Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    142s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    04/10/2024, 01:19

General

  • Target

    113de567b602ba220e0b39a41cd6e822_JaffaCakes118.exe

  • Size

    37KB

  • MD5

    113de567b602ba220e0b39a41cd6e822

  • SHA1

    0c04c9114bce6ece5ff0d024d07428a7180d11e3

  • SHA256

    704a0149a7ff05d10390fffe02a658c55b7820d5a8c81142e9d2565b71b91b4d

  • SHA512

    555e854a707bac9d8352d047b333eb2cad1be8854fc3b57e80a335ac01ae21dc80f143d2b008e428881bffda6b4653a043da4655ad467f41f4c939e1c2fbe2fb

  • SSDEEP

    768:vd2nri/EW9z07uyJt99Fc54hHm6Xl+gW7odjLyfR/dnbcuyD7U:vd0rUNv4FS4hG6VBWFdnouy8

Malware Config

Signatures

  • Disables service(s) 3 TTPs
  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Drops file in Drivers directory 1 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 4 IoCs
  • Drops file in System32 directory 2 IoCs
  • UPX packed file 11 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Launches sc.exe 8 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • System Location Discovery: System Language Discovery 1 TTPs 29 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
  • Runs net.exe
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\113de567b602ba220e0b39a41cd6e822_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\113de567b602ba220e0b39a41cd6e822_JaffaCakes118.exe"
    1⤵
    • Adds policy Run key to start application
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Modifies Internet Explorer settings
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2724
    • C:\Windows\SysWOW64\net.exe
      net.exe stop "Security Center"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2652
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "Security Center"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2524
    • C:\Windows\SysWOW64\sc.exe
      sc config wscsvc start= DISABLED
      2⤵
      • Launches sc.exe
      • System Location Discovery: System Language Discovery
      PID:2708
    • C:\Windows\SysWOW64\net.exe
      net.exe stop "Windows Firewall/Internet Connection Sharing (ICS)"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2716
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2568
    • C:\Windows\SysWOW64\sc.exe
      sc config SharedAccess start= DISABLED
      2⤵
      • Launches sc.exe
      • System Location Discovery: System Language Discovery
      PID:2520
    • C:\Users\Admin\AppData\Local\Temp\vo0xz1.exe
      C:\Users\Admin\AppData\Local\Temp\vo0xz1.exe
      2⤵
      • Drops file in Drivers directory
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2656
      • C:\Windows\SysWOW64\net.exe
        net.exe stop "Security Center"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2908
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop "Security Center"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:844
      • C:\Windows\SysWOW64\sc.exe
        sc config wscsvc start= DISABLED
        3⤵
        • Launches sc.exe
        • System Location Discovery: System Language Discovery
        PID:2912
      • C:\Windows\SysWOW64\net.exe
        net.exe stop "Windows Firewall/Internet Connection Sharing (ICS)"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2228
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2688
      • C:\Windows\SysWOW64\sc.exe
        sc config SharedAccess start= DISABLED
        3⤵
        • Launches sc.exe
        • System Location Discovery: System Language Discovery
        PID:2188
      • C:\Users\Admin\AppData\Local\Temp\vo0xz1.exe
        C:\Users\Admin\AppData\Local\Temp\vo0xz1.exe -dBCAF7A9000C71CC3F405597E0D4937C41EC1ADCAE2C2891DEE9E245202E5DF83106D918682FF44247409F06E04032138EAEEA456E99FA988EEDA047DC3B574D2C54616A0091A6ACDC9F49A1B0FF4E302002A4B01354B0CFAF45561175EA98DFBBFF05A54A4BD69C466A9FA9E499C257E68A891B7F1A92C6E96B57C3C0F7F72C42427EE459EAB588B0144F0A711D8CF4164B8A7A78C82C18CA72CD6B754B9AC475902A32984DB908C8FD59EC703A30C927A00FF4CB2A7C4713FC42FAFEAAF05D2027C8B8E2573AC41442864F1FB7A441470DC4A08516A6EE3B0618AF5CD77865005C1F5FE8C488330976AE37318CE1F4B490B786D94E53882913F26A43AC2772F876773DC08902F873CC4FDC6B5F9885A4CD0BBF3EAC8DC70B7F685C3AF17615AECA7D73A236309242712D2A9717AA64DFD318348FF7F52613574681EE8850EBEDA8D3045AD01A92A8E9EC39027C0E314211B82F0C101D3E563AFD0A5E3F4863636BED199B1F4E942E71A71E2F623E96DBE43A9FA5B29D895D38EFD90DD4313FE240B4A8D7E1CE21EE594BEC23AC49F5D1734282E3C041B605C907212528A3D240A9A6BD3
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:992
        • C:\Windows\SysWOW64\net.exe
          net.exe stop "Security Center"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1204
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Security Center"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1984
        • C:\Windows\SysWOW64\sc.exe
          sc config wscsvc start= DISABLED
          4⤵
          • Launches sc.exe
          • System Location Discovery: System Language Discovery
          PID:1144
        • C:\Windows\SysWOW64\net.exe
          net.exe stop "Windows Firewall/Internet Connection Sharing (ICS)"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1964
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:524
        • C:\Windows\SysWOW64\sc.exe
          sc config SharedAccess start= DISABLED
          4⤵
          • Launches sc.exe
          • System Location Discovery: System Language Discovery
          PID:2340
      • C:\Users\Admin\AppData\Local\Temp\vo0xz1.exe
        C:\Users\Admin\AppData\Local\Temp\vo0xz1.exe -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
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1692
        • C:\Windows\SysWOW64\net.exe
          net.exe stop "Security Center"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2760
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Security Center"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:3064
        • C:\Windows\SysWOW64\sc.exe
          sc config wscsvc start= DISABLED
          4⤵
          • Launches sc.exe
          • System Location Discovery: System Language Discovery
          PID:1588
        • C:\Windows\SysWOW64\net.exe
          net.exe stop "Windows Firewall/Internet Connection Sharing (ICS)"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1676
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2768
        • C:\Windows\SysWOW64\sc.exe
          sc config SharedAccess start= DISABLED
          4⤵
          • Launches sc.exe
          • System Location Discovery: System Language Discovery
          PID:2748
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\4wb4y7e22.bat
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2332

