Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
7Static
static
30904efe9f6...18.exe
windows7-x64
70904efe9f6...18.exe
windows10-2004-x64
7$PLUGINSDI...nu.dll
windows7-x64
3$PLUGINSDI...nu.dll
windows10-2004-x64
3$TEMP/netddee.exe
windows7-x64
7$TEMP/netddee.exe
windows10-2004-x64
7$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3$SYSDIR/$S...1_.exe
windows7-x64
7$SYSDIR/$S...1_.exe
windows10-2004-x64
7$PLUGINSDI...ns.dll
windows7-x64
3$PLUGINSDI...ns.dll
windows10-2004-x64
3$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3$SYSDIR/$_5_.dll
windows7-x64
6$SYSDIR/$_5_.dll
windows10-2004-x64
6$TEMP/setup.exe
windows7-x64
7$TEMP/setup.exe
windows10-2004-x64
7$PLUGINSDI...ol.dll
windows7-x64
3$PLUGINSDI...ol.dll
windows10-2004-x64
3$PLUGINSDI...ll.dll
windows7-x64
3$PLUGINSDI...ll.dll
windows10-2004-x64
3$PLUGINSDI...ns.dll
windows7-x64
3$PLUGINSDI...ns.dll
windows10-2004-x64
3$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3$PLUGINSDIR/UAC.dll
windows7-x64
3$PLUGINSDIR/UAC.dll
windows10-2004-x64
3$PLUGINSDI...gs.dll
windows7-x64
3$PLUGINSDI...gs.dll
windows10-2004-x64
3$PLUGINSDI...ec.dll
windows7-x64
3$PLUGINSDI...ec.dll
windows10-2004-x64
3Analysis
-
max time kernel
144s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
02/10/2024, 05:03
Static task
static1
Behavioral task
behavioral1
Sample
0904efe9f63a556f1ea8695cdabadb96_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
0904efe9f63a556f1ea8695cdabadb96_JaffaCakes118.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/StartMenu.dll
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/StartMenu.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral5
Sample
$TEMP/netddee.exe
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
$TEMP/netddee.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral7
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240903-en
Behavioral task
behavioral8
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral9
Sample
$SYSDIR/$SYSDIR/$_1_.exe
Resource
win7-20240903-en
Behavioral task
behavioral10
Sample
$SYSDIR/$SYSDIR/$_1_.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral11
Sample
$PLUGINSDIR/InstallOptions.dll
Resource
win7-20240903-en
Behavioral task
behavioral12
Sample
$PLUGINSDIR/InstallOptions.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral13
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240708-en
Behavioral task
behavioral14
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral15
Sample
$SYSDIR/$_5_.dll
Resource
win7-20240903-en
Behavioral task
behavioral16
Sample
$SYSDIR/$_5_.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral17
Sample
$TEMP/setup.exe
Resource
win7-20240708-en
Behavioral task
behavioral18
Sample
$TEMP/setup.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral19
Sample
$PLUGINSDIR/AccessControl.dll
Resource
win7-20240903-en
Behavioral task
behavioral20
Sample
$PLUGINSDIR/AccessControl.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral21
Sample
$PLUGINSDIR/DcryptDll.dll
Resource
win7-20240704-en
Behavioral task
behavioral22
Sample
$PLUGINSDIR/DcryptDll.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral23
Sample
$PLUGINSDIR/InstallOptions.dll
Resource
win7-20240903-en
Behavioral task
behavioral24
Sample
$PLUGINSDIR/InstallOptions.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral25
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240903-en
