Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
7Static
static
3fddb8b56a0...18.exe
windows7-x64
7fddb8b56a0...18.exe
windows10-2004-x64
7$0/resultbar.dll
windows7-x64
1$0/resultbar.dll
windows10-2004-x64
1$0/resultbar.exe
windows7-x64
1$0/resultbar.exe
windows10-2004-x64
3$0/uninstall.exe
windows7-x64
7$0/uninstall.exe
windows10-2004-x64
7$PLUGINSDI...ns.dll
windows7-x64
3$PLUGINSDI...ns.dll
windows10-2004-x64
3$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
29/09/2024, 05:10
Static task
static1
Behavioral task
behavioral1
Sample
fddb8b56a01dfc7b2f20db5ae8c6afa7_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
fddb8b56a01dfc7b2f20db5ae8c6afa7_JaffaCakes118.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral3
Sample
$0/resultbar.dll
Resource
win7-20240708-en
Behavioral task
behavioral4
Sample
$0/resultbar.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral5
Sample
$0/resultbar.exe
Resource
win7-20240704-en
Behavioral task
behavioral6
Sample
$0/resultbar.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral7
Sample
$0/uninstall.exe
Resource
win7-20240903-en
Behavioral task
behavioral8
Sample
$0/uninstall.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral9
Sample
$PLUGINSDIR/InstallOptions.dll
Resource
win7-20240903-en
Behavioral task
behavioral10
Sample
$PLUGINSDIR/InstallOptions.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral11
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240704-en
Behavioral task
behavioral12
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240802-en
General
-
Target
$0/uninstall.exe
-
Size
82KB
-
MD5
c78dc19bab9bcb490d031ccca4bdf853
-
SHA1
f40960a41ff93fdcad2793f36fb5437db93b120c
-
SHA256
a743fab26fad94ba571933471af4685660a80c73ef4a86ea276aebcc197b2600
-
SHA512
da9f21b7eb01b3350614ee912f98389e209e0ce0afed08fdd13bea153f28510a2aeb468c10bf3317e0fe2716af9d67702996a8cbf18eb3ce1435be68c722abca
-
SSDEEP
1536:jEkjY1zy214Qay0DGkJ7qAELVigJxf7DcptJgNfKeQ2/DRkAi:AkjAJ4dDGkJ+AI0JXJGKeH/u
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 2736 Au_.exe -
Loads dropped DLL 3 IoCs
pid Process 2316 uninstall.exe 2736 Au_.exe 2736 Au_.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language uninstall.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Au_.exe -
NSIS installer 1 IoCs
resource yara_rule behavioral7/files/0x0007000000015e4f-2.dat nsis_installer_1 -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2736 Au_.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2316 wrote to memory of 2736 2316 uninstall.exe 30 PID 2316 wrote to memory of 2736 2316 uninstall.exe 30 PID 2316 wrote to memory of 2736 2316 uninstall.exe 30 PID 2316 wrote to memory of 2736 2316 uninstall.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\$0\uninstall.exe"C:\Users\Admin\AppData\Local\Temp\$0\uninstall.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2316 -
C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\$0\2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
PID:2736
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
610B
MD514c575dce4cd7987199d385bc93eae0d
SHA1280e4c6df5f52eed86fbd604e8e9b5339e62fa58
SHA25653857dc450dbfb21819f3d3d89894b7b686721716d1664ac0b814913d8f42847
SHA512c7b90837f5f494d4cfa7a02bb3eda872366f9a6021801b919717de274b2379d1f0283c71dd000732faa3aa84ada31a816ca4d6cb3b08687bb1a10ed82efcaf05
-
Filesize
623B
MD5dfb0bcd8f8414180615c3177ecaed4bc
SHA1752ca8080bd370df9bebb5ea661ce1dad820b994
SHA256113e9a8226b3dd66d37cfecab20a8978ff7a923ef5cfbae8ff980c37544d03e2
SHA512ea77ba9d6138e4c4fec32e85fdbe5d22d91c901ea8739b6a8d3cc36b0117d4092f19eab94bc8e67815e63159b505ea90ab85d77d1a5f50ec3e7cdf018714539c
-
Filesize
13KB
MD5d765c492c21689e3d9d61634371fd861
SHA1ac200933671ae52c9d5544d0e2e8e9144d286c83
SHA256551e6042dd494ea01549555ffc194ab9729da09058ec714eb368dd06642c9bbc
SHA5129919a9e848c8f1e26c75d0d29207571e4b86a4140bd554743d2c1f8bd7f386fe4919345b163d89a5d907fb165e435ba0ac5f6b1101713636141f156a420e2e0f
-
Filesize
10KB
MD5fe24766ba314f620d57d0cf7339103c0
SHA18641545f03f03ff07485d6ec4d7b41cbb898c269
SHA256802ef71440f662f456bed6283a5ff78066af016897fe6bfd29cac6edc2967bbd
SHA51260d36959895cebf29c4e7713e6d414980139c7aa4ed1c8c96fefb672c1263af0ce909fb409534355895649c0e8056635112efb0da2ba05694446aec2ca77e2e3
-
Filesize
82KB
MD5c78dc19bab9bcb490d031ccca4bdf853
SHA1f40960a41ff93fdcad2793f36fb5437db93b120c
SHA256a743fab26fad94ba571933471af4685660a80c73ef4a86ea276aebcc197b2600
SHA512da9f21b7eb01b3350614ee912f98389e209e0ce0afed08fdd13bea153f28510a2aeb468c10bf3317e0fe2716af9d67702996a8cbf18eb3ce1435be68c722abca