Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

ea63eb3e1d...18.exe

windows7-x64

10

ea63eb3e1d...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    123s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
  • submitted
    13/12/2024, 06:43 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ea63eb3e1ddf625209a1056511aec0d4_JaffaCakes118.exe

  • Size

    100KB

  • MD5

    ea63eb3e1ddf625209a1056511aec0d4

  • SHA1

    0d8f505c9c743d395cd98ade9baffe5ed7e13137

  • SHA256

    c0dcf983d3136527bc4bcf0bfeb4a04008aa6028ce92b4138420f1686ed210b3

  • SHA512

    c90ffb60ac2ce45c525f54b68b8a4fc3a837f7a97c52c3392b323b59bd69a63321de5eef25b4845b786d6beb34c6e20ed412025da4d50465f5b2bf17efff9880

  • SSDEEP

    3072:NrMU9pwBtJqgOTpNXt6SkzJ0Bpw/K1Zbtw:xTYJYkSkzJ0A/P

Score
10/10
salitybackdoordiscoveryevasiontrojanupx

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Signatures

  • Modifies firewall policy service 3 TTPs 3 IoCs
    evasion
  • Sality

    Sality is backdoor written in C++, first discovered in 2003.

    backdoorsality
  • Sality family
    sality
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 6 IoCs
    evasiontrojan
  • Windows security modification 2 TTPs 7 IoCs
    evasiontrojan
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 2 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • UPX packed file 28 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 5 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious use of AdjustPrivilegeToken 30 IoCs
  • Suspicious use of WriteProcessMemory 52 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    1⤵
      PID:1100
    • C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      1⤵
        PID:1160
      • C:\Windows\Explorer.EXE
        C:\Windows\Explorer.EXE
        1⤵
          PID:1188
          • C:\Users\Admin\AppData\Local\Temp\ea63eb3e1ddf625209a1056511aec0d4_JaffaCakes118.exe
            "C:\Users\Admin\AppData\Local\Temp\ea63eb3e1ddf625209a1056511aec0d4_JaffaCakes118.exe"
            2⤵
            • Modifies firewall policy service
            • UAC bypass
            • Windows security bypass
            • Windows security modification
            • Checks whether UAC is enabled
            • Enumerates connected drives
            • Drops autorun.inf file
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            • System policy modification
            PID:1700
        • C:\Windows\system32\DllHost.exe
          C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
          1⤵
            PID:1028

          Network

          MITRE ATT&CK Enterprise v15

          Reconnaissance

          Resource Development

          Initial Access

          Replication Through Removable Media

          1
          T1091

          Execution

          Persistence

          Create or Modify System Process

          1
          T1543

          Windows Service

          1
          T1543.003

          Privilege Escalation

          Abuse Elevation Control Mechanism

          1
          T1548

          Bypass User Account Control

          1
          T1548.002

          Create or Modify System Process

          1
          T1543

          Windows Service

          1
          T1543.003

          Defense Evasion

          Abuse Elevation Control Mechanism

          1
          T1548

          Bypass User Account Control

          1
          T1548.002

          Impair Defenses

          4
          T1562

          Disable or Modify System Firewall

          1
          T1562.004

          Disable or Modify Tools

          3
          T1562.001

          Modify Registry

          5
          T1112

          Credential Access

          Discovery

          Peripheral Device Discovery

          1
          T1120

          Query Registry

          1
          T1012

          System Information Discovery

          3
          T1082

          System Location Discovery

          1
          T1614

          System Language Discovery

          1
          T1614.001

          Lateral Movement

          Replication Through Removable Media

          1
          T1091

          Collection

          Command and Control

          Exfiltration

          Impact

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • F:\vbeibx.pif
            Filesize

            100KB

            MD5

            be108d9c46bbce4541d99e9525a2e3ae

            SHA1

            0fa6d29ce230068425dcb9a3a415c194cf8367fe

            SHA256

            77825e9ae4774d3777fed4330fcd52c4f2513d1b0234f489394fc7233778bbe4

            SHA512

            9afa4f14168d5a7e096799faae8d48a6f36d9dd4d98730d3fd3efbe53c2ab93f1055e7064cdff81ea706875c0ceb32242621fa147f0a1a074a34a58bc12a5dc0

            Download Submit

          • memory/1100-9-0x0000000000220000-0x0000000000222000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1700-30-0x0000000001E00000-0x0000000002E8E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1700-27-0x0000000001E00000-0x0000000002E8E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1700-8-0x0000000001E00000-0x0000000002E8E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1700-4-0x0000000001E00000-0x0000000002E8E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1700-3-0x0000000001E00000-0x0000000002E8E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1700-20-0x0000000003E20000-0x0000000003E21000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1700-18-0x0000000003E20000-0x0000000003E21000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1700-17-0x0000000003CD0000-0x0000000003CD2000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1700-5-0x0000000001E00000-0x0000000002E8E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1700-7-0x0000000001E00000-0x0000000002E8E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1700-23-0x0000000001E00000-0x0000000002E8E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1700-24-0x0000000003CD0000-0x0000000003CD2000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1700-25-0x0000000003CD0000-0x0000000003CD2000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1700-22-0x0000000001E00000-0x0000000002E8E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1700-21-0x0000000001E00000-0x0000000002E8E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1700-26-0x0000000001E00000-0x0000000002E8E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1700-29-0x0000000001E00000-0x0000000002E8E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1700-28-0x0000000001E00000-0x0000000002E8E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1700-6-0x0000000001E00000-0x0000000002E8E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1700-0-0x0000000000400000-0x0000000000415000-memory.dmp

            Filesize

            84KB

            Download

          • memory/1700-36-0x0000000001E00000-0x0000000002E8E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1700-33-0x0000000001E00000-0x0000000002E8E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1700-34-0x0000000001E00000-0x0000000002E8E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1700-32-0x0000000001E00000-0x0000000002E8E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1700-38-0x0000000003CD0000-0x0000000003CD2000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1700-40-0x0000000001E00000-0x0000000002E8E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1700-53-0x00000000003F0000-0x00000000003F2000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1700-52-0x0000000003480000-0x0000000003481000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1700-54-0x00000000003F0000-0x00000000003F2000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1700-55-0x0000000001E00000-0x0000000002E8E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1700-56-0x0000000001E00000-0x0000000002E8E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1700-58-0x0000000001E00000-0x0000000002E8E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1700-61-0x0000000001E00000-0x0000000002E8E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1700-64-0x0000000001E00000-0x0000000002E8E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1700-65-0x0000000001E00000-0x0000000002E8E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1700-66-0x0000000001E00000-0x0000000002E8E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1700-69-0x0000000001E00000-0x0000000002E8E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1700-1-0x0000000001E00000-0x0000000002E8E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1700-146-0x0000000000400000-0x0000000000415000-memory.dmp

            Filesize

            84KB

            Download

          We care about your privacy.

          This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.