Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

7

2748a6ddc4...18.exe

windows7-x64

7

2748a6ddc4...18.exe

windows10-2004-x64

7

$PLUGINSDI...ig.dll

windows7-x64

3

$PLUGINSDI...ig.dll

windows10-2004-x64

3

$PLUGINSDI...dl.dll

windows7-x64

3

$PLUGINSDI...dl.dll

windows10-2004-x64

3

$PLUGINSDI...el.dll

windows7-x64

7

$PLUGINSDI...el.dll

windows10-2004-x64

7

$PLUGINSDIR/UAC.dll

windows7-x64

3

$PLUGINSDIR/UAC.dll

windows10-2004-x64

3

$PLUGINSDIR/fct.dll

windows7-x64

3

$PLUGINSDIR/fct.dll

windows10-2004-x64

3

$PLUGINSDI...ss.dll

windows7-x64

3

$PLUGINSDI...ss.dll

windows10-2004-x64

3

FineTop.dll

windows7-x64

6

FineTop.dll

windows10-2004-x64

6

FineTop.exe

windows7-x64

6

FineTop.exe

windows10-2004-x64

6

adc.dll

windows7-x64

3

adc.dll

windows10-2004-x64

3

Analysis

  • max time kernel
    150s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    08/10/2024, 23:49 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2748a6ddc425bf3abc087daadb3704f2_JaffaCakes118.exe

  • Size

    266KB

  • MD5

    2748a6ddc425bf3abc087daadb3704f2

  • SHA1

    17f117b4d73fc5a110fac8e34f39312fc5010b5a

  • SHA256

    4fcda09ac8e90aaf0daa6b200ddd0a69fdc3deaa82eae60016342f289e694035

  • SHA512

    3f748c25b3a593b2e98d21356e2faa6a7c9d25d3fea25f45fd5013fb8928c152f977181aef3952f9b739955eeb2368a859fcad351f13498ae22207ef40a4d525

  • SSDEEP

    6144:MH1JGf75+ZPPfnE2Qyn20U65ibYMYC/gMXG6lCHB75+ZPPfnE2Qyn20UQ:c10fF+ZPPfnEUnNwMhF+ZPPfnEUnT

Score
7/10
adwarediscoverypersistencestealerupx

Malware Config

Signatures

  • ACProtect 1.3x - 1.4x DLL software 2 IoCs

    Detects file using ACProtect software.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 11 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

    stealeradware
  • Suspicious use of SetThreadContext 1 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of SetWindowsHookEx 64 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2748a6ddc425bf3abc087daadb3704f2_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\2748a6ddc425bf3abc087daadb3704f2_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2148
    • C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\system32\regsvr32.exe /s "C:\Program Files (x86)\FineTop\FineTop.dll"
      2⤵
      • Loads dropped DLL
      • Installs/modifies Browser Helper Object
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Modifies registry class
      PID:2836
    • C:\Program Files (x86)\FineTop\FineTop.exe
      "C:\Program Files (x86)\FineTop\FineTop.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2120
      • C:\Windows\SysWOW64\regsvr32.exe
        regsvr32 /s "C:\Program Files (x86)\FineTop\FineTop.dll"
        3⤵
        • Loads dropped DLL
        • Installs/modifies Browser Helper Object
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Modifies registry class
        PID:2092
    • C:\Windows\SysWOW64\explorer.exe
      C:\Windows\system32\explorer.exe
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2552

Network

  • flag-us
    DNS
    finetop.topguide.co.kr
    FineTop.exe
    Remote address:
    8.8.8.8:53
    Request
    finetop.topguide.co.kr
    IN A
    Response
  • flag-us
    DNS
    finetop.topguide.co.kr
    FineTop.exe
    Remote address:
    8.8.8.8:53
    Request
    finetop.topguide.co.kr
    IN A
    Response
No results found
  • 8.8.8.8:53
    finetop.topguide.co.kr
    dns
    FineTop.exe
    68 B
     130 B
     1
    1

    DNS Request

    finetop.topguide.co.kr

  • 8.8.8.8:53
    finetop.topguide.co.kr
    dns
    FineTop.exe
    68 B
     130 B
     1
    1

    DNS Request

    finetop.topguide.co.kr

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\FineTop\FineTop.dll
    Filesize

    130KB

    MD5

    82a6904974f4f20c147fce776663b1b0

    SHA1

    eee8e0a93cb1be3dcfef2699f154f0881e68dda4

    SHA256

    407a5ed628dbd6f1c2cea2276b4ea98f053160dd6f5ee3007dcbad02382a1a77

    SHA512

    50dfb3c8e67e1ef794f3dd1b4caaa515bfe342e17e4bb73dd2b1e58a2ac61e327bed2395c1f36d8f2a69de8c5a73ce03eda03a9c0c5515b5965191edfb22c005

