Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
29/04/2024, 09:20
General
-
Target
07537a8f7e1a4207eb82c253fe296a8f_JaffaCakes118.exe
-
Size
5.5MB
-
MD5
07537a8f7e1a4207eb82c253fe296a8f
-
SHA1
85d2beb1cd30e8342eabacb82bcdaa9f01018857
-
SHA256
b30e0fbf03f4bc7481aae8d625a127105c8a601096408f99ed62878a9579425e
-
SHA512
c29529f41f382b66a77952949795bb0bb48127070db97436cf1efa3538a257a0e562824177665aa570c5d11adf17ab7cc5d66f0c9aca76d8b85d82a8fb7d269a
-
SSDEEP
98304:XfN28AUgZFJiJaOht/IIn3qWw7spWOpJoCt6XEki7/A5DDyb3dQLBDlhaHkwEA5L:vA7UgZFJiJJ/IIn1YOICtENJ5D2ZoBO7
Malware Config
Extracted
azorult
http://163.172.175.132/1A6B3831-A96D-4936-815A-6F7C904EF9C0/index.php
Signatures
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
KPOT
KPOT is an information stealer that steals user data and account credentials.
-
KPOT Core Executable 1 IoCs
-
Drops file in Drivers directory 3 IoCs
-
Checks computer location settings 2 TTPs 5 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 12 IoCs
-
Loads dropped DLL 3 IoCs
-
Modifies system executable filetype association 2 TTPs 4 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Registers COM server for autorun 1 TTPs 3 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Drops file in Program Files directory 57 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies Internet Explorer settings 1 TTPs 14 IoCs
-
Modifies registry class 32 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SetWindowsHookEx 17 IoCs
-
Suspicious use of WriteProcessMemory 56 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\07537a8f7e1a4207eb82c253fe296a8f_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\07537a8f7e1a4207eb82c253fe296a8f_JaffaCakes118.exe"1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c start "" "C:\Users\Admin\AppData\Local\Temp\Setup1829.exe" /verysilent2⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Setup1829.exe"C:\Users\Admin\AppData\Local\Temp\Setup1829.exe" /verysilent3⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Crystall Idea\Uninstall Tool\1.exe"C:\Program Files (x86)\Crystall Idea\Uninstall Tool\1.exe" /silent4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-HP6B8.tmp\1.tmp"C:\Users\Admin\AppData\Local\Temp\is-HP6B8.tmp\1.tmp" /SL5="$30200,3102762,185856,C:\Program Files (x86)\Crystall Idea\Uninstall Tool\1.exe" /silent5⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\regsvr32.exe"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\Uninstall Tool\utshellext.dll"6⤵
- Loads dropped DLL
- Modifies system executable filetype association
- Registers COM server for autorun
- Modifies registry class
-
-
C:\Windows\system32\regsvr32.exe"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\Uninstall Tool\utshellext_x86.dll"6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exe/s "C:\Program Files\Uninstall Tool\utshellext_x86.dll"7⤵
- Loads dropped DLL
- Modifies system executable filetype association
- Modifies registry class
-
-
-
C:\Program Files\Uninstall Tool\UninstallTool.exe"C:\Program Files\Uninstall Tool\UninstallTool.exe" /install_service_silent6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\rundll32.exerundll32.exe setupapi.dll, InstallHinfSection DefaultInstall 132 .\CisUtMonitor.inf7⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\runonce.exe"C:\Windows\system32\runonce.exe" -r8⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\grpconv.exe"C:\Windows\System32\grpconv.exe" -o9⤵
-
-
-
-
-
