Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

5

098f94a702...18.exe

windows7-x64

10

098f94a702...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    129s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30/04/2024, 09:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    098f94a702d5b06ec699099985bee13d_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    098f94a702d5b06ec699099985bee13d

  • SHA1

    63ee716e024d9e9f4b5445207bb03d04a9730506

  • SHA256

    15e03a2b72f9f2814d4d7d18985d0ac76ac3d7b3eabddc73c34d92f8d58ac6e2

  • SHA512

    1364b0fc5ee69e1edf7a5501d007f93be4c3d857adc2a6646dd728003f2bfd76fc80d91f35b903601176f3dddcc7552a66bdc85795d5d75948e54f4675f1af6d

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj64:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm55

Score
10/10
evasionpersistencespywarestealertrojan

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Windows security bypass 2 TTPs 5 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 6 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 10 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 12 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 19 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\098f94a702d5b06ec699099985bee13d_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\098f94a702d5b06ec699099985bee13d_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:552
    • C:\Windows\SysWOW64\tvbwiqbbjl.exe
      tvbwiqbbjl.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:4376
      • C:\Windows\SysWOW64\zlqnymkl.exe
        C:\Windows\system32\zlqnymkl.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:4772
    • C:\Windows\SysWOW64\dzidwuoufcszwsj.exe
      dzidwuoufcszwsj.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4156
    • C:\Windows\SysWOW64\zlqnymkl.exe
      zlqnymkl.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3888
    • C:\Windows\SysWOW64\gerzbazxwojwv.exe
      gerzbazxwojwv.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:512
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:4980

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
    Filesize

    512KB

    MD5

    209400861ac065c818c3dd9a69232171

    SHA1

    ae632144101c444c50e6c891e502ecac295b96f5

    SHA256

    a8c6a884f594daa9d711b242fac3f33cd75de3a6e535a78719abbf7922e545b8

    SHA512

    c2872fda92314c058e3fe64dc5263418b5d8eb1cd73976c69e35327a655c54447484bcc938df6033a659f6e7c796fcdbdc9b9e3a654719b7fec5b2a362bd0ea5

    Download Submit

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
    Filesize

    512KB

    MD5

    41929e56987a4163d359730aad8101e5

    SHA1

    db4d57b65cf212465df9a0cddc0ee11049dbf7df

    SHA256

    9d9bb3c8d2fc8c37f13e10f0a2723d67e1858fb427829edeead1995010b77fd4

    SHA512

    786696beb537fe458a81726d60b2beb2a8595e962fd106460db1fc05cadccb5ef32daacbf034d6e7a916d3c4395362d06d34c2a6e3f263a884efcd19dea2df1c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\TCD7F1F.tmp\gb.xsl
    Filesize

    262KB

    MD5

    51d32ee5bc7ab811041f799652d26e04

    SHA1

    412193006aa3ef19e0a57e16acf86b830993024a

    SHA256

    6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97

    SHA512

    5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
    Filesize

    239B

    MD5

    4e2ddddec076ae1469fea38bbe9fe5be

    SHA1

    d5da2e049613ac4ac0e01e174b7a3e8cb3aae67e

    SHA256

    a163003ab9fbee533ddc28e1ff24424388871bccb0495a73b29c33def5f5a197

    SHA512

    1ef1a7dee8b68f56fd6515c211c02bd9e27c00fdfedd07a82f57827be5195e4a5f21d630f87a91b43a58a52d7b5fd86a7d044f8daa5c90cd57bae0921953e896

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
    Filesize

    3KB

    MD5

    8957b68379d75a79afae7d43195e06fd

    SHA1

    5827a33953f8c112066fae2e1f14609d0c1a1769

    SHA256

    186b842c3382c9adcd0d71b17a7428be355ffb6007fd08084a25b45425b60907

    SHA512

    3376e383f63590253c3f4c56b592dd75f01ab4cfe6873889471f6115b7dcbc54434f59b0da121bb1b098161bcfb5c369c7c01c2e12bb95ddf579ebc4b0dfcea7

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
    Filesize

    3KB

    MD5

    32a1659a840f257dad91d366ab5e4f2c

    SHA1

    f67ec46e15249762dcfeaf6b87337aa834f53db2

    SHA256

    0fc499cda666434b6e0cc364c55860c5631e94b4a6d3a8904111652e5de3a31e

    SHA512

    9d54d62d244fbefe74f4c4958fe302e9105bc9be290edb41e7d4cafb9d8b9a6dbac4f70bcce2286b52e20bbb54085595e43edb58c49026d3129cffb5330f922c

    Download Submit

  • C:\Users\Admin\Documents\WaitHide.doc.exe
    Filesize

    512KB

    MD5

    33892936b6ebabbcca9ecc65827d7a98

    SHA1

    56e308f0eecd99fa295a6b631925f08c9235769f

    SHA256

    925230e70d2d785e405f29ebf397e9fec6da2537bafa9473edbd89279a529ce6

    SHA512

    c383f0e388b5f630b73959242fb9849bfba4af82fbb82292c683ef3b057ce666ab5b37d5029a5bf9e1bc8daf56b47d6f74f955efcfe5e87abaa200185842f7ef

