Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    94s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15/12/2024, 02:39

General

  • Target

    f1e7e1001aeb2e61073278dd03a57f69_JaffaCakes118.exe

  • Size

    125KB

  • MD5

    f1e7e1001aeb2e61073278dd03a57f69

  • SHA1

    f3c6a4b785974217c1a1af914b19a6cdb0d8c5ab

  • SHA256

    646c5fa222b322fee4fd877e378ed1f555bd3ce081e2b32c810a2025fc923a85

  • SHA512

    78a1bed0442ecd39f1b9ac252e2d70909b03206efe735597eb55c80d68d78cdeb474384fbb69defe83efff2d7211e4e596b103ed65c1bd0d51daa026c4ac30e6

  • SSDEEP

    3072:dQIeRTXJSceAbl+mHa+iNn8PhTjuiCWLm:dmUmp+mHXiNnssHKm

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

  • Sality

    Sality is backdoor written in C++, first discovered in 2003.

  • Sality family
  • UAC bypass 3 TTPs 3 IoCs
  • Windows security bypass 2 TTPs 18 IoCs
  • Disables RegEdit via registry modification 3 IoCs
  • Disables Task Manager via registry modification
  • Modifies Windows Firewall 2 TTPs 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Windows security modification 2 TTPs 14 IoCs
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • NSIS installer 4 IoCs
  • Modifies registry class 55 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 2 IoCs

Processes

  • C:\Windows\system32\fontdrvhost.exe
    "fontdrvhost.exe"
    1⤵
      PID:760
    • C:\Windows\system32\fontdrvhost.exe
      "fontdrvhost.exe"
      1⤵
        PID:768
      • C:\Windows\system32\dwm.exe
        "dwm.exe"
        1⤵
          PID:64
        • C:\Windows\system32\sihost.exe
          sihost.exe
          1⤵
            PID:2716
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
            1⤵
              PID:2768
            • C:\Windows\system32\taskhostw.exe
              taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
              1⤵
                PID:2964
              • C:\Windows\Explorer.EXE
                C:\Windows\Explorer.EXE
                1⤵
                  PID:3500
                  • C:\Users\Admin\AppData\Local\Temp\f1e7e1001aeb2e61073278dd03a57f69_JaffaCakes118.exe
                    "C:\Users\Admin\AppData\Local\Temp\f1e7e1001aeb2e61073278dd03a57f69_JaffaCakes118.exe"
                    2⤵
                    • UAC bypass
                    • Windows security bypass
                    • Disables RegEdit via registry modification
                    • Windows security modification
                    • Checks whether UAC is enabled
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    • System policy modification
                    PID:2244
                    • C:\Windows\SysWOW64\netsh.exe
                      netsh firewall set opmode disable
                      3⤵
                      • UAC bypass
                      • Windows security bypass
                      • Disables RegEdit via registry modification
                      • Modifies Windows Firewall
                      • Event Triggered Execution: Netsh Helper DLL
                      • System Location Discovery: System Language Discovery
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of WriteProcessMemory
                      PID:4008
                      • C:\Windows\System32\Conhost.exe
                        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        4⤵
                          PID:4560
                        • C:\Windows\SysWOW64\netsh.exe
                          netsh firewall set opmode disable
                          4⤵
                          • Modifies Windows Firewall
                          • Event Triggered Execution: Netsh Helper DLL
                          • System Location Discovery: System Language Discovery
                          PID:3536
                      • C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
                        "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
                        3⤵
                        • UAC bypass
                        • Windows security bypass
                        • Disables RegEdit via registry modification
                        • Executes dropped EXE
                        • Loads dropped DLL
                        • Windows security modification
                        • Checks whether UAC is enabled
                        • System Location Discovery: System Language Discovery
                        • Modifies registry class
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of WriteProcessMemory
                        • System policy modification
                        PID:2364
                        • C:\Windows\SysWOW64\regsvr32.exe
                          regsvr32 /u /s "C:\Users\Admin\AppData\Local\Temp\7-zip.dll"
                          4⤵
                          • System Location Discovery: System Language Discovery
                          PID:1488
                        • C:\Windows\SysWOW64\netsh.exe
                          netsh firewall set opmode disable
                          4⤵
                          • Modifies Windows Firewall
                          • Event Triggered Execution: Netsh Helper DLL
                          • System Location Discovery: System Language Discovery
                          PID:4052
                  • C:\Windows\system32\svchost.exe
                    C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
                    1⤵
                      PID:3668
                    • C:\Windows\system32\DllHost.exe
                      C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                      1⤵
                        PID:3832
                      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                        1⤵
                          PID:3924
                        • C:\Windows\System32\RuntimeBroker.exe
                          C:\Windows\System32\RuntimeBroker.exe -Embedding
                          1⤵
                            PID:3996
                          • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                            "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                            1⤵
                              PID:4076
                            • C:\Windows\System32\RuntimeBroker.exe
                              C:\Windows\System32\RuntimeBroker.exe -Embedding
                              1⤵
                                PID:4108
                              • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
                                "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
                                1⤵
                                  PID:2960
                                • C:\Windows\System32\RuntimeBroker.exe
                                  C:\Windows\System32\RuntimeBroker.exe -Embedding
                                  1⤵
                                    PID:3732

