Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14/05/2024, 21:44
Static task: static1
Behavioral task: behavioral1
- Sample: 432e0c7502686e9481f9ca6789ad7abd_JaffaCakes118.msi
- Resource: win7-20240508-en
General
- Target: 432e0c7502686e9481f9ca6789ad7abd_JaffaCakes118.msi
- Size: 336KB
- MD5: 432e0c7502686e9481f9ca6789ad7abd
- SHA1: e762906f2796322d856f0b38bbe2a189324e7329
- SHA256: 41a4b1a20caa14c769accdc803196fcc6f70968ebe9f8acd867321f7cc46962e
- SHA512: f994dc800a0c45738b6b1e8fe3f4f547abd9229e43717420125c292434d2abb7829936de10ad4393842a26c01fb887971d08121394a3d0326fbe13646681fac8
- SSDEEP: 6144:jEUCChbFhINvtvbO0yhNPh/UCkYxKLpdDKIqtlxq5q+9xpZu:jEEYfKZhNPJU9YORKlU5qO
Malware Config
Extracted
- Family: lokibot
- C2:
  - http://deloilte.com/wp-admin/user/five/fre.php
  - http://kbfvzoboss.bid/alien/fre.php
  - http://alphastand.trade/alien/fre.php
  - http://alphastand.win/alien/fre.php
  - http://alphastand.top/alien/fre.php
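All five extracted URLs end in the same panel path (fre.php), and the first host is a lookalike of a well-known consulting firm's domain. The script below is an added example, not part of the Triage report: it turns the extracted C2 list into indicators and runs them over a few constructed proxy log lines in a "timestamp client method url" layout (the log format and the client addresses are assumptions for the demo). Exact host+path matches are reported separately from host-only matches, and a POST to a /fre.php path on an unlisted host is surfaced as a weaker hit because every URL in this config shares that path.

```python
"""Match proxy log lines against the LokiBot C2 URLs extracted above.

Added example, not part of the Triage report. The C2 URLs are the ones the
report lists; the log lines and client IPs below are constructed for the demo.
"""
from urllib.parse import urlsplit

# C2 URLs as extracted by the sandbox (copied from the report)
LOKIBOT_C2 = [
    "http://deloilte.com/wp-admin/user/five/fre.php",
    "http://kbfvzoboss.bid/alien/fre.php",
    "http://alphastand.trade/alien/fre.php",
    "http://alphastand.win/alien/fre.php",
    "http://alphastand.top/alien/fre.php",
]


def c2_indicators(urls):
    """Split the C2 URLs into a host set and a set of (host, path) pairs."""
    hosts, pairs = set(), set()
    for u in urls:
        p = urlsplit(u)
        host = (p.hostname or "").lower()
        hosts.add(host)
        pairs.add((host, p.path))
    return hosts, pairs


def classify(line, hosts, pairs):
    """Return a verdict for one 'timestamp client method url' proxy line.

    'c2_exact'  host and path match an extracted C2 URL
    'c2_host'   host matches, different path (panel moved or another build)
    'suspect'   POST to a /fre.php path on an unknown host; every URL in this
                config ends that way, so treat it as a weak indicator only
    None        nothing matched
    """
    parts = line.split()
    if len(parts) < 4:
        return None
    method, url = parts[2].upper(), parts[3]
    p = urlsplit(url)
    host = (p.hostname or "").lower()
    if (host, p.path) in pairs:
        return "c2_exact"
    if host in hosts:
        return "c2_host"
    if method == "POST" and p.path.endswith("/fre.php"):
        return "suspect"
    return None


# Constructed proxy log (assumed format): timestamp, client IP, method, URL.
# Line 2 is a legitimate-looking lookalike of the first C2 host and must NOT hit.
SAMPLE_LOG = """\
2024-05-14T21:45:01Z 10.0.0.23 POST http://deloilte.com/wp-admin/user/five/fre.php
2024-05-14T21:45:02Z 10.0.0.23 GET http://www.deloitte.com/
2024-05-14T21:45:07Z 10.0.0.23 POST http://KBFVZOBOSS.bid/alien/fre.php
2024-05-14T21:45:09Z 10.0.0.41 POST http://alphastand.top/alien/gate.php
2024-05-14T21:45:15Z 10.0.0.41 POST http://example.invalid/panel/fre.php
2024-05-14T21:45:20Z 10.0.0.41 GET http://example.org/index.html
"""


def scan(log_text, urls=LOKIBOT_C2):
    """Return [(client, verdict, url)] for every line that matched."""
    hosts, pairs = c2_indicators(urls)
    hits = []
    for line in log_text.splitlines():
        verdict = classify(line, hosts, pairs)
        if verdict:
            f = line.split()
            hits.append((f[1], verdict, f[3]))
    return hits


if __name__ == "__main__":
    for client, verdict, url in scan(SAMPLE_LOG):
        print(f"{verdict:9s} {client:12s} {url}")
```

Hostnames are lower-cased before comparison so a mixed-case request (line 3) still matches; the host-only verdict matters because LokiBot panels are commonly re-pathed on the same domain, while the path-only heuristic should be paired with other evidence before anyone acts on it.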
Signatures
Detect ZGRat V1 (1 IoC)
- yara_rule: behavioral2/memory/400-16-0x0000000007670000-0x0000000007692000-memory.dmp matched family_zgrat_v1 (memory dump of PID 400, the first MSI77D1.tmp instance; see Processes)
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens.
Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
Registry keys opened by MSI77D1.tmp:
- \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
- \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
- \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
- File opened (read-only) by msiexec.exe: \??\A:, \??\B:, \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z: (each letter appears twice in the report, 46 entries in total; C:, D: and F: are not in the list)
All of these opens come from msiexec.exe (both PIDs 4804 and 4776, see Processes), not from the dropped MSI77D1.tmp. Windows Installer probes every volume while costing an installation, so this signature also fires on benign MSI packages and carries little weight on its own here.
Suspicious use of SetThreadContext (1 IoC)
- PID 400 (MSI77D1.tmp) set thread context of PID 3176 (MSI77D1.tmp, procid_target 101)
Read together with the nine WriteProcessMemory calls from PID 400 into PID 3176 listed under "Suspicious use of WriteProcessMemory" and the fact that both processes run the same dropped image, this is the RunPE/process-hollowing pattern: the first instance starts a copy of itself, overwrites that copy's memory with the real payload and redirects its thread to the new entry point. The Outlook profile access is attributed to PID 3176 only, which is consistent with the payload running in the hollowed copy.
Drops file in Windows directory (8 IoCs)
All by msiexec.exe:
- File opened for modification: C:\Windows\Installer\e5776a7.msi
- File opened for modification: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log
- File opened for modification: C:\Windows\Installer\
- File created: C:\Windows\Installer\inprogressinstallinfo.ipi
- File created: C:\Windows\Installer\SourceHash{29EF7317-DCA1-4159-97B2-C883AD400AC6}
- File opened for modification: C:\Windows\Installer\MSI7743.tmp
- File opened for modification: C:\Windows\Installer\MSI77D1.tmp
- File created: C:\Windows\Installer\e5776a7.msi
Executes dropped EXE (2 IoCs)
- PID 400: MSI77D1.tmp
- PID 3176: MSI77D1.tmp
Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
SCSI information is often read in order to detect sandboxing environments.
All five entries are from vssvc.exe (PID 2352), the Volume Shadow Copy service, under \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters:
- Key opened: Device Parameters
- Key queried: Device Parameters
- Key created: Device Parameters\Partmgr
- Set value (data): Device Parameters\Partmgr\PartitionTableCache = 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
- Set value (data): Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
These are side effects of the restore point that srtasks.exe requests during installation (see Processes), performed by the operating system rather than by the sample, so the sandbox-evasion reading of this signature does not apply here.
Suspicious behavior: EnumeratesProcesses (2 IoCs)
- PID 4776 msiexec.exe (x2)
Suspicious use of AdjustPrivilegeToken (57 IoCs)
Grouped by process; the report lists every enable separately, so repeats are counted:
- PID 4804 msiexec.exe (31): SeShutdownPrivilege (x2), SeIncreaseQuotaPrivilege (x2), SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
- PID 4776 msiexec.exe (13): SeSecurityPrivilege, SeBackupPrivilege, SeRestorePrivilege (x6), SeTakeOwnershipPrivilege (x5)
- PID 2352 vssvc.exe (3): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
- PID 4912 srtasks.exe (8): SeBackupPrivilege (x2), SeRestorePrivilege (x2), SeSecurityPrivilege (x2), SeTakeOwnershipPrivilege (x2)
- PID 400 MSI77D1.tmp (1): SeDebugPrivilege
- PID 3176 MSI77D1.tmp (1): SeDebugPrivilege
The msiexec.exe, vssvc.exe and srtasks.exe entries are the backup/restore privileges an MSI installation with a restore point needs. The entries worth attention are the two SeDebugPrivilege enables by the dropped MSI77D1.tmp, a typical preliminary to cross-process memory writes (see SetThreadContext and WriteProcessMemory).
Suspicious use of FindShellTrayWindow (2 IoCs)
- PID 4804 msiexec.exe (x2)
Suspicious use of WriteProcessMemory (14 IoCs)
- PID 4776 (msiexec.exe) wrote to memory of PID 4912 (srtasks.exe, procid_target 92): 2 times
- PID 4776 (msiexec.exe) wrote to memory of PID 400 (MSI77D1.tmp, procid_target 94): 3 times
- PID 400 (MSI77D1.tmp) wrote to memory of PID 3176 (MSI77D1.tmp, procid_target 101): 9 times
The first two groups coincide with msiexec.exe creating its child processes; the nine writes from PID 400 into its own child PID 3176, followed by the SetThreadContext call above, are the injection.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots. Here it is driven by the System Restore point that srtasks.exe creates for the installation (see Processes), which is standard Windows Installer behaviour rather than an action of the sample.
outlook_office_path (1 IoC)
- Key opened by MSI77D1.tmp: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
outlook_win_path (1 IoC)
- Key opened by MSI77D1.tmp: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Processes
- C:\Windows\system32\msiexec.exe (PID 4804)
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\432e0c7502686e9481f9ca6789ad7abd_JaffaCakes118.msi
  Signatures: Enumerates connected drives; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe (PID 4776)
  Command line: C:\Windows\system32\msiexec.exe /V
  Signatures: Enumerates connected drives; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\srtasks.exe (PID 4912)
    Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\Installer\MSI77D1.tmp (PID 400)
    Command line: "C:\Windows\Installer\MSI77D1.tmp"
    Signatures: Suspicious use of SetThreadContext; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\Installer\MSI77D1.tmp (PID 3176)
      Command line: "C:\Windows\Installer\MSI77D1.tmp"
      Signatures: Accesses Microsoft Outlook profiles; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; outlook_office_path; outlook_win_path
- C:\Windows\system32\vssvc.exe (PID 2352)
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Checks SCSI registry key(s); Suspicious use of AdjustPrivilegeToken
The chain of interest is msiexec.exe /V (the Windows Installer service instance, PID 4776) running the binary it extracted to C:\Windows\Installer\MSI77D1.tmp (PID 400), which starts a second copy of itself (PID 3176) and injects into it; only that second copy touches the Outlook profile keys. srtasks.exe and vssvc.exe are the restore-point machinery the installation triggers.
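The tree above shows the one relationship a detection engineer wants to pick out: a process writing into, and then setting the thread context of, a child that runs the same image. The script below is an added example, not part of the Triage report: it rebuilds the report's process creations, WriteProcessMemory counts and SetThreadContext call as an event list (the tuple format is an assumption for the demo, not Triage's export format) and flags the self-injection pair while ignoring the benign msiexec.exe writes into its own children.

```python
"""Flag RunPE-style self-injection in the process tree above.

Added example, not part of the Triage report. PIDs, images and call counts are
taken from the report; the event tuple format is an assumption for the demo.
"""
from collections import defaultdict

# (pid, ppid, image) as shown in the report's process tree
PROCESSES = [
    (4804, None, r"C:\Windows\system32\msiexec.exe"),
    (4776, None, r"C:\Windows\system32\msiexec.exe"),
    (4912, 4776, r"C:\Windows\system32\srtasks.exe"),
    (400,  4776, r"C:\Windows\Installer\MSI77D1.tmp"),
    (3176, 400,  r"C:\Windows\Installer\MSI77D1.tmp"),
    (2352, None, r"C:\Windows\system32\vssvc.exe"),
]

# (api, source_pid, target_pid); the counts mirror the signature tables
EVENTS = (
    [("WriteProcessMemory", 4776, 4912)] * 2
    + [("WriteProcessMemory", 4776, 400)] * 3
    + [("WriteProcessMemory", 400, 3176)] * 9
    + [("SetThreadContext", 400, 3176)]
)


def find_hollowing(processes, events, min_writes=1):
    """Return one dict per (parent, child) pair that looks like process
    hollowing: the parent spawned the child, both run the same image, the
    parent wrote into the child and then replaced a thread context.

    A parent writing into a child with a different image (msiexec.exe ->
    srtasks.exe here) or writing without SetThreadContext is not reported.
    """
    image = {pid: img for pid, _, img in processes}
    parent = {pid: ppid for pid, ppid, _ in processes}
    writes = defaultdict(int)
    ctx = set()
    for api, src, dst in events:
        if api == "WriteProcessMemory":
            writes[(src, dst)] += 1
        elif api == "SetThreadContext":
            ctx.add((src, dst))
    hits = []
    for src, dst in sorted(ctx):
        same_image = image.get(src) == image.get(dst)
        is_child = parent.get(dst) == src
        if same_image and is_child and writes[(src, dst)] >= min_writes:
            hits.append({
                "parent": src,
                "child": dst,
                "image": image[dst],
                "writes": writes[(src, dst)],
                "grandparent": parent.get(src),
            })
    return hits


def ancestry(processes, pid):
    """Walk pid -> ppid -> ... and return 'image (pid)' strings, root first."""
    parent = {p: pp for p, pp, _ in processes}
    image = {p: img for p, _, img in processes}
    chain = []
    while pid is not None and pid in image:
        chain.append(f"{image[pid]} ({pid})")
        pid = parent[pid]
    return list(reversed(chain))


if __name__ == "__main__":
    for h in find_hollowing(PROCESSES, EVENTS):
        print(f"hollowing candidate: {h['parent']} -> {h['child']} "
              f"{h['image']} after {h['writes']} write(s)")
        print("  chain: " + " -> ".join(ancestry(PROCESSES, h["child"])))
```

The same-image and parent-child conditions are what keep the installer's own activity out of the result: msiexec.exe writes into srtasks.exe and into the first MSI77D1.tmp when it creates them, but never sets a thread context, and the images differ. On real telemetry the two conditions are the usual starting point for a hollowing rule, with the spawn of a process from C:\Windows\Installer\*.tmp as an additional, installer-specific filter.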
Downloads
- Dropped file (path not listed in the report)
  Filesize: 663B
  MD5: 01010afb6d5cf26747a9edeca580c9b6
  SHA1: 715130f2e4bf0c69a79cabba56cdeb86ddc1a033
  SHA256: 23cb1839d932fd32726e93222f1dcce53188e841da77525d98c6d67096b58b09
  SHA512: f212d5dbe5a07689a3395b9c08acd8c192e91217c9c30073e848f413fe40718e0773dd49ca95df72574fe860e18829784219ec396c4abec267cc2c93de1298f0
- C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1337824034-2731376981-3755436523-1000\0f5007522459c86e95ffcc62f32308f1_6833eb7b-8d4b-4cdd-9502-9bbf7fc1cf9f
  Filesize: 46B
  MD5: d898504a722bff1524134c6ab6a5eaa5
  SHA1: e0fdc90c2ca2a0219c99d2758e68c18875a3e11e
  SHA256: 878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9
  SHA512: 26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61
- C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1337824034-2731376981-3755436523-1000\0f5007522459c86e95ffcc62f32308f1_6833eb7b-8d4b-4cdd-9502-9bbf7fc1cf9f (same path, second version written)
  Filesize: 46B
  MD5: c07225d4e7d01d31042965f048728a0a
  SHA1: 69d70b340fd9f44c89adb9a2278df84faa9906b7
  SHA256: 8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a
  SHA512: 23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b
- Dropped file (path not listed in the report)
  Filesize: 311KB
  MD5: da9877633c4e09c16d3593021f84e011
  SHA1: d2883239114cf8e0fa235cdb854065070ff60ad5
  SHA256: 66fa5aa2b0ba33ed6f2c733308fac9af3589ebe85849c7c130ab8365f0a708b6
  SHA512: 21adf2ec80f3d0f2dc034ca40637c1a3ea391f552e3a3048a97a1d68c73c49f3548ab02b6e51ebb6ce987533221e6ae17ecbb9522bdcdbc7b58870b8eef7b07a
- Dropped file (path not listed in the report)
  Filesize: 23.7MB
  MD5: fe296e3eda6c4c9fbf357e00f6322f7d
  SHA1: 3e7cac66c89a1333889aacb05f27669b66398913
  SHA256: c2db32e1bb43b14c4dc16b396fe71788a61cb2b92c593d3408a24b0e6e4ff738
  SHA512: e0cd9e1b0b9f036794603c94ef3d39fc9ebc7afa90e06d4bce253ade65b1738f01042a8f39d60cb9e0f870e78f8a5fd0004790a9ba3dfeb0fcbad5a373daebd3
- \??\Volume{8a2a71c9-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{3ed67ba0-7521-43f8-8660-b1884b922d7b}_OnDiskSnapshotProp
  Filesize: 6KB
  MD5: dcfc60d4e3ae3666ed27ff13a241de6c
  SHA1: cd242ed858e092fc98c9f22d2653d8f10bd0ebbf
  SHA256: 997bd2079844d5665982f796f7a98998a81782551066672c87c5fda0f1a4379f
  SHA512: 713055b2ee667660c4bc1973c369218eafde1518a307faba92e5f4e4f39280122bab92683a8dc1a48ed29566f2f02f0a0353532cf575185b27605403b17089e2