Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 119s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 02/10/2024, 15:00
Behavioral tasks
- behavioral1: sample 0b41ae79d6f39c034068d5b2dc2ec7a7_JaffaCakes118.exe, resource win7-20240729-en
- behavioral2: sample 0b41ae79d6f39c034068d5b2dc2ec7a7_JaffaCakes118.exe, resource win10v2004-20240802-en
- behavioral3: sample $PLUGINSDIR/InstallOptions.dll, resource win7-20240708-en
- behavioral4: sample $PLUGINSDIR/InstallOptions.dll, resource win10v2004-20240802-en
- behavioral5: sample $PLUGINSDIR/hnml.dll, resource win7-20240704-en
- behavioral6: sample $PLUGINSDIR/hnml.dll, resource win10v2004-20240802-en
- behavioral7: sample uninst.exe, resource win7-20240903-en
- behavioral8: sample uninst.exe, resource win10v2004-20240802-en
General
- Target: uninst.exe
- Size: 36KB
- MD5: 8420438e419d653f911f16abfd26c9ed
- SHA1: d39750d6ceb780df4ea984d9645b2f9e94b80329
- SHA256: 77a417460ee0c8c5bc65188ea2b0fa4ca9b2d2d6c94daa0ea206ea909e7d929a
- SHA512: c1ef2f814e7095d6c36986239441b4f0e91922ca70ddb64e857f267b84359117d6cbb426a30582e5ef0bc8e6bcd5a7787cee6200d9cfa10111b7000cd7e15a68
- SSDEEP: 768:51DVgVapclBrPlbLQPCGB4/deAC6Jn7z8Ld8tx8wxp4wFBOV1mJHbaQ8b:fDV6awBrdbLkrude7mnflp4tmJHmT
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid 2704, process Au_.exe
- Executes dropped EXE (1 IoC)
  pid 2704, process Au_.exe
- Loads dropped DLL (4 IoCs)
  pid 2792, process uninst.exe
  pid 2704, process Au_.exe
  pid 2704, process Au_.exe
  pid 2704, process Au_.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process uninst.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process Au_.exe)
- NSIS installer (1 IoC)
  resource behavioral7/files/0x0005000000019227-2.dat matched yara rule nsis_installer_1
- Suspicious use of WriteProcessMemory (7 IoCs)
  PID 2792 (uninst.exe) wrote to memory of PID 2704, procid_target 30 (the same entry is recorded 7 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\uninst.exe (PID 2792), command line: "C:\Users\Admin\AppData\Local\Temp\uninst.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - child: C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe (PID 2704), command line: "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
    - Deletes itself
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 36KB
- MD5: 8420438e419d653f911f16abfd26c9ed
- SHA1: d39750d6ceb780df4ea984d9645b2f9e94b80329
- SHA256: 77a417460ee0c8c5bc65188ea2b0fa4ca9b2d2d6c94daa0ea206ea909e7d929a
- SHA512: c1ef2f814e7095d6c36986239441b4f0e91922ca70ddb64e857f267b84359117d6cbb426a30582e5ef0bc8e6bcd5a7787cee6200d9cfa10111b7000cd7e15a68