Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

3

2e391c25a1...18.exe

windows7-x64

8

2e391c25a1...18.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    148s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    09/10/2024, 08:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2e391c25a113b890b3f4dd5dc81230e5_JaffaCakes118.exe

  • Size

    391KB

  • MD5

    2e391c25a113b890b3f4dd5dc81230e5

  • SHA1

    61537ea107c566eeae6d1a476e0feac67c2c21d8

  • SHA256

    bdbac2f17795626b5f2c7174327e118b212eee9ea7f291113661cf91dd5fb59c

  • SHA512

    708a29e55e0e7962b9e039a7e5205210ea689d3dabf36bd43405d96265cfd4a750975ef7a19f4bfe25df9de2da53be9e150f03d84a8433c1f625cd6380825e5a

  • SSDEEP

    6144:OY9GYX5o45hdzgdfmgFL1yISqsZXj3vjw7a144ghCgOVXlfYfpdhZacivDgr+C:OhmjvdzJgFkdj3rGro1mWcirgb

Score
8/10
adwarebootkitdiscoverypersistencestealer

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 54 IoCs
  • Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

    stealeradware
  • Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Drops file in System32 directory 20 IoCs
  • Drops file in Windows directory 13 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 47 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2e391c25a113b890b3f4dd5dc81230e5_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\2e391c25a113b890b3f4dd5dc81230e5_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Writes to the Master Boot Record (MBR)
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1792
    • C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/4bl4.dll"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2812
    • C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/c6cb.dll"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2792
    • C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/353r.dll"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2808
    • C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/b33o.dll"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2880
    • C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\system32\regsvr32.exe /s "C:\Windows\system32/b33o.dll"
      2⤵
      • Loads dropped DLL
      • Installs/modifies Browser Helper Object
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      PID:2092
    • C:\Windows\SysWOW64\36bd.exe
      C:\Windows\system32/36bd.exe -i
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:2992
    • C:\Windows\SysWOW64\36bd.exe
      C:\Windows\system32/36bd.exe -s
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:2612
    • C:\Users\Admin\AppData\Local\Temp\h8nil4o8\mtv.exe
      C:\Users\Admin\AppData\Local\Temp\h8nil4o8\mtv.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2024
    • C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32 C:\Windows\system32/36be.dll, Always
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:584
  • C:\Windows\SysWOW64\36bd.exe
    C:\Windows\SysWOW64\36bd.exe
    1⤵
    • Drops file in Drivers directory
    • Executes dropped EXE
    • Loads dropped DLL
    • Writes to the Master Boot Record (MBR)
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2020
    • C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32 C:\Windows\system32/36be.dll,Always
      2⤵
      • Loads dropped DLL
      • Writes to the Master Boot Record (MBR)
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      PID:536

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\h8nil4o8\b.dll
    Filesize

    115KB

    MD5

    f4e4aa7a94e1411c7cb0e1e5d52eb1b7

    SHA1

    94cb110206ffcc54c830fc77c99ba5acf412b325

    SHA256

    a7ba7ca8ff82a848139674d88d2ca142bf76d9632abfc984478e0c831305f3a7

    SHA512

    1fd76c71869d5870e9fef0a4a8f7580c01ab2f061dba38cc02f58e58d54ec19b7aadf1ab8c393034e5c82abd0adf754cceb9dc594113c1db1d18f86687d1b0c8

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\h8nil4o8\p.dll
    Filesize

    425KB

    MD5

    337c5831d26704628074da5d71550ac6

    SHA1

    fa60ef4505986ef0abce78b7a5553e8b37e8eb2b

    SHA256

    91d1072d527434771213336a48948cdef264e1fabb7d1af987a14842cb8c9621

    SHA512

    01bd751c3d436da3746a1ff6739d5a01446a501da583ff5fc095a5da82d858524f98de00417584c2f81589b152919568ea2300881e45ef5f31bc8e0ed9bb5dbf

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\h8nil4o8\s.exe
    Filesize

    144KB

    MD5

    3ba03faeee768eec0fb7ebab8c3ede84

    SHA1

    9098cc99395c766487b736b52ca0114ea2d67e82

    SHA256

    59a1f5456aeb7954c13ffcfb096e9aaa61afcabdea4904b4c9e1025fce2e4e3d

    SHA512

    1bcb3a86fcb2388098f4e19083c82d12ed7cabf8a779551c5fc9355881f6bbf4b3d34385d88e5024e7b71aea9a82d169fcce9eebc89b77d0db1c75acd7aeec1f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\ksa4\tmp.exe
    Filesize

    136KB

    MD5

    86dc6028dd39c64b1681892865b33888

    SHA1

    5b11fc34b36e131f31a5fef3c8e320b49963ca98

    SHA256

    fd3eb7acf6bd5eba77d90ea4329aebf6ef5c51a148f167900a251d843fa73d93

    SHA512

    a9205faa705f4667e038c9b0b22321f202bcb10f1264edb3853718c8904c6dc4c21f093cb315f75999374da82f193d3110f9364c8e0ed86d99b41f1a1f4b3263

    Download Submit

  • \Users\Admin\AppData\Local\Temp\h8nil4o8\mtv.exe
    Filesize

    104KB

    MD5

    d81cf0de59a7e8e31f69184902622cc4

    SHA1

    badcdb2b96c0145dba5c3207e2d78e9a292863fa

    SHA256

    901c7c8da35c896b70afcca251536fd6ff50f3915c3dfc5e028c2e43e6577c2a

    SHA512

    5570172ebebcc55c29593a828894b153ba16cf787d5b592a1f20636dcb826922674b824b8c46c4f597f2ccc84f68d25135f87ee7a3af5d8dfe039ab48ae4c4c4

    Download Submit

  • memory/1792-3-0x0000000000260000-0x0000000000262000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1792-2-0x0000000000300000-0x000000000037F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/1792-1-0x0000000000300000-0x000000000037F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/1792-0-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/1792-134-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/2020-155-0x0000000010000000-0x0000000010020000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2020-165-0x0000000010000000-0x0000000010020000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2020-138-0x0000000010000000-0x0000000010020000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2020-140-0x0000000010000000-0x0000000010020000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2020-143-0x0000000010000000-0x0000000010020000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2020-148-0x0000000010000000-0x0000000010020000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2020-150-0x0000000010000000-0x0000000010020000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2020-152-0x0000000010000000-0x0000000010020000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2020-189-0x0000000010000000-0x0000000010020000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2020-157-0x0000000010000000-0x0000000010020000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2020-160-0x0000000010000000-0x0000000010020000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2020-161-0x0000000010000000-0x0000000010020000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2020-163-0x0000000010000000-0x0000000010020000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2020-88-0x0000000010000000-0x0000000010020000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2020-167-0x0000000010000000-0x0000000010020000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2020-169-0x0000000010000000-0x0000000010020000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2020-171-0x0000000010000000-0x0000000010020000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2020-174-0x0000000010000000-0x0000000010020000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2020-173-0x0000000010000000-0x0000000010020000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2020-176-0x0000000010000000-0x0000000010020000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2020-179-0x0000000010000000-0x0000000010020000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2020-178-0x0000000010000000-0x0000000010020000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2020-181-0x0000000010000000-0x0000000010020000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2020-182-0x0000000010000000-0x0000000010020000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2020-185-0x0000000010000000-0x0000000010020000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2092-62-0x0000000010000000-0x0000000010020000-memory.dmp

    Filesize

    128KB

    Download