Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

b4026bdd4f...18.exe

windows7-x64

10

b4026bdd4f...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29/11/2024, 23:23 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b4026bdd4f6ac3acaaa25586d841754b_JaffaCakes118.exe

  • Size

    174KB

  • MD5

    b4026bdd4f6ac3acaaa25586d841754b

  • SHA1

    2f4582c027227db8577daaf5fcbf2e62773bd06c

  • SHA256

    8a5716a47e0214114cb439151f84b6202906b8141468d7f81de88801ed308428

  • SHA512

    06a41752df04ffebf5f06b158bfc9b02a8ee56e5eb789e2b9cfaa8274e7e4c18e2b0de254e15ab2de3ae98d174f5efbae0e2d2519e370ac42a115903f0d9910f

  • SSDEEP

    3072:w6V2H12f5grMRaHfci2uM+hDUcTLb2YLh8rkscx:WH1xf6E/nDsW

Score
10/10
metasploitbackdoordiscoverytrojanupx

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    trojanbackdoormetasploit
  • Metasploit family
    metasploit
  • Checks computer location settings 2 TTPs 15 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 29 IoCs
  • Maps connected drives based on registry 3 TTPs 30 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 45 IoCs
  • Suspicious use of SetThreadContext 15 IoCs
  • UPX packed file 22 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 30 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 60 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b4026bdd4f6ac3acaaa25586d841754b_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\b4026bdd4f6ac3acaaa25586d841754b_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1640
    • C:\Users\Admin\AppData\Local\Temp\b4026bdd4f6ac3acaaa25586d841754b_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\b4026bdd4f6ac3acaaa25586d841754b_JaffaCakes118.exe"
      2⤵
      • Checks computer location settings
      • Maps connected drives based on registry
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1248
      • C:\Windows\SysWOW64\igfxwd32.exe
        "C:\Windows\system32\igfxwd32.exe" C:\Users\Admin\AppData\Local\Temp\B4026B~1.EXE
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1228
        • C:\Windows\SysWOW64\igfxwd32.exe
          "C:\Windows\system32\igfxwd32.exe" C:\Users\Admin\AppData\Local\Temp\B4026B~1.EXE
          4⤵
          • Checks computer location settings
          • Deletes itself
          • Executes dropped EXE
          • Maps connected drives based on registry
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:4036
          • C:\Windows\SysWOW64\igfxwd32.exe
            "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:3520
            • C:\Windows\SysWOW64\igfxwd32.exe
              "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Maps connected drives based on registry
              • Drops file in System32 directory
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of WriteProcessMemory
              PID:3200
              • C:\Windows\SysWOW64\igfxwd32.exe
                "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:2944
                • C:\Windows\SysWOW64\igfxwd32.exe
                  "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
                  8⤵
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Maps connected drives based on registry
                  • Drops file in System32 directory
                  • System Location Discovery: System Language Discovery
                  • Modifies registry class
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of WriteProcessMemory
                  PID:3248
                  • C:\Windows\SysWOW64\igfxwd32.exe
                    "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
                    9⤵
                    • Executes dropped EXE
                    • Suspicious use of SetThreadContext
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of WriteProcessMemory
                    PID:5092
                    • C:\Windows\SysWOW64\igfxwd32.exe
                      "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
                      10⤵
                      • Checks computer location settings
                      • Executes dropped EXE
                      • Maps connected drives based on registry
                      • Drops file in System32 directory
                      • System Location Discovery: System Language Discovery
                      • Modifies registry class
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of WriteProcessMemory
                      PID:1480
                      • C:\Windows\SysWOW64\igfxwd32.exe
                        "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
                        11⤵
                        • Executes dropped EXE
                        • Suspicious use of SetThreadContext
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of WriteProcessMemory
                        PID:2852
                        • C:\Windows\SysWOW64\igfxwd32.exe
                          "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
                          12⤵
                          • Checks computer location settings
                          • Executes dropped EXE
                          • Maps connected drives based on registry
                          • Drops file in System32 directory
                          • System Location Discovery: System Language Discovery
                          • Modifies registry class
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of WriteProcessMemory
                          PID:628
                          • C:\Windows\SysWOW64\igfxwd32.exe
                            "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
                            13⤵
                            • Executes dropped EXE
                            • Suspicious use of SetThreadContext
                            • System Location Discovery: System Language Discovery
                            • Suspicious use of WriteProcessMemory
                            PID:3240
                            • C:\Windows\SysWOW64\igfxwd32.exe
                              "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
                              14⤵
                              • Checks computer location settings
                              • Executes dropped EXE
                              • Maps connected drives based on registry
                              • Drops file in System32 directory
                              • System Location Discovery: System Language Discovery
                              • Modifies registry class
                              • Suspicious behavior: EnumeratesProcesses
                              PID:2244
                              • C:\Windows\SysWOW64\igfxwd32.exe
                                "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
                                15⤵
                                • Executes dropped EXE
                                • Suspicious use of SetThreadContext
                                • System Location Discovery: System Language Discovery
                                PID:592
                                • C:\Windows\SysWOW64\igfxwd32.exe
                                  "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
                                  16⤵
                                  • Checks computer location settings
                                  • Executes dropped EXE
                                  • Maps connected drives based on registry
                                  • Drops file in System32 directory
                                  • System Location Discovery: System Language Discovery
                                  • Modifies registry class
                                  • Suspicious behavior: EnumeratesProcesses
                                  PID:2100
                                  • C:\Windows\SysWOW64\igfxwd32.exe
                                    "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
                                    17⤵
                                    • Executes dropped EXE
                                    • Suspicious use of SetThreadContext
                                    • System Location Discovery: System Language Discovery
                                    PID:2804
                                    • C:\Windows\SysWOW64\igfxwd32.exe
                                      "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
                                      18⤵
                                      • Checks computer location settings
                                      • Executes dropped EXE
                                      • Maps connected drives based on registry
                                      • Drops file in System32 directory
                                      • System Location Discovery: System Language Discovery
                                      • Modifies registry class
                                      • Suspicious behavior: EnumeratesProcesses
                                      PID:4932
                                      • C:\Windows\SysWOW64\igfxwd32.exe
                                        "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
                                        19⤵