    Download Submit

  • C:\Program Files (x86)\FineTop\adc.acc
    Filesize

    28KB

    MD5

    72b966950a0f53df4ce2fdb19679c3c6

    SHA1

    ccfff4ecc68608a6231e75e175d2aeba62d37fa5

    SHA256

    aa3c21a88e93709f149284cc17a37439d3f7f90b785119fee5ef330902718b65

    SHA512

    84149a210748bc45f02d7f5e12b37e91eba44500d7222efaa46228b1330ffe0dfc1efbb612a67a562ddffc3048ba5d67426b739ac950e8da27f0ee9e86707e33

    Download Submit

  • \Program Files (x86)\FineTop\FineTop.exe
    Filesize

    42KB

    MD5

    61c81941b91b1d502971bd42a29806a1

    SHA1

    72ee7b2fb665f01415a00267cbc1a5d385d1f0cf

    SHA256

    6e0d4e65b147d69b249c40c1f9cc5ea82ae3179777bd25462eef3449d3bbbdb8

    SHA512

    0583df8495ed3c252713bfa2b0b38b9a2aac8ce22ed5e50e42cf5a7d94e903e605614a5ab507a0b10497f434759c945eec7ae1f124f530fe3d488f4ec661de7f

    Download Submit

  • \Users\Admin\AppData\Local\Temp\nsjD950.tmp\IpConfig.dll
    Filesize

    114KB

    MD5

    a3ed6f7ea493b9644125d494fbf9a1e6

    SHA1

    ebeee67fb0b5b3302c69f47c5e7fca62e1a809d8

    SHA256

    ec0f85f8a9d6b77081ba0103f967ef6705b547bf27bcd866d77ac909d21a1e08

    SHA512

    7099e1bc78ba5727661aa49f75523126563a5ebccdff10cabf868ce5335821118384825f037fbf1408c416c0212aa702a5974bc54d1b63c9d0bcade140f9aae1

    Download Submit

  • \Users\Admin\AppData\Local\Temp\nsjD950.tmp\NSISdl.dll
    Filesize

    14KB

    MD5

    a5f8399a743ab7f9c88c645c35b1ebb5

    SHA1

    168f3c158913b0367bf79fa413357fbe97018191

    SHA256

    dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9

    SHA512

    824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977

    Download Submit

  • \Users\Admin\AppData\Local\Temp\nsjD950.tmp\SelfDel.dll
    Filesize

    4KB

    MD5

    7cff7fe2caea5184d98c147e7e263132

    SHA1

    21f39d3d0dd5f7198d67ef30e95d10ae3460093e

    SHA256

    281c39b733579e031c62bdd247b41543ece1fe3bd6eda26fc8ad474b10f33101

    SHA512

    fb1161b8571d1d0c67e2df0d571b08f5e7a73f81409aed847344154d02406910629181bcce4e18e998ec472f51a6a1b40d956a010abdd10e850413aafa87808a

    Download Submit

  • \Users\Admin\AppData\Local\Temp\nsjD950.tmp\UAC.dll
    Filesize

    13KB

    MD5

    29858669d7da388d1e62b4fd5337af12

    SHA1

    756b94898429a9025a04ae227f060952f1149a5f

    SHA256

    c24c005daa7f5578c4372b38d1be6be5e27ef3ba2cdb9b67fee15cac406eba62

    SHA512

    6f4d538f2fe0681f357bab73f633943c539ddc1451efa1d1bb76d70bb47aa68a05849e36ae405cc4664598a8194227fa7053de6dbce7d6c52a20301293b3c85f

    Download Submit

  • \Users\Admin\AppData\Local\Temp\nsjD950.tmp\fct.dll
    Filesize

    4KB

    MD5

    e3f3809f51c7982d96aaf9c090f7d176

    SHA1

    7494daa8000c0b31c58d94edc509232569a4606f

    SHA256

    010f5e0c69b4a630b08b2551e03d8044a33350f151848dcf50953407012fab29

    SHA512

    3fca284e384abc95201dc73f19bd9d75413e8890e819967070b9d9991115be2a8c17e07bd1aaaffcbc770b393bf9a2af253100ac4d9efba8d21110bac97737fc

    Download Submit

  • \Users\Admin\AppData\Local\Temp\nsjD950.tmp\nsProcess.dll
    Filesize

    4KB

    MD5

    05450face243b3a7472407b999b03a72

    SHA1

    ffd88af2e338ae606c444390f7eaaf5f4aef2cd9

    SHA256

    95fe9d92512ff2318cc2520311ef9145b2cee01209ab0e1b6e45c7ce1d4d0e89

    SHA512

    f4cbe30166aff20a226a7150d93a876873ba699d80d7e9f46f32a9b4753fa7966c3113a3124340b39ca67a13205463a413e740e541e742903e3f89af5a53ad3b

    Download Submit

  • memory/2148-34-0x0000000002980000-0x00000000029A6000-memory.dmp

    Filesize

    152KB

    Download

  • memory/2148-0-0x0000000000400000-0x0000000000446000-memory.dmp

    Filesize

    280KB

    Download

  • memory/2148-50-0x0000000074860000-0x0000000074869000-memory.dmp

    Filesize

    36KB

    Download

  • memory/2148-67-0x0000000000400000-0x0000000000446000-memory.dmp

    Filesize

    280KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.