C:\Program Files\Uninstall Tool\UninstallTool.exe"C:\Program Files\Uninstall Tool\UninstallTool.exe" /init6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files\Uninstall Tool\UninstallTool.exe"C:\Program Files\Uninstall Tool\UninstallTool.exe" /add_control_panel_icon6⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files\Uninstall Tool\UninstallTool.exe"C:\Program Files\Uninstall Tool\UninstallTool.exe" /pin_to_taskbar6⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files\Uninstall Tool\UninstallToolExec.exe"C:\Program Files\Uninstall Tool\UninstallToolExec.exe"6⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Uninstall Tool\UninstallTool.exe"C:\Program Files\Uninstall Tool\UninstallTool.exe"7⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Uninstall Tool\UninstallToolHelper.exeUninstallToolHelper.exe8⤵
- Executes dropped EXE
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c start "" "C:\Users\Admin\AppData\Local\Temp\File001.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\File001.exe"C:\Users\Admin\AppData\Local\Temp\File001.exe"3⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c start "" "C:\Users\Admin\AppData\Local\Temp\File002.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\File002.exe"C:\Users\Admin\AppData\Local\Temp\File002.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4812 -s 16124⤵
- Program crash
-
-
-
-
C:\Program Files (x86)\Internet Explorer\ielowutil.exe"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding1⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1680 CREDAT:17410 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4812 -ip 48121⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Event Triggered Execution
1Change Default File Association
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
52KB
MD5ce7f6aef1b27d41e7365700e74afc969
SHA1eca24811ab520c1b3fc7dc07179311dc76ea8be8
SHA256d03ae146525b6a0b43f9cc94cac672d65f91a57b9898e1093932561b22fdb50e
SHA512e65b5871c1e711b3e3f866cb7c91fb62bde24bc6b1a1c1b5cf4a32cfd577a86b4615f44fb2bb629bca92b6e87deaa8fa6d8f0b00ad1677e3e75a3bb6dd7c6bc1
-
Filesize
3.5MB
MD5cc54a313a8e23a64e501056c6ba25bc7
SHA183a34de9ce945da1c8d582b322047a0ce9db1a4d
SHA2561242f58b0f3825ca07e262e9c37e32731bf687374642870550bdbfb092e3bb97
SHA51272092129f64a790a7a608fdb350ab6b635150ee4b4e76b694d1a2d354d505532b24b1d40b45aa9880d0d30ced7b2c3bcc9b8e779f836c13a77ed99a0da3cb3d0
-
Filesize
97KB
MD59607e8cc411112371a34e7701a80b230
SHA1e471940c6d0ab75ed87f41e1ebeafde459fe60b4
SHA256da0d9e96f00c804e968ad99e683dcfb5a9e9703fda1291f09a9db2918c2be567
SHA512d812fb36ed2df7be9e5b152a53205c5bb35979300097399b0be6f334a2cb64f62d53027cf30424eda26d0b1678ff772a792fb607b8523ce4c9098fb497d8ed2f
-
Filesize
2KB
MD5ab33006d71573c73ea639a4d90923bf7
SHA13fb74cc71b41ca0c2abec7008e88737fef9ad66c
SHA256416ca112938536cdc8191eea469479398e6ce01ec25a4830991d93142a46422f
SHA51235df4cad9d9cfecc1e649b25daa052141d530dfafc57607fc806e3b7267fb802529867bbf5c508b14f82ac320a472d883b7e62fef081dfe865d7a1c61c77cc32
-
Filesize
4.6MB
MD507acf83bda719741025b34a0671fc754
SHA1426e6e512fb52290f49bd606a05bf12abb05e7ba
SHA25661d9f616d3c1f22df0e7668e181b1c7910ea48a51b57519837dd5cadebc1cf04
SHA512f27f17ccb2c486310fa1ee33115d349fa7a7708b5be216366a9ecc031d6d1a84073604446624568230fbcd4792beb6112f4b9f960213b517d5ba22a9ec26366a
-
Filesize
218KB
MD5ccda58e3bcd4da4fe22d5e80c3cfb27f
SHA171c23b3b6bc611d0030dde422d98e4a3659a4319
SHA256f52683e6b16634a5ed2f5e99ec1d6e1f1d585e7f3feae88a47b200fea70375a7
SHA51252a1bb1dbf2e50c66cca1aa81583daa0e1e55b42f6940334c5ed524e65d71bd3c49742f9664dd436772f3fc37406b800cb9284ab55b03814d61b5003a62f11ca
-
Filesize
423KB
MD54d454f8abe7860306da91c55ba9be042
SHA1a83ce432ada547eac181e20e0249ea9c4b484843
SHA256d323ce72e2cf82f061b4a62dfc212472f7850b4dffd3658193298c2232a04d0b
SHA5121f099152c4f81135a18a5c8b52f4543505dba145c16879f37ff62815cd5adccd9b332d3b9164736acb411443f05ce4ef3e89c2d605e94b3593e770f0f8dce21b
-
Filesize
36KB
MD50fdb3264d678d048ecae17799df05cb4
SHA1df4887043e8f437aa2a879b47772040f8347fc9f
SHA256cd9a38aa64c6cfa2391a5f89b0c7cdf4cbfd63bf6d69d6620f12c736ce4d5892
