
Resubmissions

29/04/2024, 17:58

240429-wkjscsgg46 10

29/04/2024, 17:54

240429-wg64gshb2s 10

Analysis

  • max time kernel
    150s
  • max time network
    117s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
  • submitted
    29/04/2024, 17:54

General

  • Target

    08448a94a9c69ba7c6282108561036d4_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    08448a94a9c69ba7c6282108561036d4

  • SHA1

    5abda980f646bd60457869f9aef8ba1e1dde024c

  • SHA256

    a837b91aedefd4a62d7785a29b42ed3bfb6a9b1e18776e740a51905a21c8ce66

  • SHA512

    4addb089a8c7875b7c09bfa6d9b0a153a659d0b0213e6ab69e11c92dbc61accc42b1c2606b0d1de2abac62e82c23643adea8abe664d6f768ffa8fa585a8d4921

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6/:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5W

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 6 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of FindShellTrayWindow 47 IoCs
  • Suspicious use of SendNotifyMessage 34 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\08448a94a9c69ba7c6282108561036d4_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\08448a94a9c69ba7c6282108561036d4_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:384
    • C:\Windows\SysWOW64\eguhlhctwu.exe
      eguhlhctwu.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:1948
      • C:\Windows\SysWOW64\zjyuywdt.exe
        C:\Windows\system32\zjyuywdt.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        PID:2800
    • C:\Windows\SysWOW64\jdytiujdpzcsckx.exe
      jdytiujdpzcsckx.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2012
    • C:\Windows\SysWOW64\zjyuywdt.exe
      zjyuywdt.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2664
    • C:\Windows\SysWOW64\gfxjxzuplbkdx.exe
      gfxjxzuplbkdx.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2712
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:1012
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies Installed Components in the registry
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2760

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe

    Filesize

    512KB

    MD5

    42c7e379336d66de7042b8a152bd7a41

    SHA1

    e921e08c8fcedd785b3ef26829e24c623f5fef93

    SHA256

    766c95c3878bbf3ee82fd2fd83e36c9098897869f86118533b345539a4a9fc1d

    SHA512

    18d25157e65a67d56c22063adbed942b13199517c52d57b01ae16e206df7c9e24e1e35f18401cb5ab15ff3307156fa0217ffe1c0e77775db30a7370745d445f5

  • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

    Filesize

    64B

    MD5

    38a4516b7d5cb4f3587f565188d1bceb

    SHA1

    06a34707787b4d8dff094747c788323e5f409ac1

    SHA256

    02220f59356410741596342197dc7f4527ad862cafbb0ed7af69396d8b7c0697

    SHA512

    d64c673db2eac0daca7e181a65215b0ada2eabd6ea822022034c79b5c6e654cf97b5f349bba14f67a864fd035d3de35712183a0a315dcb72a448bf4734be04f0

  • C:\Windows\SysWOW64\jdytiujdpzcsckx.exe

    Filesize

    512KB

    MD5

    766409a18fdc9f09e78d27895502115e

    SHA1

    9e5518755d1d8ac612bb86b541917076bf614e12

    SHA256

    7b5c7c7e65630bb31a04478760257441cfe16cc4e7fa8a69c526df5869b0262e

    SHA512

    1a7113697b9ca9e69291e2c3964176c36ae968b2caae9fe3d22991b8fbcf26393b7ebaa12a120c76ccca7e5e06d2c725d4e9859f39d7189ddcfb6e6ba3297ba1

  • C:\Windows\SysWOW64\zjyuywdt.exe

    Filesize

    512KB

    MD5

    3c2812ac3f2fc56d6cfa9599459f5417

    SHA1

    23cb8e52dedbd4986d13167969cfb084ccedbd65

    SHA256

    17de120fa3949611dd4d2ee74f5b976063a6e623378fce50e69defdcc7816730

    SHA512

    17f74790fe15a8fbfedbafa0464476a3d1d07aab95d590ecf6c94d563f6dc28b4d31a4f849052e8cc182abbd30e179fae02894227f0560ecc3da3c90f685bb3f

  • C:\Windows\mydoc.rtf

    Filesize

    223B

    MD5

    06604e5941c126e2e7be02c5cd9f62ec

    SHA1

    4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

    SHA256

    85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

    SHA512

    803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

  • \Windows\SysWOW64\eguhlhctwu.exe

    Filesize

    512KB

    MD5

    f4b7825607b2cbc5df1afc3cdfd82e52

    SHA1

    5ac285b444060bd58c89833a6bfffcbe202ab4d3

    SHA256

    512a706c51b003353737523923a4fc1e4f72e3dc13c58e8124aed4faadb40aa9

    SHA512

    4912e5ee443747ca7e62ad223c38d20c56581a42432dfaf623cd59fcf041fa80a8fc01b0450f6d40d84afc317c92c78ab43a6c5a525e210cdbe57231e46c1b37

  • \Windows\SysWOW64\gfxjxzuplbkdx.exe

    Filesize

    512KB

    MD5

    afe7db906d104b0980e21de9afc262b0

    SHA1

    3ffa32a59284833a80a423e353c89765c2b21939

    SHA256

    40521c166ce00004014a9c5cd9f4384e05604217742ff80df43ea44fe7ab4620

    SHA512

    b57f28fe3d2474b7b4cfb53519c0e60debfc6c2c0675ef2f88148a0867982d52c31c32c154650ef2bd89975bb85c86f842c7c2d35aa3dd64f32405bb66bdd116

  • memory/384-0-0x0000000000400000-0x0000000000496000-memory.dmp

    Filesize

    600KB

  • memory/1012-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

  • memory/2760-78-0x0000000002AE0000-0x0000000002AF0000-memory.dmp

    Filesize

    64KB