Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    150s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags
    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    21/02/2025, 20:16

General

  • Target

    $PLUGINSDIR/hao123inst-japan.exe

  • Size

    776KB

  • MD5

    35216cfcfcdfd7c2df84804ed69fdcfd

  • SHA1

    34d77a23aa7c7648948e4bfab31f33f517a785dc

  • SHA256

    a2157e3cf367d84dac8847bf2f20d32e1a420ddf297d879fa06113e08f9fc6dd

  • SHA512

    385d4b10c29c35b0b933f3dcf02e269e784f01e4836e6e1c9d60536cc7c30afb15bf5a70cfeaa4f2d1ec02e12c174d21c4924a02fabf3774f6f9834ca913a2c8

  • SSDEEP

    24576:f1Du4E0/zuFrHQR0pFGFbPEZB4gbZTkz74gbZg:dDFzuEDEZB4gbZY34gbZg

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Modifies Internet Explorer start page 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1196
      • C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\hao123inst-japan.exe
        "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\hao123inst-japan.exe"
        2⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Modifies Internet Explorer start page
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2100
        • C:\Users\Admin\AppData\Roaming\baidu\hao123-jp\hao123.1.0.0.1100.exe
          first_exec_from_inst
          3⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:3052

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\hao123.lnk

    Filesize

    944B

    MD5

    cbe586c55fe6aa6ca030a1bdbba112a5

    SHA1

    86eef1be626d2036fc570b4aa8fa8adcc529c499

    SHA256

    f08d0a7e7dec31f5d0e9dd99ae4c1f721d382610a5d6b6d5bdb39bca5a82c0ec

    SHA512

    2cd5061906ca6577cc15ecced3944cb6da55d0eff542a42afe66d3e83277651e20e009ac9eea9befc4e082ea10ea60302c3cc4400f5200e97090dc440a06d438

  • C:\Users\Admin\AppData\Roaming\baidu\hao123-jp\hao123.1.0.0.1100.exe

    Filesize

    532KB

    MD5

    24084b3b7c98ee06e90b381511e93749

    SHA1

    f8633cd3058205acfcc4473944b660f76874a11c

    SHA256

    8ae85201b89c0f65c17dab19e78a4610ade2947899d46fded6513fa3a2b45b11

    SHA512

    078f3be10735cd8818ec4babe4050224aae99d5f19cd8329cb29a40fcae86c4184502e559c763490fc93931b101efb40a053b4e9efba66138208520dd75eb709

  • C:\Users\Admin\Desktop\hao123.lnk

    Filesize

    1002B

    MD5

    82716c0eee10f79367349adc5e4a3e5d

    SHA1

    141e08d7073284ea7e51a2ac4a920797cba7ca25

    SHA256

    709497d5e35b45c1efa021688e25a9f230829094187a16f46b94e4246e030e94

    SHA512

    078ca78464e6a71fd0f7e002fae7c1efa4f189985a84e716fd131b619b8f117d00e5f99f755842fd0d4f039bf1b2f9344becdfe72231c3efa2de385197191da5

  • memory/1196-60-0x00000000021D0000-0x00000000021D1000-memory.dmp

    Filesize

    4KB

  • memory/3052-57-0x000000006FFF0000-0x0000000070000000-memory.dmp

    Filesize

    64KB

  • memory/3052-59-0x0000000001EC0000-0x0000000001EC2000-memory.dmp

    Filesize

    8KB