Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    150s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    06/04/2024, 15:12

General

  • Target

    e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    e2d18966d4665fb34cbbccad4c87e2cc

  • SHA1

    249e4de741f006cb0d755e37b587f8cf3d638745

  • SHA256

    b7736ffd44d69a16213a96e771fae8d39546a2240b788971edeefe145d382268

  • SHA512

    1138c643e40e8428ef177d169491b02e872c145887eb3d89a316c8e082bd0eee48cbce3b05e05b67650599790b6cc959a1f83b6fd174cb573141341e7b4aed2f

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj69:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5Q

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 8 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1400
    • C:\Windows\SysWOW64\wdzafhirec.exe
      wdzafhirec.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2968
      • C:\Windows\SysWOW64\guptyhlf.exe
        C:\Windows\system32\guptyhlf.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2380
    • C:\Windows\SysWOW64\gwoyshgmbfuudpa.exe
      gwoyshgmbfuudpa.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2516
    • C:\Windows\SysWOW64\guptyhlf.exe
      guptyhlf.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2524
    • C:\Windows\SysWOW64\yrinmiokclrnd.exe
      yrinmiokclrnd.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2600
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2500
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
          PID:1984

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe

      Filesize

      512KB

      MD5

      02f7b2a324ee06d3eec0a6f4c0a0dc20

      SHA1

      ab849f6a33b7f453282a176660960766f7d715b8

      SHA256

      eea7e965e20a5f7f7f4965a21915e07bdc19b70699fdd2599ccfa08755d2e330

      SHA512

      f110c746812bcc9e50bbbbd198dc34b8c447f89d4076660ff25eab70e8a91640c8d48152036ef87c8ec33a55c028bd3c93236489f371e5cce7054061ed46b40a

    • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

      Filesize

      512KB

      MD5

      b72b95f6b53cc365eaf11d883361d95e

      SHA1

      501b1e95b04e24577936764645b22bac3de11888

      SHA256

      962f5607a82ef6f7b41a3c9bd253169f67c8b1d3337fe1e5e3a1958b6e90c94a

      SHA512

      1f9a0cc1db685fe061c73d8b7c7bb794f3335b43a59440190958464ce719ff874c3e53744321be256fdb75c3a9c90c0a8644a1131b5879da7dc09733ebbafd49

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

      Filesize

      20KB

      MD5

      fe95b7fa3b95bc0f00ba276d0ba0ed36

      SHA1

      a99dd1a2557d7141b2f435f1850fec04a4adc478

      SHA256

      6deeb1ecd6f72202a48f858103442b1e9f7e0b874d35d612eef79d0b6b4d98b1

      SHA512

      4c7c26b247dd22cd184e7b9e731d087e0f3ad79797b0e1eec54b66b3118715b571002a5fc9b81539f1950990698f686ef39ab19a90fdc717c12b64552a1ad06e

    • C:\Users\Admin\Documents\RepairRename.doc.exe

      Filesize

      512KB

      MD5

      14be3be406211e62b07e71fdfcd5a14f

      SHA1

      e6fcf195edb39e44313a595ac63cdd049cf9f787

      SHA256

      ba2d18b447014f588aee71023f5d063e18c5d4a6e2b987ef0a376e3d0a624844

      SHA512

      498e82409125e39bd56c2f5109be9d5e2f29e9c8ca235ec9a623b111cfdf7da0a6df3a312de2d124901026f5c36daffab982183b95ee5460e11d53b4e753b5c6

    • C:\Windows\SysWOW64\guptyhlf.exe

      Filesize

      512KB

      MD5

      fc33f1da2086eb188d7bf8d2afad5b8e

      SHA1

      2db383b7092bd1f9f46093be59a1f9cc34f5a2ac

      SHA256

      b6dd17a048b6949cb1eab09072dc19e4c6fae6e6765f87ff93a304a1524f193f

      SHA512

      8963efc0ca5a9de9f8613fb22052a30e75a306e9179ab60f3c9a0de2d5308676e84a3a0f7dd00dda12ed3dad6c588d82a6d951a44989c973ac86d178ef2978f4

    • C:\Windows\SysWOW64\gwoyshgmbfuudpa.exe

      Filesize

      512KB

      MD5

      307cc4cefebc047d37b6d4bec2c35449

      SHA1

      f1dda92c9d80fd493cca1b48e7144b98f76ead29

      SHA256

      7d3b4fe7a64a95588fc9f8302434ca3d93ed4d535889c3fd278ae9d21ed2006d

      SHA512

      3201e2ccd5879ac5b2c45d652d9fb69fe2fa9ae4679e4c6e8f8a78354af860c54da8a89464e364b9e9c4f42f7ec02270a5e01f1b3b90531a3b94b679bdfbe531

    • C:\Windows\SysWOW64\yrinmiokclrnd.exe

      Filesize

      512KB

      MD5

      6d469cb184053f14eb58fb3b283d73cb

      SHA1

      bc4f271249319ce4089139f4120c328440313db6

      SHA256

      0dcbe8a47928b912da5218108172ac3780c420e289f5f05102d60015d4fe1f6d

      SHA512

      98e9404ea5352d35d4ce4e88f133ae2044df2f3994e82fb3c3c7dde99772e09492089aa980ca0835d39410a8e267cca26ad2804f05a7b132e24794c38c9569db

    • C:\Windows\mydoc.rtf

      Filesize

      223B

      MD5

      06604e5941c126e2e7be02c5cd9f62ec

      SHA1

      4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

      SHA256

      85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

      SHA512

      803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

    • \Windows\SysWOW64\wdzafhirec.exe

      Filesize

      512KB

      MD5

      433a9574d81060d584a539df6541c1e1

      SHA1

      cf71fe1d409fd96d322c0e0be442ed7f6f5373a2

      SHA256

      8b62a7d367e2aca0b17e91fd04eecf00e8bbbd37acfb62bab60fe7cfb7f60a35

      SHA512

      a0af7f67e39c6724b6108d89bf1c0fa41a20132b4c390bbe4e768ac7ab6e8af0b32570cadb4799ab6857f4d7eb161966a18b4af78379179d373167308c57cda2

    • memory/1400-0-0x0000000000400000-0x0000000000496000-memory.dmp

      Filesize

      600KB

    • memory/2500-46-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2500-47-0x0000000070FDD000-0x0000000070FE8000-memory.dmp

      Filesize

      44KB

    • memory/2500-42-0x000000002FDC1000-0x000000002FDC2000-memory.dmp

      Filesize

      4KB

    • memory/2500-78-0x0000000070FDD000-0x0000000070FE8000-memory.dmp

      Filesize

      44KB

    • memory/2500-99-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB