Analysis

  • max time kernel
    153s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10/04/2024, 23:05

General

  • Target

    ec2ed9620b6f520171a4a6ee58ea232d_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    ec2ed9620b6f520171a4a6ee58ea232d

  • SHA1

    57b2cb2e575c98420e21a0420bca49ab965a2166

  • SHA256

    9509d63662ca6296e6a5698168ee8f86c94b53f3ca2999e79c84bb26697f45ec

  • SHA512

    b707fdf0afe062ab01bedf24660ce5d982fba9d531e2effed3c590d7fdedab4738eb4cf2c9d17c96294821373b1884a5398914a7366c06568f3235f1ce1c25c3

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6p:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm58

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 8 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 13 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ec2ed9620b6f520171a4a6ee58ea232d_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\ec2ed9620b6f520171a4a6ee58ea232d_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3216
    • C:\Windows\SysWOW64\dzukcfsxzt.exe
      dzukcfsxzt.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:3880
      • C:\Windows\SysWOW64\ulirlnsd.exe
        C:\Windows\system32\ulirlnsd.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:4468
    • C:\Windows\SysWOW64\rknamctnjdnflzg.exe
      rknamctnjdnflzg.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4908
    • C:\Windows\SysWOW64\ulirlnsd.exe
      ulirlnsd.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2724
    • C:\Windows\SysWOW64\dqzwanoojsrkf.exe
      dqzwanoojsrkf.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3404
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:5060
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2628 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:4316

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

      Filesize

      512KB

      MD5

      4b58379a15c933c22203345011a4b268

      SHA1

      45bf90217f8adb22e240f4b9d00915dc6fa94ad5

      SHA256

      eb0d8f526f8a2880eb726cabb987f456edf4e98f74c3f7fa4a98794986f4df2e

      SHA512

      9723ea285402504fb98c260b2d148d1a0cb714c1a0a1364c44537eea2c5b7d5ea2d7dd88f37498d7b52885df967487fa036cdee93440f14f26ff563e38bc780f

    • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

      Filesize

      239B

      MD5

      12b138a5a40ffb88d1850866bf2959cd

      SHA1

      57001ba2de61329118440de3e9f8a81074cb28a2

      SHA256

      9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf

      SHA512

      9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

      Filesize

      3KB

      MD5

      bdcc050b285cafae01236bde231db043

      SHA1

      14ec9b834bd1e986abbce316d0e333a30b119962

      SHA256

      641d0530c6e39b2d6e0182581ce1dcb1503d72a5f9874133122cd2b3daa865da

      SHA512

      90b15dc32814896f6ec25f9ca989063e649af1bb541064651beffcff9a4372bc5747af4e08ca14c4184e5f12f765133d34258b20ae90d8356ad698a896b60766

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

      Filesize

      3KB

      MD5

      9fe96580513c0b93b850d062a2c98d28

      SHA1

      1a6b88a7e0b5cae8f869c0dbb4a49841589cd953

      SHA256

      e2f59ea1bc706c31a349fa21b5bee578c185491416f43b2775c84d5f80161824

      SHA512

      8c7999176ba143166b99af3b26e24fa51bbe3b8b916a1922623c61539d165b3f0f51c4c978973e3f19060097c98514da88241dd292cd7348572abe7d47c9a9c5

    • C:\Windows\SysWOW64\dqzwanoojsrkf.exe

      Filesize

      512KB

      MD5

      60848bb94da17a954c363a13ba068479

      SHA1

      43830b425c32a04cbf47b0d4d4b7163e6484991a

      SHA256

      2d92b37528000491a4c177291639c7aa024ae66a45bc8646d4aa1b94c7898029

      SHA512

      f9eb0996ef70207e71d0610cb3f4fa3ef9bd8dd7f7f32947ccab141927b772b69d053e345666604f26ffcae5b61e3a32824f5485ab4798a6d779377b89a0aebf

    • C:\Windows\SysWOW64\dzukcfsxzt.exe

      Filesize

      512KB

      MD5

      f7630acc4230199172827265374f9b49

      SHA1

      dc23c58fb4a0ba7d1dea4d0e631fbc9079b1283c

      SHA256

      d1f8b75d40e3055d5ca750f177120a75be7369e1d395c533afaa5f04b65f950b

      SHA512

      2fd69b8e6c0d2d099653d391e25eaa097b245607090a67e2df4d4ec55abf8ce2053e467f3bc6d6378a44b615d837700205ae1e58b2d0a820af01bb76d1bcfcc0

    • C:\Windows\SysWOW64\rknamctnjdnflzg.exe

      Filesize

      512KB

      MD5

      c63d958d7a55cf448386c20caa45567e

      SHA1

      3be70ca92d090112c7a559aed12ccaa2733154b4

      SHA256

      1a9febbf78c7e465c246939876dcb70e5238d4349466452e5c93954f042f477b

      SHA512

      3022f6864347d8bfcd288edd67e248aa294e3c56bfb1967e74851d0488be0f60ff14d3c859bda5c5ad07fcdb97980958c109dac5adaf0b43ce04ab6829757674