Behavioral task
behavioral26
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral27
Sample
$PLUGINSDIR/UAC.dll
Resource
win7-20240903-en
Behavioral task
behavioral28
Sample
$PLUGINSDIR/UAC.dll
Resource
win10v2004-20240910-en
Behavioral task
behavioral29
Sample
$PLUGINSDIR/nsDialogs.dll
Resource
win7-20240704-en
Behavioral task
behavioral30
Sample
$PLUGINSDIR/nsDialogs.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral31
Sample
$PLUGINSDIR/nsExec.dll
Resource
win7-20240903-en
Behavioral task
behavioral32
Sample
$PLUGINSDIR/nsExec.dll
Resource
win10v2004-20240802-en
General
-
Target
$SYSDIR/$SYSDIR/$_1_.exe
-
Size
53KB
-
MD5
874577528befed676900d88050fcc4ab
-
SHA1
418618ad890702b307734b25df7f78fa43fb3a60
-
SHA256
5596504f8ec18128105418f6ec2490a242ed6732eae435b7514d4ad073dbcc42
-
SHA512
fb0e113abc158d8dfd1aa5af907598694ed92d940ffc257e6484796e8dc6c4c12b14d28193cdceaf173a5360b7a117ee572ad58465e1baf9dd5f66e1d56d8e22
-
SSDEEP
768:KHJd0TpH2+bQ2dUWVX9Hfv1JMWmtLEJOyuBxG0D3mjfS3XJVJRn35qlXF3pm0Efd:KpgpHzb9dZVX9fHMvG0D3XJt5q9VSf2k
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 2668 Au_.exe -
Loads dropped DLL 3 IoCs
pid Process 1596 $_1_.exe 2668 Au_.exe 2668 Au_.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Au_.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language $_1_.exe -
NSIS installer 2 IoCs
resource yara_rule behavioral9/files/0x0006000000019639-2.dat nsis_installer_1 behavioral9/files/0x0006000000019639-2.dat nsis_installer_2 -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 1596 wrote to memory of 2668 1596 $_1_.exe 30 PID 1596 wrote to memory of 2668 1596 $_1_.exe 30 PID 1596 wrote to memory of 2668 1596 $_1_.exe 30 PID 1596 wrote to memory of 2668 1596 $_1_.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\$SYSDIR\$SYSDIR\$_1_.exe"C:\Users\Admin\AppData\Local\Temp\$SYSDIR\$SYSDIR\$_1_.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1596 -
C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\$SYSDIR\$SYSDIR\2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2668
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
509B
MD5c8fe61aa4bc5c05f7fe4b3bf73f01b3b
SHA17fe194edc585595bcdd153a46e90bfdb82c6e007
SHA25631434ee48571c94e61fbf48e629056004043b184e1f38b80f83b5cc3bbc77852
SHA512b555948657e992b943602a03d666abcbe8e1c8b5574ed5758f9536dbf5981db247a3a492047249612ade06df6b7ed3959949dfaea38d75fef11b71bbcd14b374
-
Filesize
530B
MD50f3c046f3112bf7a07f2550210489e44
SHA16e1e508fac682f79431e3e5fea2a5ca203b1adcf
SHA256d3eab0a2e9c4874f8511710178784ae2a7f109971ba27997074d5480050fe7be
SHA5121f5c4b674182a0c77580f38c9c8eeb2e92c201001657097a686bb1ef1b6451f77f634aa86cb7bbdd60de34158ea67da21428e230762b0f97b493df02ae24f300
-
Filesize
14KB
MD5325b008aec81e5aaa57096f05d4212b5
SHA127a2d89747a20305b6518438eff5b9f57f7df5c3
SHA256c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b
SHA51218362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf
-
Filesize
11KB
MD5c17103ae9072a06da581dec998343fc1
SHA1b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f
-
Filesize
53KB
MD5874577528befed676900d88050fcc4ab
SHA1418618ad890702b307734b25df7f78fa43fb3a60
SHA2565596504f8ec18128105418f6ec2490a242ed6732eae435b7514d4ad073dbcc42
SHA512fb0e113abc158d8dfd1aa5af907598694ed92d940ffc257e6484796e8dc6c4c12b14d28193cdceaf173a5360b7a117ee572ad58465e1baf9dd5f66e1d56d8e22