Analysis
  max time kernel: 150s
  max time network: 150s
  platform: windows10-2004_x64
  resource: win10v2004-20240426-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 09/05/2024, 23:18
Static task: static1
Behavioral task: behavioral1
  Sample: 2c32fd77b49e9b461502bd7b962b3958_JaffaCakes118.msi
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 2c32fd77b49e9b461502bd7b962b3958_JaffaCakes118.msi
  Resource: win10v2004-20240426-en
General
  Target: 2c32fd77b49e9b461502bd7b962b3958_JaffaCakes118.msi
  Size: 448KB
  MD5: 2c32fd77b49e9b461502bd7b962b3958
  SHA1: c1ac57ee5ff6d01ede7d6b23fd1b8521d01b77ec
  SHA256: 2e3a530f6f30e32e7d982308747f0f9015c37e651939dc8e0982b38425e5cfa0
  SHA512: e3beb16e77667c3f6014ca180151c03699e0a609100abb53e5012a86588eb3f3029c9e4be48b24d9d2fc945f8e61d33fc66d218649f5e5f87b6120891f297287
  SSDEEP: 12288:dER6Wq4aaE6KwyF5L0Y2D1PqLoHPvCMaD:dEnthEVaPqLIPs
Malware Config
Signatures
UPX yara rule matches 14 IoCs
  resource | yara_rule
  behavioral2/files/0x000a000000023391-10.dat | upx
  behavioral2/memory/1636-12-0x0000000000400000-0x00000000004CA000-memory.dmp | upx
  behavioral2/memory/1636-13-0x0000000000400000-0x00000000004CA000-memory.dmp | upx
  behavioral2/memory/1636-24-0x0000000000400000-0x00000000004CA000-memory.dmp | upx
  behavioral2/memory/1636-25-0x0000000000400000-0x00000000004CA000-memory.dmp | upx
  behavioral2/memory/1636-30-0x0000000000400000-0x00000000004CA000-memory.dmp | upx
  behavioral2/memory/1636-31-0x0000000000400000-0x00000000004CA000-memory.dmp | upx
  behavioral2/memory/1636-32-0x0000000000400000-0x00000000004CA000-memory.dmp | upx
  behavioral2/memory/1636-33-0x0000000000400000-0x00000000004CA000-memory.dmp | upx
  behavioral2/memory/1636-34-0x0000000000400000-0x00000000004CA000-memory.dmp | upx
  behavioral2/memory/1636-35-0x0000000000400000-0x00000000004CA000-memory.dmp | upx
  behavioral2/memory/1636-36-0x0000000000400000-0x00000000004CA000-memory.dmp | upx
  behavioral2/memory/1636-37-0x0000000000400000-0x00000000004CA000-memory.dmp | upx
  behavioral2/memory/1636-38-0x0000000000400000-0x00000000004CA000-memory.dmp | upx
Adds Run key to start application 2 TTPs 1 IoCs
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GSVNFV = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windata\\IYRKFO.exe\"" | MSI74A4.tmp
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | Process
  All 46 events are "File opened (read-only)" by msiexec.exe, on the following drive roots in the order recorded:
  \??\K: \??\S: \??\V: \??\E: \??\N: \??\T: \??\W: \??\H: \??\Y: \??\Z: \??\A: \??\M: \??\U: \??\T: \??\S: \??\G: \??\R: \??\B: \??\G: \??\I: \??\L: \??\P: \??\K: \??\Q: \??\X: \??\R: \??\M: \??\N: \??\O: \??\W: \??\A: \??\B: \??\J: \??\X: \??\Q: \??\U: \??\H: \??\J: \??\V: \??\Z: \??\I: \??\O: \??\Y: \??\E: \??\L: \??\P:
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  59 | ipapi.co
  60 | ipapi.co
AutoIT Executable 12 IoCs
AutoIT scripts compiled to PE executables.
