Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    01/05/2024, 01:33

General

  • Target

    0ad61c4f369ef91a0a8afeaae1844032_JaffaCakes118.exe

  • Size

    527KB

  • MD5

    0ad61c4f369ef91a0a8afeaae1844032

  • SHA1

    3aacba35e18d73e6bf22eb3aed1f20d611ee3875

  • SHA256

    04a810ffcaf4ab849bb2b7a4bdfbcb9aabd9e85513e3a7f0861c770001146bd1

  • SHA512

    a68d5e76d59a0375025868ad4d1a7cf8fc80205d3475b6875d39993e81c5e52350196801710e27d2497e9bca8ed4b2343d95d46ed14253398ca12576e27c104b

  • SSDEEP

    12288:/quErHF6xC9D6DmR1J98w4oknqOOCyQfQJXzaVqfENFSmFZ6:Grl6kD68JmlotQf+eVzNFxFZ6

Score
8/10

Malware Config

Signatures

  • Possible privilege escalation attempt 6 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 64 IoCs
  • Modifies file permissions 1 TTPs 6 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • AutoIT Executable 3 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 12 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 43 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of FindShellTrayWindow 35 IoCs
  • Suspicious use of SendNotifyMessage 35 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\0ad61c4f369ef91a0a8afeaae1844032_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0ad61c4f369ef91a0a8afeaae1844032_JaffaCakes118.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2356
    • C:\~dbomfgw.tmp
      C:\~dbomfgw.tmp /S
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Suspicious use of WriteProcessMemory
      PID:1988
      • C:\Windows\system32\takeown.exe
        "C:\Windows\system32\takeown.exe" /f "C:\Windows\system32\uxtheme.dll"
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:3088
      • C:\Windows\system32\icacls.exe
        "C:\Windows\system32\icacls.exe" "C:\Windows\system32\uxtheme.dll" /grant Admin:f
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:2600
      • C:\Windows\system32\takeown.exe
        "C:\Windows\system32\takeown.exe" /f "C:\Windows\system32\themeui.dll"
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:3248
      • C:\Windows\system32\icacls.exe
        "C:\Windows\system32\icacls.exe" "C:\Windows\system32\themeui.dll" /grant Admin:f
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:1956
      • C:\Windows\system32\takeown.exe
        "C:\Windows\system32\takeown.exe" /f "C:\Windows\system32\themeservice.dll"
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:3924
      • C:\Windows\system32\icacls.exe
        "C:\Windows\system32\icacls.exe" "C:\Windows\system32\themeservice.dll" /grant Admin:f
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:3656
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4000
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000004D4" "00000000000005AC"
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:2408

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\nso2030.tmp\SysRestore.dll

    Filesize

    5KB

    MD5

    4310bd09fc2300b106f0437b6e995330

    SHA1

    c6790a68e410d4a619b9b59e7540b702a98ad661

    SHA256

    c686b4df9b4db50fc1ddb7be4cd50d4b1d75894288f4dc50571b79937d7c0d7e

    SHA512

    49e286ccd285871db74867810c9cf243e3c1522ce7b4c0d1d01bafe72552692234cf4b4d787b900e9c041b8a2c12f193b36a6a35c64ffd5deef0e1be9958b1f7

  • C:\Windows\System32\themeservice.dll.new

    Filesize

    43KB

    MD5

    bf69cdedb4f36015e43dc8117134f058

    SHA1

    717b59942919209a01dc88218bb9e28517ff63c5

    SHA256

    b9737b8b11687bc241e150a1a9eceee0fa979dd4ab30c01e335f970564f0c3c7

    SHA512

    2cfce2abcd9806275f44ad2df6f5259a9e02e88802e7c4359665ae415dfa88d478447eea80d81c12f130c544c8a8a71a2706d95ce4cccf5e5d0180b464a3629c

  • C:\Windows\System32\themeui.dll.new

    Filesize

    2.7MB

    MD5

    274c75ff99e6bc973232dfb4d450cdcd

    SHA1

    e000812516d3d60d6fcf340f34d13f51e4d23912

    SHA256

    35415d2a7d97ac2fd9ccfe28a93c3aff0f4fa9d83636699b4d89139dc9d23f34

    SHA512

    f1e922c74725e29f980a63c369c86f8d56e91e7f83652830633941f918777207ec2941ba91fe2a3e259851f45d92defde538f31324788aba4cce051247a674a2

  • C:\Windows\System32\uxtheme.dll.new

    Filesize

    324KB

    MD5

    2e08363a75712e753f4d5b3b34531584

    SHA1

    323190cd2c21152df3dedfee1ca701f11e355a01

    SHA256

    66fd0a342d0c56f2d73edc7ee4c0f7dc3c8ab3ab77be1a8f5083f6984f4be754

    SHA512

    b8c00275a61236de4145007f7301dff452300ba3d7807684ac226ab2a61e3712223f31c6f431346a5e452ddd5585aa867d2e2b6b1b7c147b24ce110ca6615dc3

  • C:\~dbomfgw.tmp

    Filesize

    158KB

    MD5

    63f97f0f83d525d798596963a41426e0

    SHA1

    e20f5011669a3aa5e54826add72d507c182be334

    SHA256

    f0ee8f91b19d7070c6a29298c2649b1f14ce6a4d88ae799477a033e8119b6af1

    SHA512

    a73413961fa3c81200eca1fd92fc4ba125bdb7f62c6a9173bf8df23aff2e03a57da47f71f32b52df6cfdcd149a60330bf9a5b27b1b45b032b89d8969ab948dcf

  • \Users\Admin\AppData\Local\Temp\nso2030.tmp\System.dll

    Filesize

    11KB

    MD5

    3e6bf00b3ac976122f982ae2aadb1c51

    SHA1

    caab188f7fdc84d3fdcb2922edeeb5ed576bd31d

    SHA256

    4ff9b2678d698677c5d9732678f9cf53f17290e09d053691aac4cc6e6f595cbe

    SHA512

    1286f05e6a7e6b691f6e479638e7179897598e171b52eb3a3dc0e830415251069d29416b6d1ffc6d7dce8da5625e1479be06db9b7179e7776659c5c1ad6aa706

  • \Users\Admin\AppData\Local\Temp\nso2030.tmp\nsisFile.dll

    Filesize

    5KB

    MD5

    b7d0d765c151d235165823b48554e442

    SHA1

    fe530e6c6fd60392d4ce611b21ec9daad3f1bc84

    SHA256

    a820a32e5ce89e3e336afc71aa1bf42a357ec542c2bc6e50c6255c1333812587

    SHA512

    5d801c24dfa1b7326f72f9c0acf3a330ef0cc3fce25ceee200bb12eab8c2b653025602e610e0cecda1e7cbd851ce1b66252531220b557a378ddb0b4a1741fa66

  • memory/2356-0-0x0000000000160000-0x0000000000293000-memory.dmp

    Filesize

    1.2MB

  • memory/2356-25027-0x0000000000160000-0x0000000000293000-memory.dmp

    Filesize

    1.2MB

  • memory/2356-25058-0x0000000000160000-0x0000000000293000-memory.dmp

    Filesize

    1.2MB

  • memory/2356-25059-0x0000000000160000-0x0000000000293000-memory.dmp

    Filesize

    1.2MB