
Analysis

  • max time kernel
    150s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64
    arch:x86
    image:win7-20240508-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    12/05/2024, 08:46

General

  • Target

    39409cd656c0bc7567e2c8352dcc2236_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    39409cd656c0bc7567e2c8352dcc2236

  • SHA1

    0b4ded3b48affa28dfc075d3a56c6a8ed1ac9479

  • SHA256

    9f93f8f5e71266c7001be5bfa04830fc68f8a697b014d04058d1cf5417c5fbd7

  • SHA512

    d34208d2994a2a7314b2b0c16af693504658f3588bddbba4a31f5aaa75db37814b48584112d2a70e07a871852f7dbb1b90409eea6e5038781fdbc1aecbe3cd2c

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj60:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5V

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 7 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 28 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of FindShellTrayWindow 47 IoCs
  • Suspicious use of SendNotifyMessage 34 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
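
The Explorer, RegEdit, WinLogon and Run-key signatures above each correspond to a small set of well-known registry locations. The following added example (not tria.ge's rule code, and not taken from this report) turns those signature names into a check that can be run over registry value-set records, such as a sandbox registry log or Sysmon event ID 13 converted to (pid, key, value name, data) tuples. The `RegWrite`, `Finding`, `classify` and `scan` names are this example's own; the sample log is constructed to mirror the behaviours the process tree attributes to PIDs 2596 and 2696, since the report does not list the values actually written.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class RegWrite:
    """One registry value-set event: pid, full key path, value name, data."""
    pid: int
    key: str
    name: str
    data: object


@dataclass
class Finding:
    pid: int
    signature: str
    detail: str


# Standard Windows locations behind the report's Explorer, RegEdit, WinLogon
# and Run-key signatures. The values the sample itself wrote are not listed
# on the report page, so the checks below encode the known-hostile settings.
EXPLORER_ADV = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
POLICIES_SYS = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System"
WINLOGON = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
RUN_KEYS = {
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
}
# Default Winlogon values on a clean Windows 7 install (compared case-insensitively).
WINLOGON_DEFAULTS = {"shell": "explorer.exe", "userinit": r"c:\windows\system32\userinit.exe,"}


def _norm(key: str) -> str:
    """Registry paths are case-insensitive; a trailing backslash is not significant."""
    return key.lower().rstrip("\\")


def classify(w: RegWrite) -> Optional[Finding]:
    """Map one registry write to the report signature it would trigger, if any."""
    key, name = _norm(w.key), w.name.lower()
    if key == _norm(EXPLORER_ADV):
        if name == "hidefileext" and w.data == 1:
            return Finding(w.pid, "Modifies visibility of file extensions in Explorer",
                           "HideFileExt=1: known extensions hidden, so 'x.doc.exe' displays as 'x.doc'")
        if name == "hidden" and w.data == 2:
            return Finding(w.pid, "Modifies visibility of hidden/system files in Explorer",
                           "Hidden=2: hidden files and folders not shown")
        if name == "showsuperhidden" and w.data == 0:
            return Finding(w.pid, "Modifies visibility of hidden/system files in Explorer",
                           "ShowSuperHidden=0: protected operating system files not shown")
    elif key == _norm(POLICIES_SYS) and name == "disableregistrytools" and w.data not in (0, None):
        return Finding(w.pid, "Disables RegEdit via registry modification",
                       f"DisableRegistryTools={w.data}")
    elif key == _norm(WINLOGON) and name in WINLOGON_DEFAULTS:
        if str(w.data).strip().lower() != WINLOGON_DEFAULTS[name]:
            return Finding(w.pid, "Modifies WinLogon",
                           f"{w.name}={w.data!r} (default {WINLOGON_DEFAULTS[name]!r})")
    elif key in {_norm(k) for k in RUN_KEYS}:
        return Finding(w.pid, "Adds Run key to start application", f"{w.name}={w.data!r}")
    return None


def scan(events: List[RegWrite]) -> List[Finding]:
    return [f for f in (classify(e) for e in events) if f is not None]


# Constructed sample log. PIDs and file names follow the process tree in the
# report, but the report does not show the values written; these are illustrative.
SAMPLE_LOG = [
    RegWrite(2596, EXPLORER_ADV, "HideFileExt", 1),
    RegWrite(2596, EXPLORER_ADV, "Hidden", 2),
    RegWrite(2596, EXPLORER_ADV, "ShowSuperHidden", 0),
    RegWrite(2596, POLICIES_SYS, "DisableRegistryTools", 1),
    RegWrite(2596, WINLOGON, "Shell", r"explorer.exe,C:\Windows\SysWOW64\knnojupyyb.exe"),
    RegWrite(2596, WINLOGON, "Userinit", r"C:\Windows\system32\userinit.exe,"),  # unchanged default: no finding
    RegWrite(2696, r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
             "jpfiqzvvzvnconu", r"C:\Windows\SysWOW64\jpfiqzvvzvnconu.exe"),
    RegWrite(2552, r"HKCU\Software\Microsoft\Office\14.0\Word", "ExampleValue", 1),  # benign noise: no finding
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"PID {f.pid}: {f.signature} -> {f.detail}")
```

Two design points: keys are compared case-insensitively because the Windows registry is, and the Winlogon check compares against the known default rather than looking for a specific dropped-file name, so an appended ",C:\...\anything.exe" is caught regardless of the random name the sample chose.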

Processes

  • C:\Users\Admin\AppData\Local\Temp\39409cd656c0bc7567e2c8352dcc2236_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\39409cd656c0bc7567e2c8352dcc2236_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2128
    • C:\Windows\SysWOW64\knnojupyyb.exe
      knnojupyyb.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2596
      • C:\Windows\SysWOW64\tstchmrd.exe
        C:\Windows\system32\tstchmrd.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        PID:2524
    • C:\Windows\SysWOW64\jpfiqzvvzvnconu.exe
      jpfiqzvvzvnconu.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2696
    • C:\Windows\SysWOW64\tstchmrd.exe
      tstchmrd.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2424
    • C:\Windows\SysWOW64\sckcmtpbzkpas.exe
      sckcmtpbzkpas.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2656
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2552
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
          PID:1740
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Modifies Installed Components in the registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2732

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Program Files\DismountSuspend.doc.exe

      Filesize

      512KB

      MD5

      37a989ea046f8825f68026096361249f

      SHA1

      6914cab086eaf3dbac8b64f3897a7ff38d0ebf34

      SHA256

      1dd3309d2bca2c78a5437fa26baac3a67626d04ec2674f61b85d88cb5b3486e2

      SHA512

      a524ba6515a47e915253a391e599c201f3f47e9181733368d39cf38e43bb8b22c986c82ba8c0f0c08412329544eb0cb42d17c78b030201e82a8d76239f149285

    • C:\Program Files\StopShow.doc.exe

      Filesize

      512KB

      MD5

      1de9b7d140a23a33c020a8d4d0235350

      SHA1

      ba75884662d2fc3213399d793d005f9db9ce29ef

      SHA256

      9e3cce6dd062388d1a03425a2a8e942933e61eab586ef672c589edcdde1ec11c

      SHA512

      ffae7a8b51fab2435f2e2492d296faa744a822e4ef38936c5b5bc99887b7e2b54a666810dcf9823e1692a899d600b37943155d3e39bf6f27b8a46c5ec3f801a3

    • C:\Windows\SysWOW64\jpfiqzvvzvnconu.exe

      Filesize

      512KB

      MD5

      b10961b18148b26cfb3f5eed00fae932

      SHA1

      fe9704e0df29067003ddefc2c34306a3b37c44a5

      SHA256

      047d6b8cc08c37cc993214c60b665594203ab273c27897b4010283c2394b3b46

      SHA512

      dc32b5100d40bd3964887db1f89fa44fc8d83f27645983a7eeb90eb790202ada199d3b2bc1d59b8b03a989392c54e9c004770b9001be2cc2ee4c3b7264efa393

    • C:\Windows\mydoc.rtf

      Filesize

      223B

      MD5

      06604e5941c126e2e7be02c5cd9f62ec

      SHA1

      4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

      SHA256

      85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

      SHA512

      803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

    • \Windows\SysWOW64\knnojupyyb.exe

      Filesize

      512KB

      MD5

      ee0ae4de9aef3c1f05abe7d40af37205

      SHA1

      19186725b2fcb0414a80864a028012aed5b8e327

      SHA256

      8dbc43c0e4b86365a37fe1a8b68a2a8510a83a9da1b70fdb9f1d4286944f2932

      SHA512

      b11a334be945a46016b591066c8a082ae485461054370400763b407b785a2c5033027ab2d46e76466c58efb3766d501fa8d466417d187158baafaeaa7b30000b

    • \Windows\SysWOW64\sckcmtpbzkpas.exe

      Filesize

      512KB

      MD5

      3d2da0f995ef15cb3db13584daf542c6

      SHA1

      5092f0966762b47d7504ab166832ff7e1c5158d4

      SHA256

      ba80308ffd18e6f5a5c25bcaba31bfe5783b890f1617d7f2ff2610d2a97b371b

      SHA512

      10a91a7b0f5db3ef1b6110675532feddd97195452bce0d70b392c68142eef47207b90441e77feb5a9aba72973398799e7e28752972da63bd158dac1918df51a2

    • \Windows\SysWOW64\tstchmrd.exe

      Filesize

      512KB

      MD5

      939f86d335167145e0c5a735740de081

      SHA1

      7fea7894eca81dfeb5798b1fde3b148f1316f5b9

      SHA256

      534a8143d1156e71b655634c3a5889603cba3d9f1eb143ffc1ce3a7a7e2b3d09

      SHA512

      a740a9419a90d257466292c24f63e9341c5c5e63b53fd563e7c3e0dd527a21057650ce000dfad86b4f07676e6a27688e254bcecf8266a105954086126184b68a

    • memory/2128-0-0x0000000000400000-0x0000000000496000-memory.dmp

      Filesize

      600KB

    • memory/2552-52-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2732-90-0x0000000002A20000-0x0000000002A30000-memory.dmp

      Filesize

      64KB
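
The dropped executables listed above are all 512KB and the report tags the sample as an AutoIT Executable. A quick way to confirm that classification on a file from the Downloads list is to look for the marker AutoIt v3 places in front of a compiled script body, "AU3!EA06" ("AU3!EA05" in older builds). The following added example (not code from the report or from tria.ge) parses the PE section table to find where the mapped image ends, searches the whole file for the marker, and reports whether the hit lies in the overlay past the last section, since the script body can also sit inside a resource. The `image_end`, `find_autoit_script` and `build_sample_pe` names are this example's own, and the sample PE is constructed test data rather than any of the files above; the `sha256` field is there so a result can be matched against the hashes listed in Downloads.

```python
import hashlib
import struct
import sys
from typing import Dict, Optional

# Marker that AutoIt v3 writes in front of a compiled script body. Older
# builds used b"AU3!EA05"; both are matched below.
AU3_MARKERS = (b"AU3!EA06", b"AU3!EA05")


def image_end(data: bytes) -> Optional[int]:
    """Return the file offset where the PE image ends, i.e. the start of any
    overlay, or None if `data` does not parse as a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    (num_sections,) = struct.unpack_from("<H", data, e_lfanew + 6)   # FileHeader.NumberOfSections
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)      # FileHeader.SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size                                  # first IMAGE_SECTION_HEADER
    end = table + num_sections * 40
    for i in range(num_sections):
        hdr = table + i * 40
        if hdr + 40 > len(data):
            return None
        raw_size, raw_ptr = struct.unpack_from("<II", data, hdr + 16)  # SizeOfRawData, PointerToRawData
        end = max(end, raw_ptr + raw_size)
    return min(end, len(data))


def find_autoit_script(data: bytes) -> Dict[str, object]:
    """Locate an AutoIt compiled-script marker and say where in the file it sits."""
    end = image_end(data)
    hit, marker = -1, None
    for m in AU3_MARKERS:
        hit = data.find(m)
        if hit >= 0:
            marker = m.decode()
            break
    return {
        "is_pe": end is not None,
        "sha256": hashlib.sha256(data).hexdigest(),
        "marker": marker,
        "marker_offset": hit if hit >= 0 else None,
        "overlay_offset": end,
        "in_overlay": end is not None and hit >= end,
    }


def build_sample_pe(overlay: bytes) -> bytes:
    """Constructed test data: a minimal, non-runnable PE32 with one section
    and `overlay` appended after the last section."""
    e_lfanew, opt_size, sect_size, raw_ptr = 0x40, 0xE0, 0x200, 0x200
    dos = b"MZ" + b"\0" * (e_lfanew - 2 - 4) + struct.pack("<I", e_lfanew)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)  # i386, 1 section
    opt_hdr = struct.pack("<H", 0x10B).ljust(opt_size, b"\0")               # PE32 magic, rest zero
    section = b".text\0\0\0" + struct.pack("<IIIIIIHHI", sect_size, 0x1000, sect_size,
                                           raw_ptr, 0, 0, 0, 0, 0x60000020)
    headers = (dos + b"PE\0\0" + file_hdr + opt_hdr + section).ljust(raw_ptr, b"\0")
    return headers + b"\xC3" * sect_size + overlay


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, find_autoit_script(fh.read()))
```

Run it as `python autoit_check.py <file>` against each executable from the Downloads list; a hit in the overlay with a matching SHA256 is the classic compiled-AutoIt layout, while a hit inside the image points at a resource-embedded script.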