
Analysis

  • max time kernel
    93s
  • max time network
    98s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05/10/2024, 03:34 UTC

General

  • Target

    16006fc004311e4f0e2998b79aef3b8b_JaffaCakes118.exe

  • Size

    186KB

  • MD5

    16006fc004311e4f0e2998b79aef3b8b

  • SHA1

    01c4bac22fed4ec60fe07c964d77e4a29fe50bd8

  • SHA256

    58524944709f5765b585b156f9d533b822ded799461fc72285785088f3b8fe8b

  • SHA512

    7daa7043475710a1791177d05bbbfe4922718df022bd8cf98e4708bcc17fdc39f42aeca82ec070ba196fa6c3f8e7eba6d924853e0d6b8a4a183260dde864c835

  • SSDEEP

    3072:woy8j7VnNdrPHaSekwi+mW+2JUoZsZloutnaWo6eSEcfNte4lyArDcoWwVK:g8jZ7rvaU3+mWrnZWloSnaWld11Q4lVG

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Extracted

Family

latentbot

C2

lacamora1997.zapto.org

Signatures

  • LatentBot

    Modular trojan written in Delphi which has been in the wild since 2013.

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

  • Modifies firewall policy service (3 TTPs, 3 IoCs)
  • Sality

    Sality is a backdoor written in C++, first discovered in 2003.

  • UAC bypass (3 TTPs, 2 IoCs)
  • Windows security bypass (2 TTPs, 6 IoCs)
  • ModiLoader Second Stage (3 IoCs)
  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up the country code configured in the registry, likely for geofencing.

  • Deletes itself (1 IoC)
  • Executes dropped EXE (1 IoC)
  • Loads dropped DLL (4 IoCs)
  • Windows security modification (2 TTPs, 7 IoCs)
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Checks whether UAC is enabled (1 TTP, 4 IoCs)
  • UPX packed file (19 IoCs)

    Detects executables packed with UPX or a modified build of the open-source UPX packer.

  • Drops file in Windows directory (6 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (17 IoCs)
  • Suspicious use of SetWindowsHookEx (2 IoCs)
  • Suspicious use of WriteProcessMemory (19 IoCs)
  • System policy modification (1 TTP, 2 IoCs)
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

Top-level processes (all pre-existing system processes except where noted); children are indented under their parent.

  • C:\Windows\system32\fontdrvhost.exe
    "fontdrvhost.exe"
    PID:800

  • C:\Windows\system32\fontdrvhost.exe
    "fontdrvhost.exe"
    PID:808

  • C:\Windows\system32\dwm.exe
    "dwm.exe"
    PID:384

  • C:\Windows\system32\sihost.exe
    sihost.exe
    PID:2652

  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
    PID:2664

  • C:\Windows\system32\taskhostw.exe
    taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
    PID:2776

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    PID:3464

    • C:\Users\Admin\AppData\Local\Temp\16006fc004311e4f0e2998b79aef3b8b_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\16006fc004311e4f0e2998b79aef3b8b_JaffaCakes118.exe"
      PID:1256
      Signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Checks computer location settings; Windows security modification; Checks whether UAC is enabled; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification

      • C:\Windows\mstwain32.exe
        "C:\Windows\mstwain32.exe" \melt "C:\Users\Admin\AppData\Local\Temp\16006fc004311e4f0e2998b79aef3b8b_JaffaCakes118.exe"
        PID:3740
        Signatures: UAC bypass; Deletes itself; Executes dropped EXE; Loads dropped DLL; Adds Run key to start application; Checks whether UAC is enabled; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; System policy modification

  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
    PID:3644

  • C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    PID:3848

  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    PID:3940

  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    PID:4004

  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    PID:1120

  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    PID:3692

  • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
    "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
    PID:880

  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    PID:4856

  • C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{F32D97DF-E3E5-4CB9-9E3E-0EB5B4E49801}
    PID:1404

  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    PID:1432
    Signatures: Suspicious use of AdjustPrivilegeToken
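The process tree above shows a classic self-copy "melt": the sample (PID 1256) runs from the user's Temp directory, the dropped C:\Windows\mstwain32.exe has exactly the same size and hashes as the sample, and it is started with the original's path as an argument (the "Deletes itself" signature fires on the copy). The following detector is an added example written for this page, not tria.ge output or code from the sample. It keys on two facts visible in the report rather than on the literal "\melt" switch, so it also catches variants that use a different or no switch: the child's image hashes identical to its parent's image while living at a different path, and the parent's own image path appears verbatim among the child's arguments. Paths, PIDs and the SHA256 are taken from the report; the event records are constructed to mirror it, the field layout is an assumption, and Explorer's image hash is set to None because the report does not record it.

```python
"""Flag a child process that is a byte-identical copy of its parent and is
handed the parent's path as an argument (the "melt" self-copy pattern)."""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str              # full path of the executing image
    cmdline: str            # command line as logged
    sha256: Optional[str]   # hash of the image file on disk; None if not recorded


# Values from the report: the submitted sample and C:\Windows\mstwain32.exe share this SHA256.
SAMPLE_SHA256 = "58524944709f5765b585b156f9d533b822ded799461fc72285785088f3b8fe8b"
SAMPLE_PATH = r"C:\Users\Admin\AppData\Local\Temp\16006fc004311e4f0e2998b79aef3b8b_JaffaCakes118.exe"
COPY_PATH = r"C:\Windows\mstwain32.exe"

# Constructed events mirroring the report's process tree (schema is an assumption).
EVENTS = [
    ProcEvent(3464, 0, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE", None),
    ProcEvent(1256, 3464, SAMPLE_PATH, f'"{SAMPLE_PATH}"', SAMPLE_SHA256),
    ProcEvent(3740, 1256, COPY_PATH, f'"{COPY_PATH}" \\melt "{SAMPLE_PATH}"', SAMPLE_SHA256),
    # Benign control from the same tree: a service host whose arguments never name its parent.
    ProcEvent(2664, 0, r"C:\Windows\system32\svchost.exe",
              r"C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc", None),
]

# Either a double-quoted token (quotes stripped) or a run of non-whitespace.
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def split_cmdline(cmdline: str) -> list[str]:
    """Split a Windows command line into tokens, honouring double quotes."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]


def find_melt(events: list[ProcEvent]) -> list[dict]:
    """Return one hit per child that is a self-copy of its parent and names the parent's path."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for child in events:
        parent = by_pid.get(child.ppid)
        if parent is None:
            continue
        args = split_cmdline(child.cmdline)[1:]          # drop argv[0]
        names_parent = any(a.lower() == parent.image.lower() for a in args)
        self_copy = (child.sha256 is not None
                     and child.sha256 == parent.sha256
                     and child.image.lower() != parent.image.lower())
        if names_parent and self_copy:
            hits.append({
                "pid": child.pid,
                "copy": child.image,
                "original": parent.image,
                # The path the copy was handed is the file we expect to see deleted next.
                "expect_deleted": parent.image,
            })
    return hits


if __name__ == "__main__":
    for hit in find_melt(EVENTS):
        print(f"PID {hit['pid']}: {hit['copy']} is a self-copy of {hit['original']}; "
              f"expect {hit['expect_deleted']} to be deleted")
```

Hash equality is what separates this from a legitimate installer that launches a helper with the installer's path: an updater that is a different binary does not match. In production the image hash would come from the process-creation telemetry (Sysmon Event ID 1 carries it) rather than from a constant, and the follow-up check is a file-delete event for the "expect_deleted" path shortly after the child starts.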

Network

DNS (all queries sent to 8.8.8.8:53). Only the A lookup for lacamora1997.zapto.org is attributed by the report to one of the sample's processes (mstwain32.exe); the reverse (PTR) lookups carry no process attribution. Byte counts are request/response sizes; every query received exactly one response.

  • lacamora1997.zapto.org, IN A, process: mstwain32.exe, response: empty, 68 B / 128 B
  • 196.249.167.52.in-addr.arpa, IN PTR, response: empty, 73 B / 147 B
  • 75.159.190.20.in-addr.arpa, IN PTR, response: empty, 72 B / 158 B
  • 95.221.229.192.in-addr.arpa, IN PTR, response: empty, 73 B / 144 B
  • 28.118.140.52.in-addr.arpa, IN PTR, response: empty, 72 B / 158 B
  • 149.220.183.52.in-addr.arpa, IN PTR, response: empty, 73 B / 147 B
  • 200.163.202.172.in-addr.arpa, IN PTR, response: empty, 74 B / 160 B
  • 241.42.69.40.in-addr.arpa, IN PTR, response: empty, 71 B / 145 B
  • 88.210.23.2.in-addr.arpa, IN PTR, response: a2-23-210-88.deploy.static.akamaitechnologies.com, 70 B / 133 B
  • 23.236.111.52.in-addr.arpa, IN PTR, response: empty, 72 B / 158 B

No TCP/HTTP connections were recorded; the extracted Sality C2 URLs above were not contacted during the 98 s network window.

                                  MITRE ATT&CK Enterprise v15


Downloads

Dropped files

  • C:\Windows\cmsetac.dll
    Filesize: 33KB
    MD5: 7c3ff4d4d394fde7c693d04c488a55f8
    SHA1: ae2b2acc7e91a910f9075e0e095b528e97827ba4
    SHA256: 4878bf71fd37ffac1fd6f5153357298544d0ef1f3a114c1f0451befcb85c59a8
    SHA512: 33c601d9e706cff0c3dce8280b040c361aa51004fd20b51946469b6a02453def5a7aad1e5f58bec3435cc6e25470155d07f71dc0f81ec642efc53215d7be316a

  • C:\Windows\mstwain32.exe (same size and hashes as the submitted sample, i.e. a byte-identical self-copy)
    Filesize: 186KB
    MD5: 16006fc004311e4f0e2998b79aef3b8b
    SHA1: 01c4bac22fed4ec60fe07c964d77e4a29fe50bd8
    SHA256: 58524944709f5765b585b156f9d533b822ded799461fc72285785088f3b8fe8b
    SHA512: 7daa7043475710a1791177d05bbbfe4922718df022bd8cf98e4708bcc17fdc39f42aeca82ec070ba196fa6c3f8e7eba6d924853e0d6b8a4a183260dde864c835

  • C:\Windows\ntdtcstp.dll
    Filesize: 7KB
    MD5: 67587e25a971a141628d7f07bd40ffa0
    SHA1: 76fcd014539a3bb247cc0b761225f68bd6055f6b
    SHA256: e6829866322d68d5c5b78e3d48dcec70a41cdc42c6f357a44fd329f74a8b4378
    SHA512: 6e6de7aa02c48f8b96b06e5f1160fbc5c95312320636e138cc997ef3362a61bc50ec03db1f06292eb964cd71915ddb2ec2eb741432c7da44215a4acbb576a350

Memory dumps (name format: memory/<PID>-<snapshot index>-<start>-<end>-memory.dmp)

  PID 1256 (sample):
  • memory/1256-16-0x0000000003B90000-0x0000000003B92000-memory.dmp, 8KB
  • memory/1256-44-0x0000000000400000-0x0000000000463000-memory.dmp, 396KB
  • memory/1256-9-0x0000000002380000-0x000000000343A000-memory.dmp, 16.7MB
  • memory/1256-5-0x0000000002380000-0x000000000343A000-memory.dmp, 16.7MB
  • memory/1256-4-0x0000000002380000-0x000000000343A000-memory.dmp, 16.7MB
  • memory/1256-14-0x0000000002380000-0x000000000343A000-memory.dmp, 16.7MB
  • memory/1256-18-0x0000000002380000-0x000000000343A000-memory.dmp, 16.7MB
  • memory/1256-15-0x0000000002380000-0x000000000343A000-memory.dmp, 16.7MB
  • memory/1256-19-0x0000000002380000-0x000000000343A000-memory.dmp, 16.7MB
  • memory/1256-20-0x0000000003B90000-0x0000000003B92000-memory.dmp, 8KB
  • memory/1256-17-0x00000000046C0000-0x00000000046C1000-memory.dmp, 4KB
  • memory/1256-0-0x0000000000400000-0x0000000000463000-memory.dmp, 396KB
  • memory/1256-6-0x0000000002380000-0x000000000343A000-memory.dmp, 16.7MB
  • memory/1256-7-0x0000000002380000-0x000000000343A000-memory.dmp, 16.7MB
  • memory/1256-2-0x00007FF9632D0000-0x00007FF9634C5000-memory.dmp, 2.0MB
  • memory/1256-30-0x0000000003B90000-0x0000000003B92000-memory.dmp, 8KB
  • memory/1256-33-0x0000000002380000-0x000000000343A000-memory.dmp, 16.7MB
  • memory/1256-1-0x0000000002380000-0x000000000343A000-memory.dmp, 16.7MB

  PID 3740 (mstwain32.exe):
  • memory/3740-52-0x00007FF9632D0000-0x00007FF9634C5000-memory.dmp, 2.0MB
  • memory/3740-56-0x0000000003260000-0x000000000326E000-memory.dmp, 56KB
  • memory/3740-32-0x0000000000400000-0x0000000000463000-memory.dmp, 396KB
  • memory/3740-59-0x00007FF9632D0000-0x00007FF9634C5000-memory.dmp, 2.0MB
  • memory/3740-60-0x0000000000400000-0x0000000000463000-memory.dmp, 396KB
  • memory/3740-64-0x0000000003260000-0x000000000326E000-memory.dmp, 56KB
  • memory/3740-69-0x00000000033C0000-0x000000000447A000-memory.dmp, 16.7MB
  • memory/3740-61-0x00000000033C0000-0x000000000447A000-memory.dmp, 16.7MB
  • memory/3740-68-0x0000000000400000-0x0000000000463000-memory.dmp, 396KB
  • memory/3740-63-0x0000000000870000-0x0000000000878000-memory.dmp, 32KB

Both processes map the same 396KB image at 0x400000 (the UPX-packed executable) and the same 16.7MB private region (0x2380000 in PID 1256, 0x33C0000 in PID 3740); the 0x400000 dumps are the ones to unpack for static analysis.
