Analysis
- max time kernel: 120s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 18/10/2024, 03:14
Static task
- static1

Behavioral tasks (task: sample, resource)
- behavioral1: 552ccebe1ceb972e667a506d15305095_JaffaCakes118.exe, win7-20241010-en
- behavioral2: 552ccebe1ceb972e667a506d15305095_JaffaCakes118.exe, win10v2004-20241007-en
- behavioral3: $0/uninstall.exe, win7-20240903-en
- behavioral4: $0/uninstall.exe, win10v2004-20241007-en
- behavioral5: $PLUGINSDIR/InstallOptions.dll, win7-20241010-en
- behavioral6: $PLUGINSDIR/InstallOptions.dll, win10v2004-20241007-en
- behavioral7: $PLUGINSDIR/System.dll, win7-20240729-en
- behavioral8: $PLUGINSDIR/System.dll, win10v2004-20241007-en
- behavioral9: $0/zwankysearch.dll, win7-20240903-en
- behavioral10: $0/zwankysearch.dll, win10v2004-20241007-en
- behavioral11: $0/zwankysearch.exe, win7-20241010-en
- behavioral12: $0/zwankysearch.exe, win10v2004-20241007-en
- behavioral13: $PLUGINSDIR/InstallOptions.dll, win7-20240903-en
- behavioral14: $PLUGINSDIR/InstallOptions.dll, win10v2004-20241007-en
- behavioral15: $PLUGINSDIR/System.dll, win7-20240903-en
- behavioral16: $PLUGINSDIR/System.dll, win10v2004-20241007-en
General
- Target: $0/uninstall.exe
- Size: 78KB
- MD5: 490071c63a8583c44546421214809399
- SHA1: f2268f3629b25b73b7f3ad984d867be01c19a670
- SHA256: 8f75ba9703c28b460025e05615222ed2b31e5eed829bfbab30bb029e873c0c24
- SHA512: 00301e21a10071a875b41ab8dbb715fad81af1c28f2badc8d2580b7b40ef52315fbd4af5e1e9a33c2070c3dc5c818632f0bed98f6e46d0869a3859997e12425b
- SSDEEP: 1536:PEkjY1zy214Qay0DGkJ7qAELVigJGo5hcpw/1q792sX7Ia12/DY:8kjAJ4dDGkJ+AI0bo1qRka0/U
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid 2732, process Au_.exe
- Loads dropped DLL (4 IoCs)
  pid 2192, process uninstall.exe
  pid 2732, process Au_.exe (3 occurrences)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  ioc: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, process uninstall.exe
  ioc: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, process Au_.exe
- NSIS installer (1 IoC)
  resource behavioral3/files/0x000500000001870c-2.dat, yara rule nsis_installer_1
- Suspicious use of WriteProcessMemory (4 IoCs)
  PID 2192 (uninstall.exe) wrote to memory of PID 2732, procid_target 30 (4 occurrences)
Processes
- C:\Users\Admin\AppData\Local\Temp\$0\uninstall.exe (PID 2192)
  command line: "C:\Users\Admin\AppData\Local\Temp\$0\uninstall.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - child: C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe (PID 2732)
    command line: "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\$0\
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 628B
  MD5: fa4cf1f9e830715b3beb07ab98f5fecb
  SHA1: 9f20abbdafeca383bb4c2b1ba9a5283a66bdc57e
  SHA256: c2f9501acd84a9afc346a9188b4c0cfedcf09bd9670259ef9e6f98d69e98152a
  SHA512: 745c7957bba982c3e8d6419c48939e4755489e9090ef60811790396b2e62da7a052d4ee25e8ed82d59265abe8294a41232d4246a645a3f4ce74c59f98f72ddcd
- Filesize: 703B
  MD5: 4978cf47380963df6124b520d876fb95
  SHA1: 0bebec1ed9cc0c57f05cbde146f4676ec53b9186
  SHA256: 75b7e11c5d35e1188ba047038972a7a117928e90595bc6454aa7f1b28a93c79d
  SHA512: 6156b50106be202090bcc0c7d23426127408b2fdcb661a586595d3096c56ab54ef90b66036a7cdd1a6798a17b3038d3d13f7699c3f7fecea9717789ad2eedaeb
- Filesize: 628B
  MD5: a604abb3529e61794bd73997cb450112
  SHA1: ae0d61aaa43bb648c64122ec34ec71f347bfd74b
  SHA256: 18e7ddde4ea4b004e6d693e920a6f3a07fc82f417b363982ddd995c4e8412bab
  SHA512: cbcd3f987893c4a8fac86b85085ceacc4ce10ae6795d41e35c1dc935c14a5157e8986cdf5cd433606a2dc0a2e70e97f2752798bd0a61eccdf40d7e16470bdf01
- Filesize: 13KB
  MD5: d765c492c21689e3d9d61634371fd861
  SHA1: ac200933671ae52c9d5544d0e2e8e9144d286c83
  SHA256: 551e6042dd494ea01549555ffc194ab9729da09058ec714eb368dd06642c9bbc
  SHA512: 9919a9e848c8f1e26c75d0d29207571e4b86a4140bd554743d2c1f8bd7f386fe4919345b163d89a5d907fb165e435ba0ac5f6b1101713636141f156a420e2e0f
- Filesize: 10KB
  MD5: fe24766ba314f620d57d0cf7339103c0
  SHA1: 8641545f03f03ff07485d6ec4d7b41cbb898c269
  SHA256: 802ef71440f662f456bed6283a5ff78066af016897fe6bfd29cac6edc2967bbd
  SHA512: 60d36959895cebf29c4e7713e6d414980139c7aa4ed1c8c96fefb672c1263af0ce909fb409534355895649c0e8056635112efb0da2ba05694446aec2ca77e2e3
- Filesize: 78KB
  MD5: 490071c63a8583c44546421214809399
  SHA1: f2268f3629b25b73b7f3ad984d867be01c19a670
  SHA256: 8f75ba9703c28b460025e05615222ed2b31e5eed829bfbab30bb029e873c0c24
  SHA512: 00301e21a10071a875b41ab8dbb715fad81af1c28f2badc8d2580b7b40ef52315fbd4af5e1e9a33c2070c3dc5c818632f0bed98f6e46d0869a3859997e12425b