  resource | yara_rule
  behavioral2/memory/1636-13-0x0000000000400000-0x00000000004CA000-memory.dmp | autoit_exe
  behavioral2/memory/1636-24-0x0000000000400000-0x00000000004CA000-memory.dmp | autoit_exe
  behavioral2/memory/1636-25-0x0000000000400000-0x00000000004CA000-memory.dmp | autoit_exe
  behavioral2/memory/1636-30-0x0000000000400000-0x00000000004CA000-memory.dmp | autoit_exe
  behavioral2/memory/1636-31-0x0000000000400000-0x00000000004CA000-memory.dmp | autoit_exe
  behavioral2/memory/1636-32-0x0000000000400000-0x00000000004CA000-memory.dmp | autoit_exe
  behavioral2/memory/1636-33-0x0000000000400000-0x00000000004CA000-memory.dmp | autoit_exe
  behavioral2/memory/1636-34-0x0000000000400000-0x00000000004CA000-memory.dmp | autoit_exe
  behavioral2/memory/1636-35-0x0000000000400000-0x00000000004CA000-memory.dmp | autoit_exe
  behavioral2/memory/1636-36-0x0000000000400000-0x00000000004CA000-memory.dmp | autoit_exe
  behavioral2/memory/1636-37-0x0000000000400000-0x00000000004CA000-memory.dmp | autoit_exe
  behavioral2/memory/1636-38-0x0000000000400000-0x00000000004CA000-memory.dmp | autoit_exe
Drops file in Windows directory 8 IoCs
  description | ioc | Process
  File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
  File opened for modification | C:\Windows\Installer\ | msiexec.exe
  File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
  File created | C:\Windows\Installer\SourceHash{29EF7317-DCA1-4159-97B2-C883AD400AC6} | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI7445.tmp | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI74A4.tmp | msiexec.exe
  File created | C:\Windows\Installer\e5773a9.msi | msiexec.exe
  File opened for modification | C:\Windows\Installer\e5773a9.msi | msiexec.exe
Executes dropped EXE 1 IoCs
  pid | Process
  1636 | MSI74A4.tmp
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
  Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr | vssvc.exe
  Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 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 | vssvc.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
  pid | Process | events
  1788 | msiexec.exe | 2
  1636 | MSI74A4.tmp | 62
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  pid | Process
  1636 | MSI74A4.tmp
Suspicious use of AdjustPrivilegeToken 43 IoCs
  description | pid | Process
  Token: SeShutdownPrivilege | 2816 | msiexec.exe
  Token: SeIncreaseQuotaPrivilege | 2816 | msiexec.exe
  Token: SeSecurityPrivilege | 1788 | msiexec.exe
  Token: SeCreateTokenPrivilege | 2816 | msiexec.exe
  Token: SeAssignPrimaryTokenPrivilege | 2816 | msiexec.exe
  Token: SeLockMemoryPrivilege | 2816 | msiexec.exe
  Token: SeIncreaseQuotaPrivilege | 2816 | msiexec.exe
  Token: SeMachineAccountPrivilege | 2816 | msiexec.exe
  Token: SeTcbPrivilege | 2816 | msiexec.exe
  Token: SeSecurityPrivilege | 2816 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 2816 | msiexec.exe
  Token: SeLoadDriverPrivilege | 2816 | msiexec.exe
  Token: SeSystemProfilePrivilege | 2816 | msiexec.exe
  Token: SeSystemtimePrivilege | 2816 | msiexec.exe
  Token: SeProfSingleProcessPrivilege | 2816 | msiexec.exe
  Token: SeIncBasePriorityPrivilege | 2816 | msiexec.exe
  Token: SeCreatePagefilePrivilege | 2816 | msiexec.exe
  Token: SeCreatePermanentPrivilege | 2816 | msiexec.exe
  Token: SeBackupPrivilege | 2816 | msiexec.exe
  Token: SeRestorePrivilege | 2816 | msiexec.exe
  Token: SeShutdownPrivilege | 2816 | msiexec.exe
  Token: SeDebugPrivilege | 2816 | msiexec.exe