                                        • Executes dropped EXE
                                        • Suspicious use of SetThreadContext
                                        • System Location Discovery: System Language Discovery
                                        PID:1764
                                        • C:\Windows\SysWOW64\igfxwd32.exe
                                          "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
                                          20⤵
                                          • Checks computer location settings
                                          • Executes dropped EXE
                                          • Maps connected drives based on registry
                                          • Drops file in System32 directory
                                          • System Location Discovery: System Language Discovery
                                          • Modifies registry class
                                          • Suspicious behavior: EnumeratesProcesses
                                          PID:5068
                                          • C:\Windows\SysWOW64\igfxwd32.exe
                                            "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
                                            21⤵
                                            • Executes dropped EXE
                                            • Suspicious use of SetThreadContext
                                            • System Location Discovery: System Language Discovery
                                            PID:2180
                                            • C:\Windows\SysWOW64\igfxwd32.exe
                                              "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
                                              22⤵
                                              • Checks computer location settings
                                              • Executes dropped EXE
                                              • Maps connected drives based on registry
                                              • Drops file in System32 directory
                                              • System Location Discovery: System Language Discovery
                                              • Modifies registry class
                                              • Suspicious behavior: EnumeratesProcesses
                                              PID:1200
                                              • C:\Windows\SysWOW64\igfxwd32.exe
                                                "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
                                                23⤵
                                                • Executes dropped EXE
                                                • Suspicious use of SetThreadContext
                                                • System Location Discovery: System Language Discovery
                                                PID:3420
                                                • C:\Windows\SysWOW64\igfxwd32.exe
                                                  "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
                                                  24⤵
                                                  • Checks computer location settings
                                                  • Executes dropped EXE
                                                  • Maps connected drives based on registry
                                                  • Drops file in System32 directory
                                                  • System Location Discovery: System Language Discovery
                                                  • Modifies registry class
                                                  • Suspicious behavior: EnumeratesProcesses
                                                  PID:3336
                                                  • C:\Windows\SysWOW64\igfxwd32.exe
                                                    "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
                                                    25⤵
                                                    • Executes dropped EXE
                                                    • Suspicious use of SetThreadContext
                                                    • System Location Discovery: System Language Discovery
                                                    PID:212
                                                    • C:\Windows\SysWOW64\igfxwd32.exe
                                                      "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
                                                      26⤵
                                                      • Checks computer location settings
                                                      • Executes dropped EXE
                                                      • Maps connected drives based on registry
                                                      • Drops file in System32 directory
                                                      • System Location Discovery: System Language Discovery
                                                      • Modifies registry class
                                                      • Suspicious behavior: EnumeratesProcesses
                                                      PID:4144
                                                      • C:\Windows\SysWOW64\igfxwd32.exe
                                                        "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
                                                        27⤵
                                                        • Executes dropped EXE
                                                        • Suspicious use of SetThreadContext
                                                        • System Location Discovery: System Language Discovery
                                                        PID:1648
                                                        • C:\Windows\SysWOW64\igfxwd32.exe
                                                          "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
                                                          28⤵
                                                          • Checks computer location settings
                                                          • Executes dropped EXE
                                                          • Maps connected drives based on registry
                                                          • Drops file in System32 directory
                                                          • System Location Discovery: System Language Discovery
                                                          • Modifies registry class
                                                          • Suspicious behavior: EnumeratesProcesses
                                                          PID:3624
                                                          • C:\Windows\SysWOW64\igfxwd32.exe
                                                            "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
                                                            29⤵
                                                            • Executes dropped EXE
                                                            • Suspicious use of SetThreadContext
                                                            • System Location Discovery: System Language Discovery
                                                            PID:3616
                                                            • C:\Windows\SysWOW64\igfxwd32.exe
                                                              "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
                                                              30⤵
                                                              • Checks computer location settings
                                                              • Executes dropped EXE
                                                              • Maps connected drives based on registry
                                                              • Drops file in System32 directory
                                                              • System Location Discovery: System Language Discovery
                                                              • Modifies registry class
                                                              • Suspicious behavior: EnumeratesProcesses
                                                              PID:4516
                                                              • C:\Windows\SysWOW64\igfxwd32.exe
                                                                "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
                                                                31⤵
                                                                • Executes dropped EXE
                                                                PID:5092