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\4wb4y7e22.bat

    Filesize

    218B

    MD5

    8403dc3b6b6b579277425ea932cd85e1

    SHA1

    2544934914b61b56a2a30dd879fbdeeb127c0f98

    SHA256

    823c9292d3e3d560262b43da21b44e2eeea21d3e295b62954f9572338a9cc0c0

    SHA512

    49e6ff322c63d86bd59a50664f408301a44c5cc11ca9e3b926d5d116c9b979b6f308c4098e2fa6ea73b21d1c41c856c90f0fa80382711b25cba298955a377206

  • C:\Users\Admin\AppData\Local\Temp\vo0xz1.exe

    Filesize

    37KB

    MD5

    113de567b602ba220e0b39a41cd6e822

    SHA1

    0c04c9114bce6ece5ff0d024d07428a7180d11e3

    SHA256

    704a0149a7ff05d10390fffe02a658c55b7820d5a8c81142e9d2565b71b91b4d

    SHA512

    555e854a707bac9d8352d047b333eb2cad1be8854fc3b57e80a335ac01ae21dc80f143d2b008e428881bffda6b4653a043da4655ad467f41f4c939e1c2fbe2fb

  • memory/992-31-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

  • memory/992-42-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

  • memory/992-37-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

  • memory/992-34-0x0000000003540000-0x00000000045A2000-memory.dmp

    Filesize

    16.4MB

  • memory/1692-63-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

  • memory/1692-58-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

  • memory/1692-56-0x0000000003400000-0x0000000004462000-memory.dmp

    Filesize

    16.4MB

  • memory/2656-29-0x0000000002BD0000-0x0000000002BFB000-memory.dmp

    Filesize

    172KB

  • memory/2656-35-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

  • memory/2656-26-0x00000000033D0000-0x0000000004432000-memory.dmp

    Filesize

    16.4MB

  • memory/2656-45-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

  • memory/2656-57-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

  • memory/2724-0-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

  • memory/2724-24-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

  • memory/2724-12-0x0000000004100000-0x000000000412B000-memory.dmp

    Filesize

    172KB

  • memory/2724-11-0x0000000004100000-0x000000000412B000-memory.dmp

    Filesize

    172KB

  • memory/2724-3-0x0000000003B70000-0x0000000003EB7000-memory.dmp

    Filesize

    3.3MB