  Token: SeAuditPrivilege | 2816 | msiexec.exe
  Token: SeSystemEnvironmentPrivilege | 2816 | msiexec.exe
  Token: SeChangeNotifyPrivilege | 2816 | msiexec.exe
  Token: SeRemoteShutdownPrivilege | 2816 | msiexec.exe
  Token: SeUndockPrivilege | 2816 | msiexec.exe
  Token: SeSyncAgentPrivilege | 2816 | msiexec.exe
  Token: SeEnableDelegationPrivilege | 2816 | msiexec.exe
  Token: SeManageVolumePrivilege | 2816 | msiexec.exe
  Token: SeImpersonatePrivilege | 2816 | msiexec.exe
  Token: SeCreateGlobalPrivilege | 2816 | msiexec.exe
  Token: SeBackupPrivilege | 3120 | vssvc.exe
  Token: SeRestorePrivilege | 3120 | vssvc.exe
  Token: SeAuditPrivilege | 3120 | vssvc.exe
  Token: SeBackupPrivilege | 1788 | msiexec.exe
  Token: SeRestorePrivilege | 1788 | msiexec.exe
  Token: SeRestorePrivilege | 1788 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 1788 | msiexec.exe
  Token: SeRestorePrivilege | 1788 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 1788 | msiexec.exe
  Token: SeRestorePrivilege | 1788 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 1788 | msiexec.exe
Suspicious use of FindShellTrayWindow 1 IoCs
  pid | Process
  2816 | msiexec.exe
Suspicious use of WriteProcessMemory 8 IoCs
  description | pid | Process | procid_target
  PID 1788 wrote to memory of 3356 | 1788 | msiexec.exe | 103
  PID 1788 wrote to memory of 3356 | 1788 | msiexec.exe | 103
  PID 1788 wrote to memory of 1636 | 1788 | msiexec.exe | 105
  PID 1788 wrote to memory of 1636 | 1788 | msiexec.exe | 105
  PID 1788 wrote to memory of 1636 | 1788 | msiexec.exe | 105
  PID 1636 wrote to memory of 2460 | 1636 | MSI74A4.tmp | 110
  PID 1636 wrote to memory of 2460 | 1636 | MSI74A4.tmp | 110
  PID 1636 wrote to memory of 2460 | 1636 | MSI74A4.tmp | 110
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
  C:\Windows\system32\msiexec.exe
    Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\2c32fd77b49e9b461502bd7b962b3958_JaffaCakes118.msi
    PID: 2816
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
  C:\Windows\system32\msiexec.exe
    Command line: C:\Windows\system32\msiexec.exe /V
    PID: 1788
    - Enumerates connected drives
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
      C:\Windows\system32\srtasks.exe
        Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
        PID: 3356
      C:\Windows\Installer\MSI74A4.tmp
        Command line: "C:\Windows\Installer\MSI74A4.tmp"
        PID: 1636
        - Adds Run key to start application
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of WriteProcessMemory
          C:\Windows\SysWOW64\WSCript.exe
            Command line: WSCript C:\Users\Admin\AppData\Local\Temp\GSVNFV.vbs
            PID: 2460
  C:\Windows\system32\vssvc.exe
    Command line: C:\Windows\system32\vssvc.exe
    PID: 3120
    - Checks SCSI registry key(s)
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
  Filesize: 821B
  MD5: 5e6d5b5ec8946646b9d4f58ca913d2c6
  SHA1: 12dd2f0fad0b7628fbbe9d844f1b3e5cb3974553
  SHA256: b9e0b5c5c71f9ed245f377e2490635befcf154bb79488d57191e473d72c2e6b2
  SHA512: 6a2cb7025929dd6f8a322e1b3a23b6e9cc870192935b4d885d9c17769637f5f9b3c8d14220790a9447435651943daa92402cbe1e06637ef5fed2c2e0ed6eb5b4

  Filesize: 420KB
  MD5: 4ea28cd3a218b4068c4a09f95a85cb78
  SHA1: 436d4d139ecabba8173c8e7927edfc738491ca44
  SHA256: 5b71772f3283bf77dab187de440e7b7879ae674985898458da1c87bdeaab0fee
  SHA512: 7f2737686021347b9e8d79d9963dd252d1fe14792cf2ec3c22792e26b310698e23409bb3548ad32a0dcea116672fdd4996161ae7e168221416cd5282659e8a27