                                  Network

                                  MITRE ATT&CK Enterprise v15

                                  Replay Monitor

                                  Loading Replay Monitor...

                                  Downloads

                                  • C:\Users\Admin\AppData\Local\Temp\0E577753_Rar\Au_.exe

                                    Filesize

                                    57KB

                                    MD5

                                    78e662d435a8e1f5b9ced236fd331856

                                    SHA1

                                    60a9caf60870d077a73720e9077092d4297fdccd

                                    SHA256

                                    f890411345438843d6fcba804d8c38dea1d43b9e327420752cc4a40eb4b49349

                                    SHA512

                                    7e4d9e57d404ceff70e93c83ab6ba2a876f485f6febff81f5046d84e87f5bfae8c18a75afb32e0360f17e03ced4fe7ab2a600b6db8fd53fbde7c88661684e0ad

                                  • C:\Users\Admin\AppData\Local\Temp\nsu7784.tmp\InstallOptions.dll

                                    Filesize

                                    14KB

                                    MD5

                                    325b008aec81e5aaa57096f05d4212b5

                                    SHA1

                                    27a2d89747a20305b6518438eff5b9f57f7df5c3

                                    SHA256

                                    c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b

                                    SHA512

                                    18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf

                                  • C:\Users\Admin\AppData\Local\Temp\nsu7784.tmp\ioSpecial.ini

                                    Filesize

                                    494B

                                    MD5

                                    80c50d8228fe5f1a7179ba04e5232be3

                                    SHA1

                                    9a8d44d6366ca2be37a7151949a3991cbc096c24

                                    SHA256

                                    0b3a87281380119ac37a1e59b26f33bdabc2731cc388ff97a8992500f0e50437

                                    SHA512

                                    127b57b7c027f82d87a6129fefe56237920ac398dc4bee013ead8303fbcf0da4b242dfe40cc9df7ba1c0b64dfaff7c255dd1fdfec1d11f2b6520346a67dc15d1

                                  • C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

                                    Filesize

                                    125KB

                                    MD5

                                    f1e7e1001aeb2e61073278dd03a57f69

                                    SHA1

                                    f3c6a4b785974217c1a1af914b19a6cdb0d8c5ab

                                    SHA256

                                    646c5fa222b322fee4fd877e378ed1f555bd3ce081e2b32c810a2025fc923a85

                                    SHA512

                                    78a1bed0442ecd39f1b9ac252e2d70909b03206efe735597eb55c80d68d78cdeb474384fbb69defe83efff2d7211e4e596b103ed65c1bd0d51daa026c4ac30e6

                                  • C:\Windows\SYSTEM.INI

                                    Filesize

                                    258B

                                    MD5

                                    833e48eefdfadac4ded288e390c4f4ac

                                    SHA1

                                    63aa8ebe5b030235df94f548a5c96ea080b8bce1

                                    SHA256

                                    6e9590176e45e46d16f54d6f3df52736aae9fe1c7e97d98c2b6beb3b1abbf4cd

                                    SHA512

                                    81ffae5f6260db601fcd699c71c7311167475979119b4131a0dbcc17023b733bc2a840fe09046a3e33089e90edbbf4167b0954d36fcc0d0f3bf091fb0439eed4

