Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

3

4161be02a8...18.exe

windows7-x64

8

4161be02a8...18.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    149s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13/10/2024, 18:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4161be02a8851d5d6e998c26484cf32c_JaffaCakes118.exe

  • Size

    1.7MB

  • MD5

    4161be02a8851d5d6e998c26484cf32c

  • SHA1

    975f84b0af0acbcdfd162412debff0ad0acbccf2

  • SHA256

    d9a61b60685a682cbb1687fd6700cffc9ce9d97520abedec34ef7510364f1d2f

  • SHA512

    c8f8b4b9f904187662cb1b7a5fc038e87576143f636b33f481fb14da9619657bc2f784a16f4d1ef245e0790e152b8959000bfabced60ddbe3afebf9999212de8

  • SSDEEP

    6144:DX5BL26jUkbAzL44Xn095y7pdUn0PS3qnfMFad1SyeY0MIXh4r8gpVj:DzLNUbQ4k9M7HOV3in05aFp

Score
8/10
adwarediscoverypersistencespywarestealer

Malware Config

Signatures

  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 8 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

    stealeradware
  • Drops file in System32 directory 14 IoCs
  • Program crash 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 9 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 49 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • Views/modifies file attributes 1 TTPs 4 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\4161be02a8851d5d6e998c26484cf32c_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\4161be02a8851d5d6e998c26484cf32c_JaffaCakes118.exe"
    1⤵
    • Adds policy Run key to start application
    • Boot or Logon Autostart Execution: Active Setup
    • Adds Run key to start application
    • Installs/modifies Browser Helper Object
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:728
    • C:\Users\Admin\AppData\Local\Temp\msmonobj.exe
      "C:\Users\Admin\AppData\Local\Temp\msmonobj.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:32
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4E01.tmp.cmd "C:\Users\Admin\AppData\Local\Temp\msmonobj.exe""
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1212
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:916
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\msmonobj.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:4904
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:3748
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\msmonobj.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:5084
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:1432
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\msmonobj.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:1296
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:3256
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\msmonobj.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:3968
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 32 -s 928
        3⤵
        • Program crash
        PID:1300
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 32 -s 936
        3⤵
        • Program crash
        PID:5108
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 32 -s 944
        3⤵
        • Program crash
        PID:2516
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 32 -ip 32
    1⤵
      PID:4024
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 32 -ip 32
      1⤵
        PID:1860
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 32 -ip 32
        1⤵
          PID:760

        Network

        MITRE ATT&CK Enterprise v15

        Reconnaissance

        Resource Development

        Initial Access

        Execution

        Persistence

        Boot or Logon Autostart Execution

        3
        T1547

        Active Setup

        1
        T1547.014

        Registry Run Keys / Startup Folder

        2
        T1547.001

        Browser Extensions

        1
        T1176

        Privilege Escalation

        Boot or Logon Autostart Execution

        3
        T1547

        Active Setup

        1
        T1547.014

        Registry Run Keys / Startup Folder

        2
        T1547.001

        Defense Evasion

        Hide Artifacts

        1
        T1564

        Hidden Files and Directories

        1
        T1564.001

        Modify Registry

        4
        T1112

        Credential Access

        Credentials from Password Stores

        1
        T1555

        Credentials from Web Browsers

        1
        T1555.003

        Unsecured Credentials

        1
        T1552

        Credentials In Files

        1
        T1552.001

        Discovery

        Query Registry

        1
        T1012

        System Location Discovery

        1
        T1614

        System Language Discovery

        1
        T1614.001

        Lateral Movement

        Collection

        Data from Local System

        1
        T1005

        Command and Control

        Exfiltration

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\4E01.tmp.cmd
          Filesize

          168B

          MD5

          e7efc2c945a798b4dab3fe50f1524592

          SHA1

          0bb937ccd89e40c91c0e58b376873ef909fe805b

          SHA256

          624acac79fdcfe30592f5321b4ab73d360f393dbcdbe8daa50fcce63c710f5dc

          SHA512

          e75840979404587aa15fd4d1e46707c33e32dca086ca72c7666045e14191e29857d06dc8ba737e69925c71b2e2d6a5ee3b63c36ecd2f32ae515f85a985d8f257

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\D5CE.tmp
          Filesize

          18KB

          MD5

          76e434830215fd9c77eb7f57969e7b1e

          SHA1

          24f408df8d616f0d3f2cf301e096931bdb3c0849

          SHA256

          29495b02e7293660b561f0af91d1d9a0f252741bfa3e29fa1173108672a9f381

          SHA512

          76c9cfdda594f57115a93dc714df9ecce90d848ad639cd6f8ce60690264869ba54f748f3ade43ad899802bd2698a4a5440f38dbfb8fe786e55b86539a5873166

