Overview
Tasks and scores (from the report tab bar; sample names are truncated as on the page):
- Overview: 10
- Static: 3
- c35b3b6eac...18.exe, windows7-x64: 7
- c35b3b6eac...18.exe, windows10-2004-x64: 7
- $PLUGINSDI...er.dll, windows7-x64: 3
- $PLUGINSDI...er.dll, windows10-2004-x64: 3
- $PLUGINSDI...ns.dll, windows7-x64: 3
- $PLUGINSDI...ns.dll, windows10-2004-x64: 3
- $PLUGINSDI...nu.dll, windows7-x64: 3
- $PLUGINSDI...nu.dll, windows10-2004-x64: 3
- $PLUGINSDI...em.dll, windows7-x64: 3
- $PLUGINSDI...em.dll, windows10-2004-x64: 3
- $PLUGINSDI...dl.dll, windows7-x64: 3
- $PLUGINSDI...dl.dll, windows10-2004-x64: 3
- CI3.exe, windows7-x64: 10
- CI3.exe, windows10-2004-x64: 10
- GLWorker.exe, windows7-x64: 10
- GLWorker.exe, windows10-2004-x64: 10
- Uninstall.exe, windows7-x64: 7
- Uninstall.exe, windows10-2004-x64: 7
- $PLUGINSDI...ns.dll, windows7-x64: 3
- $PLUGINSDI...ns.dll, windows10-2004-x64: 3
- $PLUGINSDI...em.dll, windows7-x64: 3
- $PLUGINSDI...em.dll, windows10-2004-x64: 3
- bass.dll, windows7-x64: 3
- bass.dll, windows10-2004-x64: 3
- readme.htm, windows7-x64: 3
- readme.htm, windows10-2004-x64: 3
Analysis
- max time kernel: 142s
- max time network: 127s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 04/12/2024, 16:17
Static task
- static1
Behavioral tasks (task: sample, resource)
- behavioral1: c35b3b6eaccc5e4912c1555080dc76cb_JaffaCakes118.exe, win7-20240903-en
- behavioral2: c35b3b6eaccc5e4912c1555080dc76cb_JaffaCakes118.exe, win10v2004-20241007-en
- behavioral3: $PLUGINSDIR/Dialer.dll, win7-20241010-en
- behavioral4: $PLUGINSDIR/Dialer.dll, win10v2004-20241007-en
- behavioral5: $PLUGINSDIR/InstallOptions.dll, win7-20240903-en
- behavioral6: $PLUGINSDIR/InstallOptions.dll, win10v2004-20241007-en
- behavioral7: $PLUGINSDIR/StartMenu.dll, win7-20240903-en
- behavioral8: $PLUGINSDIR/StartMenu.dll, win10v2004-20241007-en
- behavioral9: $PLUGINSDIR/System.dll, win7-20241023-en
- behavioral10: $PLUGINSDIR/System.dll, win10v2004-20241007-en
- behavioral11: $PLUGINSDIR/nsisdl.dll, win7-20240729-en
- behavioral12: $PLUGINSDIR/nsisdl.dll, win10v2004-20241007-en
- behavioral13: CI3.exe, win7-20240903-en
- behavioral14: CI3.exe, win10v2004-20241007-en
- behavioral15: GLWorker.exe, win7-20241010-en
- behavioral16: GLWorker.exe, win10v2004-20241007-en
- behavioral17: Uninstall.exe, win7-20240903-en
- behavioral18: Uninstall.exe, win10v2004-20241007-en
- behavioral19: $PLUGINSDIR/InstallOptions.dll, win7-20241023-en
- behavioral20: $PLUGINSDIR/InstallOptions.dll, win10v2004-20241007-en
- behavioral21: $PLUGINSDIR/System.dll, win7-20241010-en
- behavioral22: $PLUGINSDIR/System.dll, win10v2004-20241007-en
- behavioral23: bass.dll, win7-20240903-en
- behavioral24: bass.dll, win10v2004-20241007-en
- behavioral25: readme.htm, win7-20240708-en
- behavioral26: readme.htm, win10v2004-20241007-en
General
- Target: CI3.exe
- Size: 2.4MB
- MD5: 7fc7d17fe99e96b403224b6d0363f6e8
- SHA1: a892e59ccb3b95ad8e50ab8bcfa9925b92c219fe
- SHA256: 15c5e0826a4ec78ae00ccff64a3a63e365a6dfb2cd3efa87608e88ab45ec19cb
- SHA512: 9c3cfdbb3b93b61d9d38e65c9a1ab1da5bcbe6f428a6eebae53ea70fa1076c5996e9085a231cabe5c5cc1ca366880901f9c1f15a8cb8fcdc5f811f49323ffe8c
- SSDEEP: 49152:unEwQWnvUTHKW6NUUOnfPd5wydwdqWiK+l4/qB:unEAkKW6CUAfPSdZiK5/Q
Malware Config
Signatures

Banload
Banload variants download malicious files, then install and execute the files.
- Banload family

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
Description / IoC / Process:
- Key opened / \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ / CI3.exe

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Description / IoC / Process:
- Key value queried / \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion / CI3.exe
- Key value queried / \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate / CI3.exe