    Download Submit

  • C:\Windows\SysWOW64\dzidwuoufcszwsj.exe
    Filesize

    512KB

    MD5

    279568b7952d7599cc741574168cecfb

    SHA1

    c9eaa13701f9a120780eabcc844814624226acfb

    SHA256

    d73d1533ef6bda9a921a9c1afa04a234774444165504bdc20d9748e3a7e6f57a

    SHA512

    e8712a80f95aa1d8a5e177a941ebd4ad2f8d58b59da8c97da4204936e99ab6ad8340006ba7531ad554e3317429a9bb27b914e8074047c5f42dcb3b247be3fe24

    Download Submit

  • C:\Windows\SysWOW64\gerzbazxwojwv.exe
    Filesize

    512KB

    MD5

    829157b7b39b90a33809b0b9d936f298

    SHA1

    10385a49510fcdeb099663b9bc264c00df797295

    SHA256

    3b1d6360ea56c5413ad2820f02904bc5a31f1973e73413af0e2258c3c631c9d3

    SHA512

    02509636872eb27970d5eedafb232cd7eb53f916e9092a342dbcd2e00c82b77120ee09cade521cd57454a267ccd26837388985310d6aef160a2a029b427e3990

    Download Submit

  • C:\Windows\SysWOW64\tvbwiqbbjl.exe
    Filesize

    512KB

    MD5

    fe2d4b02a18e14787ec4a34a9686ea50

    SHA1

    ab9d4bf5001ab3139ed3528dfa82378008ff44ff

    SHA256

    0dc12927de5cf79e1409426654a3ec741733ebd2788618f12851007e1979f9ce

    SHA512

    004ad1f795ce8abeeb32c15a430f112b5aac346a9756a45de30fa694b35d0087fb37419fa514284056ece497479d475298e85e4e742282d1801f1c68cfd39d07

    Download Submit

  • C:\Windows\SysWOW64\zlqnymkl.exe
    Filesize

    512KB

    MD5

    992fbbdfe87192e81ff4bce1d3b7bbb0

    SHA1

    c8115fa53ae8ba6738cf1ae85cfe677b5752bf54

    SHA256

    f7e9bb535e53f602500977ac26bcdec710ebd1d60f5d0d62bebd32b8b8ca786f

    SHA512

    34f3fecc667fe0ffa6dad7682c80e492dd9dacbd22a43948263e3d7574542173e47a2d57d2c9e5264581ebeb8961cd839314bc8192b3b97309e782c021411155

    Download Submit

  • C:\Windows\mydoc.rtf
    Filesize

    223B

    MD5

    06604e5941c126e2e7be02c5cd9f62ec

    SHA1

    4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

    SHA256

    85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

    SHA512

    803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

    Download Submit

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
    Filesize

    512KB

    MD5

    13634751c18034b4c60ee8d16b8e521d

    SHA1

    6036f592b5f976aee04ccc093b2f9f7a4b7d64df

    SHA256

    f786b9ea4f137bb8ec4e9b2263e531591c41ba2d893ba5acad6b34b01533cb6d

    SHA512

    3a59563225af23f0db3fb9d75bce769ba68575ec3e9a74e08ec8dbf7cff2a685e6c67bc97a44507f040c4f90b936f66dd2086cf72c3b1944effe5b8ee95f1f4f

    Download Submit

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
    Filesize

    512KB

    MD5

    56a016e803e5c8ec0ad73bd6f1784401

    SHA1

    3b9201989435eba256e72cb556dfe40c7c22cb8b

    SHA256

    078abc943ef8a233b8300d143e41e8045550344401ef6e66de42b3698a235532

    SHA512

    6d613662ef4d0eb82bf250308a29a04fbd76c1c3f49736516b284d55ba2a0a78921a59c9861d2e630271ef32939793619d04d7077f67908cc5f62c029543182d

    Download Submit

  • memory/552-0-0x0000000000400000-0x0000000000496000-memory.dmp

    Filesize

    600KB

    Download

  • memory/4980-36-0x00007FFD9B510000-0x00007FFD9B520000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4980-39-0x00007FFD9B510000-0x00007FFD9B520000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4980-38-0x00007FFD9B510000-0x00007FFD9B520000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4980-37-0x00007FFD9B510000-0x00007FFD9B520000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4980-41-0x00007FFD98E70000-0x00007FFD98E80000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4980-35-0x00007FFD9B510000-0x00007FFD9B520000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4980-43-0x00007FFD98E70000-0x00007FFD98E80000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4980-605-0x00007FFD9B510000-0x00007FFD9B520000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4980-607-0x00007FFD9B510000-0x00007FFD9B520000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4980-606-0x00007FFD9B510000-0x00007FFD9B520000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4980-604-0x00007FFD9B510000-0x00007FFD9B520000-memory.dmp

    Filesize

    64KB

    Download