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\D5CF.tmp
          Filesize

          139KB

          MD5

          0bbe5d253842b597c685769485bd4852

          SHA1

          1c884ec06124288cf85911478a7e40907988ceb1

          SHA256

          0ffed317a85156a9eaf2c38131d87b5656ff21d7a375862c5c0e4c469dce899c

          SHA512

          ec9342ea78398362209f7524610b540f7caf974f35ea9852aa66ab77382cb5586d1f83527592103b09c9f4e83b272116c3d7f161fe726ea6c212a04e5dbdec17

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\D5D0.tmp
          Filesize

          43KB

          MD5

          66ab2b713d1503b7cb257e7a92c570b1

          SHA1

          2ac583f5b9eb395b861d03830776ac0f103acc67

          SHA256

          fc1e056d5ae7c327340e8e7c2e50af901a41a75e4bcb084d519c2d6a6d0448aa

          SHA512

          6c5ba12b717942a6f1d943d65ebf22b00533b789ccde8b8373bd20e15885f5380eb5fca75d55df8519327e40edbbcc2176a50880f5fb2265106e691849302083

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\advsec32.dll
          Filesize

          4KB

          MD5

          3adea70969f52d365c119b3d25619de9

          SHA1

          d303a6ddd63ce993a8432f4daab5132732748843

          SHA256

          c9f5a19c7b11fd866483adc93aa5bc4bd3515bd995ca79297b227e3e5ef1a665

          SHA512

          c4d836fcbdab4c859a6fc0f849d1e41e98c7e23fc0fe0fe0a09cb68e9a57d60b2ae9ad46762d7a5e05db28d6179bd431ef179ee1f9ff016db74cc3b1d74ed7f8

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\msmonobj.exe
          Filesize

          400KB

          MD5

          704381812f4cc3c5b3875ea33232c842

          SHA1

          a74eceea45207a6b46f461d436b73314b2065756

          SHA256

          a7b230593aa43c701c30862d3054b4510ed1dea1fd5f219b1c3bc11321bab73b

          SHA512

          6796b778b9cd781beac25b7a6a3e8c5af86afd3c30b08e3cae4895f35f400b0e65b7422a9c6e6026d67c093022932829961a1a6d6ec966fd895cc24a2083643e

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          Filesize

          18KB

          MD5

          b3624dd758ccecf93a1226cef252ca12

          SHA1

          fcf4dad8c4ad101504b1bf47cbbddbac36b558a7

          SHA256

          4aaa74f294c15aeb37ada8185d0dead58bd87276a01a814abc0c4b40545bf2ef

          SHA512

          c613d18511b00fa25fc7b1bdde10d96debb42a99b5aaab9e9826538d0e229085bb371f0197f6b1086c4f9c605f01e71287ffc5442f701a95d67c232a5f031838

          Download Submit

        • C:\Windows\SysWOW64\usburlcms.exe
          Filesize

          1.7MB

          MD5

          4161be02a8851d5d6e998c26484cf32c

          SHA1

          975f84b0af0acbcdfd162412debff0ad0acbccf2

          SHA256

          d9a61b60685a682cbb1687fd6700cffc9ce9d97520abedec34ef7510364f1d2f

          SHA512

          c8f8b4b9f904187662cb1b7a5fc038e87576143f636b33f481fb14da9619657bc2f784a16f4d1ef245e0790e152b8959000bfabced60ddbe3afebf9999212de8

          Download Submit

        • memory/32-206-0x0000000000410000-0x0000000000420000-memory.dmp

          Filesize

          64KB

          Download

        • memory/32-205-0x0000000008780000-0x00000000087AA000-memory.dmp

          Filesize

          168KB

          Download

        • memory/32-208-0x0000000000400000-0x00000000022AB000-memory.dmp

          Filesize

          30.7MB

          Download

        • memory/32-209-0x0000000008780000-0x00000000087AA000-memory.dmp

          Filesize

          168KB

          Download

        • memory/32-210-0x0000000000410000-0x0000000000420000-memory.dmp

          Filesize

          64KB

          Download

        • memory/32-207-0x0000000000400000-0x0000000000410000-memory.dmp

          Filesize

          64KB

          Download

        • memory/32-27-0x0000000000400000-0x00000000022AB000-memory.dmp

          Filesize

          30.7MB

          Download

        • memory/32-222-0x0000000000400000-0x000000000042A000-memory.dmp

          Filesize

          168KB

          Download

        • memory/32-223-0x0000000000410000-0x0000000000420000-memory.dmp

          Filesize

          64KB

          Download