Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    150s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
  • submitted
    10/04/2024, 23:05

General

  • Target

    ec2ed9620b6f520171a4a6ee58ea232d_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    ec2ed9620b6f520171a4a6ee58ea232d

  • SHA1

    57b2cb2e575c98420e21a0420bca49ab965a2166

  • SHA256

    9509d63662ca6296e6a5698168ee8f86c94b53f3ca2999e79c84bb26697f45ec

  • SHA512

    b707fdf0afe062ab01bedf24660ce5d982fba9d531e2effed3c590d7fdedab4738eb4cf2c9d17c96294821373b1884a5398914a7366c06568f3235f1ce1c25c3

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6p:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm58

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 6 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of FindShellTrayWindow 47 IoCs
  • Suspicious use of SendNotifyMessage 34 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\ec2ed9620b6f520171a4a6ee58ea232d_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\ec2ed9620b6f520171a4a6ee58ea232d_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2220
    • C:\Windows\SysWOW64\dohyrvfizl.exe
      dohyrvfizl.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2648
      • C:\Windows\SysWOW64\hifkoqed.exe
        C:\Windows\system32\hifkoqed.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        PID:2664
    • C:\Windows\SysWOW64\mhwdldlotoliqmh.exe
      mhwdldlotoliqmh.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2516
    • C:\Windows\SysWOW64\hifkoqed.exe
      hifkoqed.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2812
    • C:\Windows\SysWOW64\cgrpwfyljnsqt.exe
      cgrpwfyljnsqt.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2692
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:2492
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies Installed Components in the registry
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2096

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

    Filesize

    512KB

    MD5

    57bfc2079d9a418939879aabe6b09852

    SHA1

    e98f823c581eca214c7093cbd1d7493ada7cf53d

    SHA256

    5536d58c3984e7a2328e31e4cba0284f3b85b33ee8035d1f0f17cf69f2a5f2d8

    SHA512

    85425836985e927796617a26396995c5ef3b8f7c5f9f0f74e4617bd15f2c87489442f43880138ee7526a88f25fc48297efced70fba0b6b7d35464da1fce5ff29

  • C:\Windows\SysWOW64\cgrpwfyljnsqt.exe

    Filesize

    512KB

    MD5

    7a73212ebda69bab73e6ca09d2962566

    SHA1

    c21a0f797df73266bfc49fe8bb12baefa4001356

    SHA256

    52d08880fc94633bfa9eebe94a70bf0735e7ea825021b8d0d8c07605ca91f860

    SHA512

    bfed1b37a6beb41585560acc79f16efc42ca267e4b5c85f65ebfbb4e8212923f283dc359f8766c67726db8b75c512f639492a0f4100455e8b8225ade51940762

  • C:\Windows\SysWOW64\mhwdldlotoliqmh.exe

    Filesize

    512KB

    MD5

    b69b0e6c77ec16aa715913c767467bb9

    SHA1

    d40c95513a35c21343dc80b862a54fb259d03092

    SHA256

    d7cba6dc9d6082de444f915297fd77f3245cf5e230e0f0f514a47aec508667e4

    SHA512

    de365f762f47e459ef124b836adc5a9d2e1978ee705a730c7ee60c32984e203c510f8455c08f8f2b2280715623ed4ce24da2ea90092ed322a70ae79c6f250636

  • C:\Windows\mydoc.rtf

    Filesize

    223B

    MD5

    06604e5941c126e2e7be02c5cd9f62ec

    SHA1

    4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

    SHA256

    85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

    SHA512

    803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

  • \Windows\SysWOW64\dohyrvfizl.exe

    Filesize

    512KB

    MD5

    83fd757dd18ac498aae3c7f8b211b297

    SHA1

    b8152fe51f75a5d65fe8e09b776907677bfc7124

    SHA256

    e8e18380a1ea9b5905c6ac682391eb0503fbb628159ddb1d523682976513a160

    SHA512

    e0be5b349d65006911c2d82f32027be0fef622aa55f31bbddfe6b2ea25b8655e84aaf26f8bcaa7316b09c9afe5c2468b198599f5f3113fd2d42d63ab24fc818b

  • \Windows\SysWOW64\hifkoqed.exe

    Filesize

    512KB

    MD5

    416a5977c1421b33aada8ce0788dc56c

    SHA1

    2e7e9e067068262cb1d78b31b0059388ee389b92

    SHA256

    21696dfb95029492f3cc2cc0b8de730edff5f676bb071f2ae68ed219aafec819

    SHA512

    e8f473881d75ae17a385cba7f37dc9d8b9da3f0c7109ac3e5ce9b1e0b3b5f33bf989abff2a5ab747f39861b253091438972d04f91b311d893fe6d2b2656f997d

  • memory/2096-79-0x0000000004360000-0x0000000004361000-memory.dmp

    Filesize

    4KB

  • memory/2096-82-0x0000000004360000-0x0000000004361000-memory.dmp

    Filesize

    4KB

  • memory/2096-87-0x0000000003BE0000-0x0000000003BF0000-memory.dmp

    Filesize

    64KB

  • memory/2220-0-0x0000000000400000-0x0000000000496000-memory.dmp

    Filesize

    600KB

  • memory/2492-46-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

  • memory/2492-47-0x00000000714FD000-0x0000000071508000-memory.dmp

    Filesize

    44KB

  • memory/2492-45-0x000000002F5F1000-0x000000002F5F2000-memory.dmp

    Filesize

    4KB

  • memory/2492-80-0x00000000714FD000-0x0000000071508000-memory.dmp

    Filesize

    44KB