Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
95s -
max time network
127s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
31/12/2024, 03:28
General
-
Target
JaffaCakes118_029fde9403ed6a8445e674646c4104c0.exe
-
Size
231KB
-
MD5
029fde9403ed6a8445e674646c4104c0
-
SHA1
2a6a3c327b11d30e00dbef3370275cf4fc60586f
-
SHA256
c351b4878a034ce7d31673ceeab281922585b1b26a9f520c2cf69f5f900d87a0
-
SHA512
48141c1c4b25e2a49a5e3ab0b6ee00cc038233c99c38634adde5169b67e3f44d88247eb6b54a2fa7a5af7144b3045de40626fa5a92724381435aad4262dec95e
-
SSDEEP
6144:Z+2YqOYG9j0CUEI2hd5twlULasDns6uYozF5OwVkS6E:kJEWj5Fhd5sUesDns6BAee
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
http://klkjwre77638dfqwieuoi888.info/
Signatures
-
Modifies firewall policy service 3 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
Sality family
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Disables RegEdit via registry modification 2 IoCs
-
Disables Task Manager via registry modification
-
Deletes itself 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 7 IoCs
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
UPX packed file 20 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
NSIS installer 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 33 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_029fde9403ed6a8445e674646c4104c0.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_029fde9403ed6a8445e674646c4104c0.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Disables RegEdit via registry modification
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\3⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Disables RegEdit via registry modification
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
163KB
MD507599bc344a4c7bbcedc75a69334b187
SHA17ab3af63e151332c1804b7879f02938fec7ffb9f
SHA2563865670396bbc0576ef72eb26833dd02d6843a72a405c56bdb5b9baad1d948a3
SHA5120e51aa376d5cea54659b395495329fd8de8a84ad5483cffb7680e57edd4f9ca6db4728d76839fae878e212495a95d150c90dd3abbee25017d8eb6de9141b3ade
-
Filesize
100KB
MD50c2020b9cebdefe01d1ab1bf079ead52
SHA117bdbefce3f24c7b8817bb0499ef407f4bf0df2d
SHA25632fa6bae573848b5123734672039e808c9ce93e781f01e619b959c6c4e8fde72
SHA512fea74de5eca2d90fe6b35d3ad40ad2b7527448a5cd9f75eb2d549d4aa5e8cbb410a3d9a3b1f3a861689c5f45b949c87090f0349ad57f5918dd1b27e7b26b61fc
-
Filesize
9KB
MD50e4c4e4eb158e3f250ca9161156e74a5
SHA178d055856312c2b9f313877f7f72ca936554095a
SHA25660e6e287828dd882447a79018b505bb3be67b0f04fc8e022a57442e249588ed1
SHA512eba47ef4d16532df26f50e42bb5650733844ffc94b6f0e9037c2a2854326e9bcf1d6c967f541a655a91452c9357eb4ba1aedf85a2757a560ad4527a8f6b63ebc
-
Filesize
3KB
MD51923c3ce705616293c721d5dfc46b7a3
SHA1beec6bba81cc80e100243e6b26554e0c585f7734
SHA256921d31307a7e93270caa35093893b1799b055ffde2db3298fb9aa495ede7f9a2
SHA512b8d584db8fac7a8395e3e5e1fdf12c4d3e5d1bdd78ac00e7467b5c4d279c670834211076ada391b6f11fb833fc8b54f2b3b24d9ecd85727000b1c0138aac8b77
-
Filesize
164KB
MD59f392fdef8b0681254ad916cf0cf6961
SHA1ef903a0652696e5c0aad1b271916a1c212bdcee1
SHA2560e6a43834e7124c784f958756330dbdcba32bc397bc96fd8ce1672c8c173be27
SHA5125835042e78caea5ac25b2ce7c0490643c37890dd83424bf521ed67a97e2faaf95e2f8d9e7626b71f78c1d40e93dd61d3a175d149cf932042101d39fc09c2a77c
-
Filesize
231KB
MD5029fde9403ed6a8445e674646c4104c0
SHA12a6a3c327b11d30e00dbef3370275cf4fc60586f
SHA256c351b4878a034ce7d31673ceeab281922585b1b26a9f520c2cf69f5f900d87a0
SHA51248141c1c4b25e2a49a5e3ab0b6ee00cc038233c99c38634adde5169b67e3f44d88247eb6b54a2fa7a5af7144b3045de40626fa5a92724381435aad4262dec95e
-
Filesize
257B
MD5fccffe8f74b2f9b56da0362721feb725
SHA13aed87ba74c5c5437b0ff174a0f0394b58cc020b
SHA256e951cac02557c5e9febc16234bd0fc9f3d1f8bb93fcb4b49f374b42fc22ba572
SHA51246769b07ede15babf75e5711943df55204364d38b4e9587deede5ea5dc0227674471863cba8b086bc26b816988998a0e525780aa116413bd15c2b2f6255a4c0b
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
16.6MB
-
Filesize
256KB
-
Filesize
16.6MB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
256KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
8KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
108KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
8KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
256KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
256KB
-
Filesize
16.6MB