Analysis

  • max time kernel
    150s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
  • submitted
    13/05/2024, 14:58

General

  • Target

    400d65415c8f91979d13ee4832cf4d19_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    400d65415c8f91979d13ee4832cf4d19

  • SHA1

    b88b829cfa2f6f9b5bef65a6a6d077f5f53c4425

  • SHA256

    3485a0476b45b0f71bb936abc1b8da7411e902b18e1fb05d4e58d33023942f0d

  • SHA512

    7c965ea81b15847f73ef7ec800d147f4a576199bfbe6d1c67a490e79fb17e9f04ff25a21027578521bf72c30714ec6bfb9c5dd0c56714d8b75895dd70b3fbcf5

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6M:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm53

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 6 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\400d65415c8f91979d13ee4832cf4d19_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\400d65415c8f91979d13ee4832cf4d19_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1728
    • C:\Windows\SysWOW64\seiojsltmw.exe
      seiojsltmw.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2984
      • C:\Windows\SysWOW64\jjyrvpkq.exe
        C:\Windows\system32\jjyrvpkq.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2668
    • C:\Windows\SysWOW64\mopxfuknxovquwy.exe
      mopxfuknxovquwy.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2588
    • C:\Windows\SysWOW64\jjyrvpkq.exe
      jjyrvpkq.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2544
    • C:\Windows\SysWOW64\xgezhxzovscuz.exe
      xgezhxzovscuz.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1040
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2380
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
        PID:328

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe
    Filesize  512KB
    MD5       6b42a39d5bc70b66d8ec8500273c16cf
    SHA1      5d788e621246c67cce236890e8ea5b4a51ebbf5a
    SHA256    4bbbf3a7b5989de40b15e5706d06fd435dfee8d91a61045714bcf7c380c18372
    SHA512    acbb41f5fc1401f55a75e072e18132634cc3551a2d1e8e46e80a88ebe39ef0eb6b5fa4c661153c5527356d178c1e7070ed89fa772c5c603eafb0c35cf9b8cfa9

  • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
    Filesize  20KB
    MD5       cf826d5de47c49b2d8fd3c98920736a7
    SHA1      af2f50b2453480ac50cceca26acdf86b29a57f79
    SHA256    77c4d8252054f325d67e8575503a867b29ecde0de0fb8f5c50816c63a761f955
    SHA512    3e585114fdb40b54f98e7c241eb130d59c684fbbd930860d974bd3bda3379a3f48bc70e340359c12ca04f79850ecb29aa780f322cd6c65063fe69a3881ce7ea4

  • C:\Windows\SysWOW64\mopxfuknxovquwy.exe
    Filesize  512KB
    MD5       ec4b55d25ccd70b66f82b513d0451ab6
    SHA1      e951d6ee8d74e23efb311eaec77b7ca9cb650a07
    SHA256    033209c51c01cf4ccde480d8535ff9bab3157156c7f9d8f6b297cc6e971ae2b3
    SHA512    4d6a68582040b81645be5e44c7f9c25be5716646792f459799ee9b7fafd32f84339020206b00751b0ab90b6e6e89f95b58b8637e9db174ef2a537040b1be53d3

  • C:\Windows\mydoc.rtf
    Filesize  223B
    MD5       06604e5941c126e2e7be02c5cd9f62ec
    SHA1      4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
    SHA256    85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
    SHA512    803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

  • \Windows\SysWOW64\jjyrvpkq.exe
    Filesize  512KB
    MD5       b57da6f54ee1605f63d4d5a56334798a
    SHA1      29c781ed2e07fe41c27796eb2b9358f8c0c045b8
    SHA256    5b173a92b2c363c1c464d12601965dac222b48c53d3e59eee6c9ec504ea7bf25
    SHA512    5d6ce98ee307cb8f1d96d9c036e124dd08c77b5d2239a80d2ec6dcde764a66ec76286adfdec5e9e44f65538198e11da104f1394ccccf8e2daa09d3bc3dc1740e

  • \Windows\SysWOW64\seiojsltmw.exe
    Filesize  512KB
    MD5       1e9c439124d0ee98076bd5c3a4ec99df
    SHA1      fea4661da71e47df17344a3e15a04ebe2a703d6d
    SHA256    b964de1da1de303e0e5adaaaa6bc724d30748d5e34077cc096738929d0fa5731
    SHA512    da666cab055b6fb0f6441321a0d551f57f86dedab659a3a107555e845942e7082eb9636c289db30ce54646571c8dca69b69dbbdf707550b6b3ab7c4645ff7dd1

  • \Windows\SysWOW64\xgezhxzovscuz.exe
    Filesize  512KB
    MD5       3063469f02d8f52749621cabfb03bf37
    SHA1      32df5d1398cf95cbd4ddfb90be552f8659571da3
    SHA256    59d99aa5929a7b1251f5d46b3dd7f13507b979ab46f0fd1f66ef2b5c1ef30c7b
    SHA512    8992e221daf6ae6d507c05d6beacbf0e91c3050745c5fedc347f7edcb8c6588471cbbe89e958638790942fadfe6371c9f29aacf1717e49571c03225d744b15de

  • memory/1728-0-0x0000000000400000-0x0000000000496000-memory.dmp
    Filesize  600KB

  • memory/2380-45-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize  64KB

  • memory/2380-94-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize  64KB
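The following is an added example and not part of the tria.ge report or its signature set: it turns the Signatures, Processes and Downloads sections above into hunting checks and runs them over constructed Sysmon-style events (Event ID 1 process create, 11 file create, 13 registry value set). Two things are assumptions rather than facts from the page: the report names the behaviours but does not print the registry values it matched, so the checks use the standard key paths those Triage signature names usually correspond to; and the event records, the SID and the value written to the Winlogon key are constructed for the example, not taken from the analysis. The file paths, PIDs and hashes are copied from the report.

```python
"""Hunting checks derived from the report above (added example, not tria.ge code).
Assumed rather than stated on the page: the registry key paths are the standard
locations these Triage signature names usually correspond to, and the event records
are constructed to mimic Sysmon Event ID 1, 11 and 13, not taken from the analysis."""
import re

# SHA256 of the files the sample dropped, copied from the Downloads section.
# Normal.dotm is left out because Word itself creates it on first launch.
REPORT_SHA256 = {
    r"C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe":
        "4bbbf3a7b5989de40b15e5706d06fd435dfee8d91a61045714bcf7c380c18372",
    r"C:\Windows\SysWOW64\mopxfuknxovquwy.exe": "033209c51c01cf4ccde480d8535ff9bab3157156c7f9d8f6b297cc6e971ae2b3",
    r"C:\Windows\SysWOW64\jjyrvpkq.exe": "5b173a92b2c363c1c464d12601965dac222b48c53d3e59eee6c9ec504ea7bf25",
    r"C:\Windows\SysWOW64\seiojsltmw.exe": "b964de1da1de303e0e5adaaaa6bc724d30748d5e34077cc096738929d0fa5731",
    r"C:\Windows\SysWOW64\xgezhxzovscuz.exe": "59d99aa5929a7b1251f5d46b3dd7f13507b979ab46f0fd1f66ef2b5c1ef30c7b",
    r"C:\Windows\mydoc.rtf": "85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2",
}
KNOWN_SHA256 = set(REPORT_SHA256.values())

# Registry behaviours from the Signatures section as (TargetObject regex, Details regex,
# signature). Sysmon logs HKCU as HKU\<SID>\... and a DWORD as "DWORD (0x00000001)".
# Key paths are an assumption (see module docstring). Hidden=2 / ShowSuperHidden=0 hide files.
_HKU = r"^HKU\\[^\\]+\\"
_CV = r"Software\\Microsoft\\Windows\\CurrentVersion\\"
REGISTRY_RULES = [
    (_HKU + _CV + r"Explorer\\Advanced\\HideFileExt$", r"\(0x00000001\)$",
     "Modifies visibility of file extensions in Explorer"),
    (_HKU + _CV + r"Explorer\\Advanced\\(Hidden|ShowSuperHidden)$", r"\(0x0000000[02]\)$",
     "Modifies visibility of hidden/system files in Explorer"),
    (_HKU + _CV + r"Policies\\System\\DisableRegistryTools$", r"\(0x00000001\)$",
     "Disables RegEdit via registry modification"),
    (r"^HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\(Shell|Userinit)$",
     r".", "Modifies WinLogon"),
    (r"^(HKU\\[^\\]+|HKLM)\\" + _CV + r"Run\\[^\\]+$", r".", "Adds Run key to start application"),
]
COMPILED_RULES = [(re.compile(k, re.I), re.compile(d, re.I), n) for k, d, n in REGISTRY_RULES]

# File drops seen in the process tree: an .exe written into the system directory by a
# process outside C:\Windows, and a double-extension .exe (PROTTPLV.DOC.exe) under Program Files.
SYSTEM_EXE = re.compile(r"^C:\\Windows\\(System32|SysWOW64)\\[^\\]+\.exe$", re.I)
WINDOWS_TREE = re.compile(r"^C:\\Windows\\", re.I)
PF_DOUBLE_EXT = re.compile(r"^C:\\Program Files( \(x86\))?\\.*\.(doc|docx|rtf|xls|pdf)\.exe$", re.I)

def parse_sysmon_hashes(field):
    """'SHA256=AB..,MD5=CD..' -> {'sha256': 'ab..', 'md5': 'cd..'}"""
    out = {}
    for part in field.split(","):
        if "=" in part:
            alg, val = part.split("=", 1)
            out[alg.strip().lower()] = val.strip().lower()
    return out

def check_event(ev):
    """Return the report signature names that one Sysmon-style event triggers."""
    hits, eid = [], ev.get("EventID")
    if eid == 1 and parse_sysmon_hashes(ev.get("Hashes", "")).get("sha256") in KNOWN_SHA256:
        hits.append("Executes dropped EXE")
    elif eid == 11:
        target, creator = ev.get("TargetFilename", ""), ev.get("Image", "")
        if SYSTEM_EXE.match(target) and not WINDOWS_TREE.match(creator):
            hits.append("Drops file in System32 directory")
        if PF_DOUBLE_EXT.match(target):
            hits.append("Drops file in Program Files directory")
    elif eid == 13:
        key, details = ev.get("TargetObject", ""), ev.get("Details", "")
        hits += [n for k, d, n in COMPILED_RULES if k.search(key) and d.search(details)]
    return hits

def hunt(events):
    """Return (ProcessId, signature, evidence) for every rule an event trips."""
    return [(ev.get("ProcessId"), n, ev.get("TargetObject") or ev.get("TargetFilename") or ev.get("Image"))
            for ev in events for n in check_event(ev)]

# Constructed events replaying the process tree above, plus two benign records that
# must not fire. The SID and the Winlogon value written are invented for the example.
_SID = r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
_DROPPER = r"C:\Users\Admin\AppData\Local\Temp\400d65415c8f91979d13ee4832cf4d19_JaffaCakes118.exe"
_STAGE2 = r"C:\Windows\SysWOW64\seiojsltmw.exe"
SAMPLE_EVENTS = [
    {"EventID": 11, "ProcessId": 1728, "Image": _DROPPER, "TargetFilename": _STAGE2},
    {"EventID": 1, "ProcessId": 2984, "Image": _STAGE2,
     "Hashes": "SHA256=" + REPORT_SHA256[_STAGE2].upper() + ",MD5=1E9C439124D0EE98076BD5C3A4EC99DF"},
    {"EventID": 13, "ProcessId": 2984, "Image": _STAGE2, "Details": "DWORD (0x00000001)",
     "TargetObject": _SID + r"\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools"},
    {"EventID": 13, "ProcessId": 2984, "Image": _STAGE2, "Details": "DWORD (0x00000001)",
     "TargetObject": _SID + r"\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt"},
    {"EventID": 13, "ProcessId": 2984, "Image": _STAGE2, "Details": r"explorer.exe C:\Windows\SysWOW64\mopxfuknxovquwy.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell"},
    {"EventID": 13, "ProcessId": 2588, "Image": r"C:\Windows\SysWOW64\mopxfuknxovquwy.exe",
     "TargetObject": _SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\mopxfuknxovquwy",
     "Details": r"C:\Windows\SysWOW64\mopxfuknxovquwy.exe"},
    {"EventID": 11, "ProcessId": 2544, "Image": r"C:\Windows\SysWOW64\jjyrvpkq.exe",
     "TargetFilename": r"C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe"},
    {"EventID": 13, "ProcessId": 1404, "Image": r"C:\Windows\explorer.exe", "Details": "DWORD (0x00000001)",
     "TargetObject": _SID + r"\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden"},
    {"EventID": 1, "ProcessId": 3100, "Image": r"C:\Windows\System32\notepad.exe", "Hashes": "SHA256=" + "0" * 64},
]

if __name__ == "__main__":
    print(*hunt(SAMPLE_EVENTS), sep="\n")
```

Running the block prints one alert per tripped rule for the seven malicious events and nothing for the two benign ones (a user turning on hidden-file display writes Hidden=1, which is deliberately not matched). Note the limit of the hash list: every executable in the Downloads section is 512KB but none shares a hash with the submitted sample or with each other, so the SHA256 set only catches these exact drops; the registry and file-drop checks are the durable part of the rule set and should be what gets promoted to a SIEM rule.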