Analysis

  • max time kernel
    94s
  • max time network
    104s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04/10/2024, 13:54

General

  • Target

    139e9a94234891656c1dbbebe1ee981b_JaffaCakes118.exe

  • Size

    68KB

  • MD5

    139e9a94234891656c1dbbebe1ee981b

  • SHA1

    efaf819f9293480b9083a3a7a39ef74c2f73e3be

  • SHA256

    cf1a099fd2e533b225e49d55c45b9276517acd22dd41a56edeb9f2742d298e38

  • SHA512

    929fa0267dc49bfee8764f5f30a000cbd2373e715c9be88bdf0a0c6c8bd33658464f226126cc9565af881b4134d84d8d407005a03949239addfc6e497abda2a5

  • SSDEEP

    1536:k9gswK6mz5xayrETcKa/KGrJWrQpI4OJq3BMVNf+XZWjxg:kPwpmnhrfxSFQeRJq3yVNf+pWdg

Malware Config

Signatures

  • Event Triggered Execution: AppInit DLLs 1 TTPs

    Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.

  • Loads dropped DLL 2 IoCs
  • Unexpected DNS network traffic destination 1 IoCs

    Network traffic to servers other than the configured DNS servers was detected on the DNS port.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Boot or Logon Autostart Execution: Authentication Package 1 TTPs 1 IoCs

    Suspicious Windows Authentication Registry Modification.

  • Drops file in System32 directory 8 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 1 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3404
      • C:\Users\Admin\AppData\Local\Temp\139e9a94234891656c1dbbebe1ee981b_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\139e9a94234891656c1dbbebe1ee981b_JaffaCakes118.exe"
        2⤵
        • Loads dropped DLL
        • Adds Run key to start application
        • Installs/modifies Browser Helper Object
        • Boot or Logon Autostart Execution: Authentication Package
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1856

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Windows\SysWOW64\vegotepa.dll

      Filesize

      68KB

      MD5

      7334d97ee6a3fa8188917de783adbb59

      SHA1

      5efb8ca411e92142aa0ffea9a0ac7450be5c69b5

      SHA256

      2261504d5b13b05e52ad9ffb4df782d1004bb1ae21916683841901daaa5422a3

      SHA512

      44c27821fd336fe6731962dad76f686f7528f6fb1514a2fcfd3b604bcb3a3469d9aa54f1d24837e049cdd2aa008cf2236b8b8fb0ec5a10babe7d1f24cf3cd6e5

    • C:\Windows\SysWOW64\wafetaza

      Filesize

      1KB

      MD5

      4af7ff8164b38f0eb9bf89af1e43e76f

      SHA1

      9a50f8adf6cf4f3738fd8945426e69b5376dfec4

      SHA256

      6824045982bfd6fb50d538efd5eeebc311b6c0ddf4c2d354233604a7b35e17d9

      SHA512

      317c1cf98b91b18a54d0def342638683aa9d240e146488bd06f7395ffead6cb2f5edc5035a3aa274581e672c8253379b07d887c664eee57e80ae7c65219f90e3

    • memory/1856-22-0x0000000000910000-0x000000000092E000-memory.dmp

      Filesize

      120KB

    • memory/1856-0-0x0000000010000000-0x000000001001D8E6-memory.dmp

      Filesize

      118KB

    • memory/1856-19-0x0000000000910000-0x000000000092E000-memory.dmp

      Filesize

      120KB

    • memory/1856-2-0x0000000010000000-0x000000001001D8E6-memory.dmp

      Filesize

      118KB

    • memory/1856-1-0x0000000000910000-0x000000000099F000-memory.dmp

      Filesize

      572KB

    • memory/1856-23-0x0000000000910000-0x000000000092E000-memory.dmp

      Filesize

      120KB

    • memory/1856-24-0x0000000000910000-0x000000000092E000-memory.dmp

      Filesize

      120KB

    • memory/1856-27-0x0000000000910000-0x000000000099F000-memory.dmp

      Filesize

      572KB

    • memory/1856-28-0x0000000010000000-0x000000001001D8E6-memory.dmp

      Filesize

      118KB

    • memory/1856-30-0x0000000000910000-0x000000000092E000-memory.dmp

      Filesize

      120KB

    • memory/1856-32-0x0000000000910000-0x000000000092E000-memory.dmp

      Filesize

      120KB

    • memory/1856-33-0x0000000000910000-0x000000000092D000-memory.dmp

      Filesize

      116KB