Analysis

  • max time kernel
    150s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    30/04/2024, 09:58

General

  • Target

    098f94a702d5b06ec699099985bee13d_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    098f94a702d5b06ec699099985bee13d

  • SHA1

    63ee716e024d9e9f4b5445207bb03d04a9730506

  • SHA256

    15e03a2b72f9f2814d4d7d18985d0ac76ac3d7b3eabddc73c34d92f8d58ac6e2

  • SHA512

    1364b0fc5ee69e1edf7a5501d007f93be4c3d857adc2a6646dd728003f2bfd76fc80d91f35b903601176f3dddcc7552a66bdc85795d5d75948e54f4675f1af6d

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj64:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm55

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 5 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\098f94a702d5b06ec699099985bee13d_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\098f94a702d5b06ec699099985bee13d_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2952
    • C:\Windows\SysWOW64\tvbwiqbbjl.exe
      tvbwiqbbjl.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2496
      • C:\Windows\SysWOW64\zlqnymkl.exe
        C:\Windows\system32\zlqnymkl.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2560
    • C:\Windows\SysWOW64\dzidwuoufcszwsj.exe
      dzidwuoufcszwsj.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2684
    • C:\Windows\SysWOW64\zlqnymkl.exe
      zlqnymkl.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2500
    • C:\Windows\SysWOW64\gerzbazxwojwv.exe
      gerzbazxwojwv.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2604
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2412
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
        PID:2280

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

      Filesize

      20KB

      MD5

      46d45009b9b06c2fc95ce9cb5ee8f51e

      SHA1

      2806a8190bacec15e399e45614575fda6ff62db9

      SHA256

      5da0eb661cb7b65beb1cb701edbb3fb96ff66045b988302982e8d4dcc0ad5c23

      SHA512

      22fb36e937f81f92cdb24bcf4babbfd249530a04e789ac8e9c72ebd20be59d6d689a44d128992482079e9323490d5cef5d5f69dcd7f37a237664f45a26239f07

    • C:\Windows\SysWOW64\dzidwuoufcszwsj.exe

      Filesize

      512KB

      MD5

      48cdbfe78a6205a34a15d5e127b78bfa

      SHA1

      645f0e20003961c8c84f8374935885e3544d15d7

      SHA256

      96c2a045bd98d51538ce9ff28e90859c7519001b34b5069850fb2da55c08297f

      SHA512

      31f64e2bb707e8bf2cfb2cfd2d46e7c9fdbb3b4c599bde773ec2c423af18d8aa02ee75449c92eb62892587b271da03f91e2f2dc91ed12319fbaa6fa2c1444965

    • C:\Windows\mydoc.rtf

      Filesize

      223B

      MD5

      06604e5941c126e2e7be02c5cd9f62ec

      SHA1

      4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

      SHA256

      85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

      SHA512

      803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

    • \Windows\SysWOW64\gerzbazxwojwv.exe

      Filesize

      512KB

      MD5

      0495e0917b96a0d498da0b73f9626756

      SHA1

      c873482253f96cfa08d59ad5faa15ecc8a927f5c

      SHA256

      bbae47c064e7a44a0565d52d591e35cc5e307e16e0b63292a0d8f0f9e10a0498

      SHA512

      791fbfb2550ce2d1aebce3dfedf6de50cf62628f6dc492c28f72273edb527a86fd900421c16476bc3b54a2525eb227bb9c71f3db6ac09a654d358255aea2c098

    • \Windows\SysWOW64\tvbwiqbbjl.exe

      Filesize

      512KB

      MD5

      6d3fd7e10e1e6d717efbf81f77fabe45

      SHA1

      d9d49b5e95e122fdc265eeb61b0b99885d970bec

      SHA256

      017311ff351e58642e10c8456076ea1b1102e6f67bd7459c8635bcb108b6395e

      SHA512

      e3c433da6829d04eba5e657923510bfb16e630ef7839989caf9f107dbcc1651e4463a68052bd5867b1ac81a6fc19c62683f56dfe195052c3f3bdd035ec8c2719

    • \Windows\SysWOW64\zlqnymkl.exe

      Filesize

      512KB

      MD5

      65f95f77faa9d2caa401fc3175cdbdb9

      SHA1

      293a2aa893139119dbb7872f6177a474c4c7ab01

      SHA256

      cd27c2d96ea15301c729638007a2165e6010c64638a40df82c89c2df1b5504bd

      SHA512

      99139f465a10085532d2a7adc998bada7513615711bc9f79aaf575eabcb5566fb27504886c8d5f5a48efb1de32d74a1253321eafbdfc2f4e4429a9ed16296fe6

    • memory/2412-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2412-92-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2952-0-0x0000000000400000-0x0000000000496000-memory.dmp

      Filesize

      600KB