Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64
    arch:x86
    image:win7-20240729-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    12/10/2024, 00:32

General

  • Target

    37967ba44e377bf383060738917471b5_JaffaCakes118.exe

  • Size

    66KB

  • MD5

    37967ba44e377bf383060738917471b5

  • SHA1

    08cb7cc4753e877636ceb0a07746ecc5e4aeb8da

  • SHA256

    9cb1c40e2895ed31ddf84be6be358d7c93cccc8678bf42638804562fb084a28e

  • SHA512

    7d829e4348db29f3db9eca0c9504e76e5f2345423e11baa78f6aa04e1a96d007c739e257b32d8f5e919e88a541c5be93af571a96b8da7334156130dc79b371ee

  • SSDEEP

    768:Vi7LZZ0i4fshf0hM7KXW+ekxLx5E+5dw9r47bWAtx/Yj60qyDpVXcrQVFnjOqE7L:snZaW+XBnd/x5dw9etx/YjOO/srQT

Malware Config

Signatures

  • Modifies firewall policy service 3 TTPs 2 IoCs
  • Modifies Windows Firewall 2 TTPs 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Modifies WinLogon 2 TTPs 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\37967ba44e377bf383060738917471b5_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\37967ba44e377bf383060738917471b5_JaffaCakes118.exe"
    1⤵
    • Modifies firewall policy service
    • Adds Run key to start application
    • Modifies WinLogon
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2264
    • C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\miiwlon.dll",miiwlon C:\Users\Admin\AppData\Local\Temp\37967ba44e377bf383060738917471b5_JaffaCakes118.exe
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:1364
    • C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Rundll32" dir=out action=allow protocol=any program="C:\Windows\system32\rundll32.exe"
      2⤵
      • Modifies Windows Firewall
      • Event Triggered Execution: Netsh Helper DLL
      • System Location Discovery: System Language Discovery
      PID:3044
    • C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Rundll32" dir=in action=allow protocol=any program="C:\Windows\system32\rundll32.exe"
      2⤵
      • Modifies Windows Firewall
      • Event Triggered Execution: Netsh Helper DLL
      • System Location Discovery: System Language Discovery
      PID:2708

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\miiwlon.dll

    Filesize

    17KB

    MD5

    81c4f37886cfc9673ff4b63b75906d2a

    SHA1

    56d6763b53c241e12859d32160a179951209f718

    SHA256

    d9b9b6b50a4f99fc4fa01569b90043564d4d0ec2d2326d555c82e88be072bca1

    SHA512

    068cd015107336918d05df3a9970b3f77e36fb4776fd31304e7cac709d826058613e1f3660e2e05cde7d188e5e34241f8f87f70adb192c6ff20c0f27efd2590d