System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Description / IoC / Process:
- Key opened / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language / CI3.exe

Modifies registry class (13 IoCs)
Description / IoC / Process:
- Key created / \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E0E3262E-C9DE-13D1-BC03-0E8FF93EAE2B}\InprocServer32 / CI3.exe
- Set value (str) / \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E0E3262E-C9DE-13D1-BC03-0E8FF93EAE2B}\InprocServer32\ThreadingModel = "Apartment" / CI3.exe
- Key created / \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E0E3262E-C9DE-13D1-BC03-0E8FF93EAE2B}\ProgID / CI3.exe
- Set value (str) / \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E0E3262E-C9DE-13D1-BC03-0E8FF93EAE2B}\ProgID\ = "Microsoft.PhotoAcqDeviceSelectionDlg.1" / CI3.exe
- Key created / \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E0E3262E-C9DE-13D1-BC03-0E8FF93EAE2B}\TypeLib / CI3.exe
- Key created / \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E0E3262E-C9DE-13D1-BC03-0E8FF93EAE2B}\Version / CI3.exe
- Key created / \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E0E3262E-C9DE-13D1-BC03-0E8FF93EAE2B} / CI3.exe
- Set value (str) / \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E0E3262E-C9DE-13D1-BC03-0E8FF93EAE2B}\ = "PhotoAcqDeviceSelectionDlg" / CI3.exe
- Set value (str) / \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E0E3262E-C9DE-13D1-BC03-0E8FF93EAE2B}\VersionIndependentProgID\ = "Microsoft.PhotoAcqDeviceSelectionDlg" / CI3.exe
- Set value (str) / \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E0E3262E-C9DE-13D1-BC03-0E8FF93EAE2B}\Version\ = "1.0" / CI3.exe
- Key created / \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E0E3262E-C9DE-13D1-BC03-0E8FF93EAE2B}\VersionIndependentProgID / CI3.exe
- Set value (str) / \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E0E3262E-C9DE-13D1-BC03-0E8FF93EAE2B}\InprocServer32\ = "%ProgramFiles(x86)%\\Windows Photo Viewer\\PhotoAcq.dll" / CI3.exe
- Set value (str) / \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E0E3262E-C9DE-13D1-BC03-0E8FF93EAE2B}\TypeLib\ = "{00f25ae8-3625-4e34-92d4-f0918cf010ee}" / CI3.exe

Suspicious behavior: EnumeratesProcesses (1 IoC)
PID / Process:
- 1636 / CI3.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
PID / Process:
- 1636 / CI3.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Description / PID / Process:
- Token: 33 / 1636 / CI3.exe
- Token: SeIncBasePriorityPrivilege / 1636 / CI3.exe

Suspicious use of SetWindowsHookEx (6 IoCs)
PID / Process:
- 1636 / CI3.exe (6 occurrences)
Processes
- C:\Users\Admin\AppData\Local\Temp\CI3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\CI3.exe"
  PID: 1636
  Signatures:
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- File 1
  Filesize: 871B
  MD5: 888ef788e9638027cdb6eeb0332067d8
  SHA1: 41b6955f86dd527ab09ec481281e43247b9e52c6
  SHA256: 0d2888b864984e6f414451f7fdeb3c287d4584e8b1cdf62d4ca823c283f65eca
  SHA512: 2b1d9b9c2e5831cd6d16dae7c4c8ea763984bb63d9573fe2bd71f9ad5d54e510be88a4de976d8890c26a8282c6af794a1b3e9bc0af0fedcd9f89d7e1e3c91371
- File 2
  Filesize: 208B
  MD5: 37ea83fa6e0a1fa5621a6c2e953549df
  SHA1: 874b3e119a5b4a1d03d9968e47677971f12365e2
  SHA256: 9e19236238816fc9f1f07b4de924a1487910720311eb714c4b67a41881aba735
  SHA512: 93046260daf53c79e11eff5677fcee4ba33ea3f4f28209172829c7337ae5524b3678f40409fbdb0f6129060829d302ab665ba1ac7d3b26050f4c0ccde514a45f
- File 3
  Filesize: 789B
  MD5: 26be4faf384b28cd3c4f137ca1b3fba1
  SHA1: c006bb214d16cd4fd041a71a9b4c8be0bce91ed1
  SHA256: 10e140f4b5a1fcb3411ab1c30c91611c9a89e0bc41c5c1118e7dd666e3bba798
  SHA512: cc5fb447c210632d4119fefc5e4fbbebe6327fa79fdbcb56e9f002b4410e8b2ece7432a7637690f046fdbf3653840f2d6c1545872bc8c0f532993cdbe5bece8d
- File 4
  Filesize: 841B
  MD5: 7578973bd9ff088c211d5014b730a16c
  SHA1: d9ba76c07fdf1f6452ea86b3a748d65e4bccb21a
  SHA256: c7ec425954cffb9fa8bd71861b67eb051a662ce4d504a64683499c4f9d99874c
  SHA512: 0300874244c7defac70d09208daebdd0bf0c24eda6ce29e581a38d0caa0dc0a8006d06cd51f6e69b40d845672dc34bd5d4d30911a3e08daabc12ae0987963f06