Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

d353337783...18.exe

windows7-x64

10

d353337783...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07/12/2024, 19:49 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d3533377832375322ddbbb74cc5345ba_JaffaCakes118.exe

  • Size

    238KB

  • MD5

    d3533377832375322ddbbb74cc5345ba

  • SHA1

    cdcda6610099c7293313aea7c81ed2076cc1488d

  • SHA256

    739ed36031b3c40e9aecd31fe81d20e95875720a74b4ed6a0f4b168a29438357

  • SHA512

    e765279be0b81a673147b6528bf1a4162e7a83cb3771611151428aa6a26658b7881a38a532047c498704f48b09558bb8f64fb3b0aed54e40de4ff69a8ef30faa

  • SSDEEP

    6144:zC3MpH6kDw0RNHxHSK8GfvI9Ns6heKn89dSIc:e3MpaGw0XHJ8GYcWeKnUc

Score
10/10
metasploitbackdoordiscoveryevasionpersistencetrojanupx

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    trojanbackdoormetasploit
  • Metasploit family
    metasploit
  • Modifies firewall policy service 3 TTPs 8 IoCs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Maps connected drives based on registry 3 TTPs 4 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 4 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3408
      • C:\Users\Admin\AppData\Local\Temp\d3533377832375322ddbbb74cc5345ba_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\d3533377832375322ddbbb74cc5345ba_JaffaCakes118.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        PID:4052
        • C:\Users\Admin\AppData\Local\Temp\d3533377832375322ddbbb74cc5345ba_JaffaCakes118.exe
          "C:\Users\Admin\AppData\Local\Temp\d3533377832375322ddbbb74cc5345ba_JaffaCakes118.exe"
          3⤵
          • Checks computer location settings
          • Maps connected drives based on registry
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2184
          • C:\Windows\SysWOW64\igfxbh86.exe
            "C:\Windows\SysWOW64\igfxbh86.exe" C:\Users\Admin\AppData\Local\Temp\D35333~1.EXE
            4⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:3892
            • C:\Windows\SysWOW64\igfxbh86.exe
              "C:\Windows\SysWOW64\igfxbh86.exe" C:\Users\Admin\AppData\Local\Temp\D35333~1.EXE
              5⤵
              • Modifies firewall policy service
              • Deletes itself
              • Executes dropped EXE
              • Adds Run key to start application
              • Maps connected drives based on registry
              • Drops file in System32 directory
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of WriteProcessMemory
              PID:736

    Network

    • flag-us
      DNS
      8.8.8.8.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      8.8.8.8.in-addr.arpa
      IN PTR
      Response
      8.8.8.8.in-addr.arpa
      IN PTR
      dnsgoogle
    • flag-us
      DNS
      217.106.137.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      217.106.137.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      83.210.23.2.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      83.210.23.2.in-addr.arpa
      IN PTR
      Response
      83.210.23.2.in-addr.arpa
      IN PTR
      a2-23-210-83deploystaticakamaitechnologiescom
    • flag-us
      DNS
      75.159.190.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      75.159.190.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      232.168.11.51.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      232.168.11.51.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      xe-0-7-0.level4-co2-as30938.su
      igfxbh86.exe
      Remote address:
      8.8.8.8:53
      Request
      xe-0-7-0.level4-co2-as30938.su
      IN A
      Response
    • flag-us
      DNS
      56.163.245.4.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      56.163.245.4.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      206.23.85.13.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      206.23.85.13.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      172.210.232.199.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      172.210.232.199.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      134.130.81.91.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      134.130.81.91.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      172.214.232.199.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      172.214.232.199.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      22.236.111.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      22.236.111.52.in-addr.arpa
      IN PTR
      Response
    • 66.128.53.179:80
      igfxbh86.exe
      260 B
       5
    • 195.137.213.67:80
      igfxbh86.exe
      260 B
       5
    • 204.11.237.50:80
      igfxbh86.exe
      260 B
       5
    • 8.8.8.8:53
      8.8.8.8.in-addr.arpa
      dns
      66 B
       90 B
       1
      1

      DNS Request

      8.8.8.8.in-addr.arpa

    • 8.8.8.8:53
      217.106.137.52.in-addr.arpa
      dns
      73 B
       147 B
       1
      1

      DNS Request

      217.106.137.52.in-addr.arpa

    • 8.8.8.8:53
      83.210.23.2.in-addr.arpa
      dns
      70 B
       133 B
       1
      1

      DNS Request

      83.210.23.2.in-addr.arpa

    • 8.8.8.8:53
      75.159.190.20.in-addr.arpa
      dns
      72 B
       158 B
       1
      1

      DNS Request

      75.159.190.20.in-addr.arpa

    • 8.8.8.8:53
      232.168.11.51.in-addr.arpa
      dns
      72 B
       158 B
       1
      1

      DNS Request

      232.168.11.51.in-addr.arpa

    • 8.8.8.8:53
      xe-0-7-0.level4-co2-as30938.su
      dns
      igfxbh86.exe
      76 B
       137 B
       1
      1

      DNS Request

      xe-0-7-0.level4-co2-as30938.su

    • 8.8.8.8:53
      56.163.245.4.in-addr.arpa
      dns
      71 B
       157 B
       1
      1

      DNS Request

      56.163.245.4.in-addr.arpa

    • 8.8.8.8:53
      206.23.85.13.in-addr.arpa
      dns
      71 B
       145 B
       1
      1

      DNS Request

      206.23.85.13.in-addr.arpa

    • 8.8.8.8:53
      172.210.232.199.in-addr.arpa
      dns
      74 B
       128 B
       1
      1

      DNS Request

      172.210.232.199.in-addr.arpa

    • 8.8.8.8:53
      134.130.81.91.in-addr.arpa
      dns
      72 B
       147 B
       1
      1

      DNS Request

      134.130.81.91.in-addr.arpa

    • 8.8.8.8:53
      172.214.232.199.in-addr.arpa
      dns
      74 B
       128 B
       1
      1

      DNS Request

      172.214.232.199.in-addr.arpa

    • 8.8.8.8:53
      22.236.111.52.in-addr.arpa
      dns
      72 B
       158 B
       1
      1

      DNS Request

      22.236.111.52.in-addr.arpa

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\SysWOW64\igfxbh86.exe
      Filesize

      238KB

      MD5

      d3533377832375322ddbbb74cc5345ba

      SHA1

      cdcda6610099c7293313aea7c81ed2076cc1488d

      SHA256

      739ed36031b3c40e9aecd31fe81d20e95875720a74b4ed6a0f4b168a29438357

      SHA512

      e765279be0b81a673147b6528bf1a4162e7a83cb3771611151428aa6a26658b7881a38a532047c498704f48b09558bb8f64fb3b0aed54e40de4ff69a8ef30faa

      Download Submit

    • memory/736-44-0x0000000000400000-0x000000000044C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/736-47-0x0000000000400000-0x000000000044C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/736-48-0x0000000000400000-0x000000000044C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/2184-0-0x0000000000400000-0x000000000044C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/2184-2-0x0000000000400000-0x000000000044C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/2184-3-0x0000000000400000-0x000000000044C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/2184-4-0x0000000000400000-0x000000000044C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/2184-43-0x0000000000400000-0x000000000044C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/2184-45-0x0000000000400000-0x000000000044C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/2184-46-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

      Download

    We care about your privacy.

    This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.