                                  • memory/2244-15-0x0000000000610000-0x0000000000612000-memory.dmp

                                    Filesize

                                    8KB

                                  • memory/2244-9-0x0000000000610000-0x0000000000612000-memory.dmp

                                    Filesize

                                    8KB

                                  • memory/2244-26-0x00000000023B0000-0x00000000033E2000-memory.dmp

                                    Filesize

                                    16.2MB

                                  • memory/2244-36-0x0000000000400000-0x0000000000443000-memory.dmp

                                    Filesize

                                    268KB

                                  • memory/2244-1-0x00000000023B0000-0x00000000033E2000-memory.dmp

                                    Filesize

                                    16.2MB

                                  • memory/2244-14-0x0000000000610000-0x0000000000612000-memory.dmp

                                    Filesize

                                    8KB

                                  • memory/2244-6-0x00000000023B0000-0x00000000033E2000-memory.dmp

                                    Filesize

                                    16.2MB

                                  • memory/2244-0-0x0000000000400000-0x0000000000443000-memory.dmp

                                    Filesize

                                    268KB

                                  • memory/2244-4-0x00000000023B0000-0x00000000033E2000-memory.dmp

                                    Filesize

                                    16.2MB

                                  • memory/2244-10-0x00000000007D0000-0x00000000007D1000-memory.dmp

                                    Filesize

                                    4KB

                                  • memory/2364-145-0x0000000004BD0000-0x0000000005C02000-memory.dmp

                                    Filesize

                                    16.2MB

                                  • memory/2364-143-0x0000000004BD0000-0x0000000005C02000-memory.dmp

                                    Filesize

                                    16.2MB

                                  • memory/2364-144-0x0000000004BD0000-0x0000000005C02000-memory.dmp

                                    Filesize

                                    16.2MB

                                  • memory/2364-56-0x0000000003050000-0x0000000003052000-memory.dmp

                                    Filesize

                                    8KB

                                  • memory/2364-55-0x00000000031A0000-0x00000000031A1000-memory.dmp

                                    Filesize

                                    4KB

                                  • memory/2364-182-0x0000000000400000-0x0000000000443000-memory.dmp

                                    Filesize

                                    268KB

                                  • memory/2364-35-0x0000000000400000-0x0000000000443000-memory.dmp

                                    Filesize

                                    268KB

                                  • memory/3536-70-0x00000000028B0000-0x00000000028B2000-memory.dmp

                                    Filesize

                                    8KB

                                  • memory/3536-59-0x00000000028B0000-0x00000000028B2000-memory.dmp

                                    Filesize

                                    8KB

                                  • memory/3536-58-0x0000000002900000-0x0000000002901000-memory.dmp

                                    Filesize

                                    4KB

                                  • memory/4008-45-0x0000000002C20000-0x0000000003C52000-memory.dmp

                                    Filesize

                                    16.2MB

                                  • memory/4008-63-0x0000000002C20000-0x0000000003C52000-memory.dmp

                                    Filesize

                                    16.2MB

                                  • memory/4008-67-0x00000000005D0000-0x00000000005D2000-memory.dmp

                                    Filesize

                                    8KB

                                  • memory/4008-48-0x0000000002C20000-0x0000000003C52000-memory.dmp

                                    Filesize

                                    16.2MB

                                  • memory/4008-12-0x00000000005E0000-0x00000000005E1000-memory.dmp

                                    Filesize

                                    4KB

                                  • memory/4008-44-0x00000000005D0000-0x00000000005D2000-memory.dmp

                                    Filesize

                                    8KB

                                  • memory/4008-39-0x00000000005D0000-0x00000000005D2000-memory.dmp

                                    Filesize

                                    8KB

                                  • memory/4052-152-0x0000000000C90000-0x0000000000C91000-memory.dmp

                                    Filesize

                                    4KB

                                  • memory/4052-153-0x0000000000C80000-0x0000000000C82000-memory.dmp

                                    Filesize

                                    8KB

                                  • memory/4052-155-0x0000000000C80000-0x0000000000C82000-memory.dmp

                                    Filesize

                                    8KB