Network

  • flag-us
    DNS
    241.150.49.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    241.150.49.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    88.210.23.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    88.210.23.2.in-addr.arpa
    IN PTR
    Response
    88.210.23.2.in-addr.arpa
    IN PTR
    a2-23-210-88deploystaticakamaitechnologiescom
  • flag-us
    DNS
    0.159.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    0.159.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    58.55.71.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    58.55.71.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    200.163.202.172.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    200.163.202.172.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    18.31.95.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    18.31.95.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    107.12.20.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    107.12.20.2.in-addr.arpa
    IN PTR
    Response
    107.12.20.2.in-addr.arpa
    IN PTR
    a2-20-12-107deploystaticakamaitechnologiescom
  • flag-us
    DNS
    99.209.201.84.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    99.209.201.84.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    19.229.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    19.229.111.52.in-addr.arpa
    IN PTR
    Response
No results found
  • 8.8.8.8:53
    241.150.49.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    241.150.49.20.in-addr.arpa

  • 8.8.8.8:53
    88.210.23.2.in-addr.arpa
    dns
    70 B
     133 B
     1
    1

    DNS Request

    88.210.23.2.in-addr.arpa

  • 8.8.8.8:53
    0.159.190.20.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    0.159.190.20.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
     144 B
     1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    58.55.71.13.in-addr.arpa
    dns
    70 B
     144 B
     1
    1

    DNS Request

    58.55.71.13.in-addr.arpa

  • 8.8.8.8:53
    200.163.202.172.in-addr.arpa
    dns
    74 B
     160 B
     1
    1

    DNS Request

    200.163.202.172.in-addr.arpa

  • 8.8.8.8:53
    18.31.95.13.in-addr.arpa
    dns
    70 B
     144 B
     1
    1

    DNS Request

    18.31.95.13.in-addr.arpa

  • 8.8.8.8:53
    107.12.20.2.in-addr.arpa
    dns
    70 B
     133 B
     1
    1

    DNS Request

    107.12.20.2.in-addr.arpa

  • 8.8.8.8:53
    99.209.201.84.in-addr.arpa
    dns
    72 B
     132 B
     1
    1

    DNS Request

    99.209.201.84.in-addr.arpa

  • 8.8.8.8:53
    19.229.111.52.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    19.229.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\igfxwd32.exe
    Filesize

    174KB

    MD5

    b4026bdd4f6ac3acaaa25586d841754b

    SHA1

    2f4582c027227db8577daaf5fcbf2e62773bd06c

    SHA256

    8a5716a47e0214114cb439151f84b6202906b8141468d7f81de88801ed308428

    SHA512

    06a41752df04ffebf5f06b158bfc9b02a8ee56e5eb789e2b9cfaa8274e7e4c18e2b0de254e15ab2de3ae98d174f5efbae0e2d2519e370ac42a115903f0d9910f

    Download Submit

  • memory/628-76-0x0000000000400000-0x0000000000466000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1200-111-0x0000000000400000-0x0000000000466000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1248-4-0x0000000000400000-0x0000000000466000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1248-38-0x0000000000400000-0x0000000000466000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1248-0-0x0000000000400000-0x0000000000466000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1248-3-0x0000000000400000-0x0000000000466000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1248-2-0x0000000000400000-0x0000000000466000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1480-69-0x0000000000400000-0x0000000000466000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2100-90-0x0000000000400000-0x0000000000466000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2244-83-0x0000000000400000-0x0000000000466000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3200-55-0x0000000000400000-0x0000000000466000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3248-62-0x0000000000400000-0x0000000000466000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3336-117-0x0000000000400000-0x0000000000466000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3624-135-0x0000000000400000-0x0000000000466000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4036-43-0x0000000000400000-0x0000000000466000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4036-47-0x0000000000400000-0x0000000000466000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4036-45-0x0000000000400000-0x0000000000466000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4036-44-0x0000000000400000-0x0000000000466000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4144-127-0x0000000000400000-0x0000000000466000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4516-144-0x0000000000400000-0x0000000000466000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4932-97-0x0000000000400000-0x0000000000466000-memory.dmp

    Filesize

    408KB

    Download

  • memory/5068-103-0x0000000000400000-0x0000000000466000-memory.dmp

    Filesize

    408KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.