SHA512a4c9e76fd22c1ec8e44193d26355f6fdb067e6bdfe2084f6993ddbb18d790dacc71d6c9e28553dc6118ec31a96e9241cc5d38db6b53671ad6a69576ba611dedd
-
Filesize
379KB
MD5b45a9b037e1686b7c217bc406bc933af
SHA1c3ef67fb58ced40c1312f0855d5c897c08b4e1bb
SHA256e589ba19b06772570ab1d36675fe1f0a201760f6b16f1a1f3b374b695070fe7f
SHA5126b47f29d9df2ab22735bfe7cede43ac3af7cefc75a58c90daeebf10c2e5fd92a1132f035d78e47573524ad0091152422779b74957be897e6777ef6a9de065919
-
Filesize
335KB
MD52f9c5a77aec3e3e4387320267d996f89
SHA1a023bd77be6784e80b6381010e5a867c5f7ce542
SHA256595df900ddd426ba124198782a027a09d356cfe7924b7f69fa51696377535e0f
SHA512f283d6a163ad08348a35c347dd7f0c92746a6ebfb9709e8029f608eb0ba97309726c7aa17414f58a77672e56d8c6dacc062a537ab44dd552bc9110e726b1c220
-
Filesize
945B
MD52735d476771cc00ef345f41e9ffa4459
SHA16691a12311f026a90d5313fadcd1e2148ea65445
SHA2564940d64b99da9d1e2af0f929708d2ddc86fbf92b310b343eb215ded44ae8efe3
SHA5127cd6c455a021a49c0aa94803d532f27f51168c0232c6b700aaf58125377cf939453e799b504dc014f8ca303213827a623ee29a472ac7fa30d1e6e912b887a653
-
Filesize
481KB
MD53372d01659f43b8dffd5b14914b03890
SHA19c09efd4ff70674eafd1238525fc1bb127948404
SHA25668d658155beff9b517aae6a26c3735c26ca6e1e026089403876e188cb23848a6
SHA5125830689beaf260f2cbdc0d90029bf0b73246cf46f3346e4825c8d6613ce92c926132de35f9fe016f00441a5aa79a7c4288f6883566c15e54d89422dc2ea1dada
-
Filesize
195KB
MD571ca31e32c62557a91c072255c79b9ad
SHA11c03cc0471ac7b289b49f4ef9b2691d4282d3f5c
SHA25659b790491d763421741300e1473d1d302ad96130cc26c1c87edaf7469d4d5885
SHA51213691125da737a3915784db6ef9e990850ebb6f78c034ab98ca9676f9bf4b1b2b7bc8195f00e0a47d598c0a84582c7bf3291d1691d099c4374e7b1a1beba5876
-
Filesize
3.7MB
MD5811c36d10c8cb9d7eb4023755939c389
SHA1f77c8cc3369d341fe5f4e8a0ada22aacbe5dd2d6
SHA2560b37b021a61d3352ff8e5d43f185d08ad1245938ab22123c9b58d661ff731620
SHA512c16cb83746b0108566d2c74c86cafd03ded6cc6d57fd0e71f44598f8ad72fed03ebe6f2d4fa4d33937477656e1231bb38104a53ff26a9ce744c08e57d07effe7
-
Filesize
1.2MB
MD5b7d0813e1f27e5b6b01b65a518731759
SHA1b942b56e9cf826ea46c7e27b139f75e6d2605cfc
SHA2567c0a7db43a4b649b3cd9e5ca8c1e0041a167a7339668b75dd1ec1c972b20fac4
SHA512cbb7d217197af7ac375910df142d09c68d1c118f4e44652339494a1de5d7d57cc223c0b08d62597b66d01a6fba325ea1c94cce11d4bce128e0e7c1d03ecf1604
-
Filesize
2KB
MD565b65862d48178a71d0cb4da54b62c96
SHA14b19796cf5fc94d30788ee61ced090d1d6ac299f
SHA256647f68b03c9a5d7f21d2a0c27f5bbd72d8559ab4e17a365e24be937155f5c033
SHA512a37d98cb6deb56ee9fdde13c91bca88e918ff7041632373730ce447fb8e2443cbcf5f43b69c99c542d2bdc96ec2dd8157a9438956d812d106239b11be0782384
-
Filesize
1KB
MD5b686c239de5bc638271322d247c89bb4
SHA14986d1748bf439e299f19bf64df4d721770cfb77
SHA256c0af4a2d740c7a45a69ff544b5173ad1ea6038e75af87b5306242f30fd3a6882
SHA512ab2d036746e4f25f38710b26594a9fd463600d63da2d6ad8fcc0553f39c162738ed43e39b507e729690c67be993e34ee99d0cc13688532a79fb9a35a3350e067
-
Filesize
1KB
MD5f67b90fc9441580b7e1a13fa66638e2d
SHA170852dec6239ab4749538c25217dc8d383641c4b
SHA256706841416b4dd847c7a6740583cb14ca9213d188056c44251bab90b589722e08
SHA512ac54b9dcc0767fcf47066b68f6dc856bd89fc650dc98d600ccc8bfa28c9b35f8150086432cf949011a065681a83aebc4d95a15ac2fbce0415a81d0241429528d
-
Filesize
1KB
MD51554d1be8b28d4ff1c2cb12ed8e33ee9
SHA18fd74e7961d16d00a4f86bded326f80addde04b4
SHA256d54a993d6f4d19a300d4e3009e6add0155a21e1398be69ce36a5a361efbe81e0
SHA512f5c454787d233f97de25c4f752f8060a0c9c9cd6b13c84d2600e6437443de61bfb7a61dab2455c1c4569d7c6f45ed6d546eb1c101a64ed35d0eaec6252d600e9
-
Filesize
220KB
-
Filesize
220KB
-
Filesize
11.7MB
-
Filesize
4KB
-
Filesize
11.7MB
-
Filesize
11.7MB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
428KB
-
Filesize
428KB
-
Filesize
500KB
-
Filesize
500KB
-
Filesize
500KB
-
Filesize
500KB
-
Filesize
1.2MB
-
Filesize
204KB
-
Filesize
5.1MB