    • C:\Windows\SysWOW64\ulirlnsd.exe

      Filesize

      512KB

      MD5

      0988ed51cef14502dd95c5ba6d4bab38

      SHA1

      4b2b86d6b78e749f5123b8c6eb9aacd1cd733d5c

      SHA256

      46876c4361c44f7763c9430f759fee58d58d072577da8f4879cb953108a3b0fc

      SHA512

      c8082c5e60f28e7dcbc960bfa07e639444191ee54f30355dee46fca8b48ec3984872e160ed41bc2cf84bc12723867d853bbc52fdbca0b679ced31e80bf6b5e8c

    • C:\Windows\mydoc.rtf

      Filesize

      223B

      MD5

      06604e5941c126e2e7be02c5cd9f62ec

      SHA1

      4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

      SHA256

      85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

      SHA512

      803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

    • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

      Filesize

      512KB

      MD5

      443cc206e171af6de8519ea5958aa7c9

      SHA1

      c5f08e4d45c24997bf72a1cee85cb61d00f5f7e2

      SHA256

      2f204e321e3bb087f4eb5ba5309bcf63d94f1249e6ce7ae7aeffc13d357187fd

      SHA512

      5c3869cd329d8a3b8604a848a2c4c4f30837fbeb921d4e78ea4786cd57649b21916832ae5a850ef6c7a7c7ab0118ff9932c136043b4b4e8a6f615d38da906713

    • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

      Filesize

      512KB

      MD5

      9bd73f5ef4c2bd518932234a9ce877ce

      SHA1

      a7252bdc0898302da37a59054612c561c823ad4f

      SHA256

      30e505979e92a4349b582b8c3ac27ad9ef3c43504ee04bfbd4b29caca5b89646

      SHA512

      52473829d5e74d49fc266ba066790ff0d128d731c6d603803d2cd346c14eccce6b474c66ea33629caf8029b028fe86ebe146f078db2fcf5da7be52845bf413a2

    • memory/3216-0-0x0000000000400000-0x0000000000496000-memory.dmp

      Filesize

      600KB

    • memory/5060-43-0x00007FFEB60F0000-0x00007FFEB6100000-memory.dmp

      Filesize

      64KB

    • memory/5060-85-0x00007FFEF6070000-0x00007FFEF6265000-memory.dmp

      Filesize

      2.0MB

    • memory/5060-47-0x00007FFEF6070000-0x00007FFEF6265000-memory.dmp

      Filesize

      2.0MB

    • memory/5060-46-0x00007FFEB60F0000-0x00007FFEB6100000-memory.dmp

      Filesize

      64KB

    • memory/5060-48-0x00007FFEF6070000-0x00007FFEF6265000-memory.dmp

      Filesize

      2.0MB

    • memory/5060-49-0x00007FFEB3C20000-0x00007FFEB3C30000-memory.dmp

      Filesize

      64KB

    • memory/5060-50-0x00007FFEB3C20000-0x00007FFEB3C30000-memory.dmp

      Filesize

      64KB

    • memory/5060-45-0x00007FFEF6070000-0x00007FFEF6265000-memory.dmp

      Filesize

      2.0MB

    • memory/5060-40-0x00007FFEF6070000-0x00007FFEF6265000-memory.dmp

      Filesize

      2.0MB

    • memory/5060-44-0x00007FFEF6070000-0x00007FFEF6265000-memory.dmp

      Filesize

      2.0MB

    • memory/5060-82-0x00007FFEF6070000-0x00007FFEF6265000-memory.dmp

      Filesize

      2.0MB

    • memory/5060-83-0x00007FFEF6070000-0x00007FFEF6265000-memory.dmp

      Filesize

      2.0MB

    • memory/5060-84-0x00007FFEF6070000-0x00007FFEF6265000-memory.dmp

      Filesize

      2.0MB

    • memory/5060-39-0x00007FFEB60F0000-0x00007FFEB6100000-memory.dmp

      Filesize

      64KB

    • memory/5060-41-0x00007FFEB60F0000-0x00007FFEB6100000-memory.dmp

      Filesize

      64KB

    • memory/5060-42-0x00007FFEF6070000-0x00007FFEF6265000-memory.dmp

      Filesize

      2.0MB

    • memory/5060-37-0x00007FFEB60F0000-0x00007FFEB6100000-memory.dmp

      Filesize

      64KB

    • memory/5060-38-0x00007FFEF6070000-0x00007FFEF6265000-memory.dmp

      Filesize

      2.0MB

    • memory/5060-130-0x00007FFEB60F0000-0x00007FFEB6100000-memory.dmp

      Filesize

      64KB

    • memory/5060-131-0x00007FFEB60F0000-0x00007FFEB6100000-memory.dmp

      Filesize

      64KB

    • memory/5060-132-0x00007FFEB60F0000-0x00007FFEB6100000-memory.dmp

      Filesize

      64KB

    • memory/5060-133-0x00007FFEB60F0000-0x00007FFEB6100000-memory.dmp

      Filesize

      64KB

    • memory/5060-135-0x00007FFEF6070000-0x00007FFEF6265000-memory.dmp

      Filesize

      2.0MB

    • memory/5060-134-0x00007FFEF6070000-0x00007FFEF6265000-memory.dmp

      Filesize

      2.0MB

    • memory/5060-136-0x00007FFEF6070000-0x00007FFEF6265000-memory.dmp

      Filesize

      2.0MB