-
Disables RegEdit via registry modification 1 IoCs
-
Disables Task Manager via registry modification
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 1 IoCs
-
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 7 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops autorun.inf file 1 TTPs 3 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in Program Files directory 1 IoCs
-
Drops file in Windows directory 1 IoCs
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
-
System policy modification 1 TTPs 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\df18462d6309efb5454fecdf3df709ce_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\df18462d6309efb5454fecdf3df709ce_JaffaCakes118.exe"1⤵
- UAC bypass
- Windows security bypass
- Disables RegEdit via registry modification
- Loads dropped DLL
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Documents and Settings\tazebama.dl_"C:\Documents and Settings\tazebama.dl_"2⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 464 -s 7443⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall set opmode disable2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 464 -ip 4641⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Hide Artifacts
1Hidden Files and Directories
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
157KB
MD5f1168c92deffda2770b089b1c9d6bcaa
SHA18f7ab68589cdf1d18c7f1176c620edbaea8ccbca
SHA256420b3717e14fe7537d3672caa622a084532eb453e249d6d121766da6f35fd01e
SHA5127c79513a80ae68076f21402117aa0f28755f64fdb36038cc1cf7c6e4144fc5de7bea1fc277f6c48baf81d009e936c7f321be23bc80586d9afdd83edbfd778645
-
Filesize
32KB
MD5b6a03576e595afacb37ada2f1d5a0529
SHA1d598d4d0e70dec2ffa2849edaeb4db94fedcc0b8
SHA2561707eaf60aa91f3791aa5643bfa038e9d8141878d61f5d701ebac51f4ae7aaad
SHA512181b7cc6479352fe2c53c3630d45a839cdeb74708be6709c2a75847a54de3ffc1fdac8450270dde7174ecb23e5cb002f8ce39032429a3112b1202f3381b8918c
-
Filesize
126B
MD5163e20cbccefcdd42f46e43a94173c46
SHA14c7b5048e8608e2a75799e00ecf1bbb4773279ae
SHA2567780bee9df142a17e0457f3dcb2788b50fc2792370089335597d33719126fb7e
SHA512e5ac0ff6b087857799ab70f68067c9dc73eeb93ccfcad87047052380b95ade3e6eb2a7d01a0f850d548a39f4b1ebb60e299d603dbe25c31b9a3585b34a0c65a8
-
Filesize
157KB
MD554f8f77f8a7924e6ea46d0f2b3dec4e0
SHA12a5a57a23c7a173f626e2e92bd8e019915c1f89b
SHA25689172b287942a3c49976551dada990dda7b9c40c4d88225429c3c6a5ba2b6014
SHA5122b8cd86cc17e4b084df1af5327a2715705e8614f9f6bf25a275be7001b65abd1b13c4b4bea07d3a61f2ac5786da66fe3a6acf729649a35692d8b33ddd9d31e1f
-
Filesize
157KB
MD5241d67f1332b1bb26225e8163fe64d2a
SHA15e2e3d1c56f9e2927ad92b7e350bc9eb57fae077
SHA256c737f495cddc921ac52473130ef67400553bd80ebf8b2b91e1771a221799faf9
SHA512059dc39dee0f1583f3914ed2db5a85c2bbcd2377ffbc6634a7c34fc19827cb5f911e0f7a492e9a792d1b889c5414a1552e204f9a90279917ad22ff2435e5191a
-
Filesize
96KB
-
Filesize
96KB
-
Filesize
16.2MB
-
Filesize
208KB
-
Filesize
16.2MB
-
Filesize
48KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
48KB