Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    14/05/2024, 21:44

General

  • Target

    432e0c7502686e9481f9ca6789ad7abd_JaffaCakes118.msi

  • Size

    336KB

  • MD5

    432e0c7502686e9481f9ca6789ad7abd

  • SHA1

    e762906f2796322d856f0b38bbe2a189324e7329

  • SHA256

    41a4b1a20caa14c769accdc803196fcc6f70968ebe9f8acd867321f7cc46962e

  • SHA512

    f994dc800a0c45738b6b1e8fe3f4f547abd9229e43717420125c292434d2abb7829936de10ad4393842a26c01fb887971d08121394a3d0326fbe13646681fac8

  • SSDEEP

    6144:jEUCChbFhINvtvbO0yhNPh/UCkYxKLpdDKIqtlxq5q+9xpZu:jEEYfKZhNPJU9YORKlU5qO

Malware Config

Extracted

Family

lokibot

C2

http://deloilte.com/wp-admin/user/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

  • Detect ZGRat V1 1 IoCs
  • Lokibot

    Lokibot is a password and cryptocurrency wallet stealer.

  • ZGRat

    ZGRat is a remote access trojan written in C#.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and similar secrets.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 8 IoCs
  • Executes dropped EXE 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 57 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\432e0c7502686e9481f9ca6789ad7abd_JaffaCakes118.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:4804
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4776
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4912
    • C:\Windows\Installer\MSI77D1.tmp
      "C:\Windows\Installer\MSI77D1.tmp"
      2⤵
      • Suspicious use of SetThreadContext
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:400
      • C:\Windows\Installer\MSI77D1.tmp
        "C:\Windows\Installer\MSI77D1.tmp"
        3⤵
        • Accesses Microsoft Outlook profiles
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • outlook_office_path
        • outlook_win_path
        PID:3176
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious use of AdjustPrivilegeToken
    PID:2352

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Config.Msi\e5776aa.rbs

    Filesize

    663B

    MD5

    01010afb6d5cf26747a9edeca580c9b6

    SHA1

    715130f2e4bf0c69a79cabba56cdeb86ddc1a033

    SHA256

    23cb1839d932fd32726e93222f1dcce53188e841da77525d98c6d67096b58b09

    SHA512

    f212d5dbe5a07689a3395b9c08acd8c192e91217c9c30073e848f413fe40718e0773dd49ca95df72574fe860e18829784219ec396c4abec267cc2c93de1298f0

  • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1337824034-2731376981-3755436523-1000\0f5007522459c86e95ffcc62f32308f1_6833eb7b-8d4b-4cdd-9502-9bbf7fc1cf9f

    Filesize

    46B

    MD5

    d898504a722bff1524134c6ab6a5eaa5

    SHA1

    e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

    SHA256

    878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

    SHA512

    26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

  • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1337824034-2731376981-3755436523-1000\0f5007522459c86e95ffcc62f32308f1_6833eb7b-8d4b-4cdd-9502-9bbf7fc1cf9f

    Filesize

    46B

    MD5

    c07225d4e7d01d31042965f048728a0a

    SHA1

    69d70b340fd9f44c89adb9a2278df84faa9906b7

    SHA256

    8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

    SHA512

    23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

  • C:\Windows\Installer\MSI77D1.tmp

    Filesize

    311KB

    MD5

    da9877633c4e09c16d3593021f84e011

    SHA1

    d2883239114cf8e0fa235cdb854065070ff60ad5

    SHA256

    66fa5aa2b0ba33ed6f2c733308fac9af3589ebe85849c7c130ab8365f0a708b6

    SHA512

    21adf2ec80f3d0f2dc034ca40637c1a3ea391f552e3a3048a97a1d68c73c49f3548ab02b6e51ebb6ce987533221e6ae17ecbb9522bdcdbc7b58870b8eef7b07a

  • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

    Filesize

    23.7MB

    MD5

    fe296e3eda6c4c9fbf357e00f6322f7d

    SHA1

    3e7cac66c89a1333889aacb05f27669b66398913

    SHA256

    c2db32e1bb43b14c4dc16b396fe71788a61cb2b92c593d3408a24b0e6e4ff738

    SHA512

    e0cd9e1b0b9f036794603c94ef3d39fc9ebc7afa90e06d4bce253ade65b1738f01042a8f39d60cb9e0f870e78f8a5fd0004790a9ba3dfeb0fcbad5a373daebd3

  • \??\Volume{8a2a71c9-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{3ed67ba0-7521-43f8-8660-b1884b922d7b}_OnDiskSnapshotProp

    Filesize

    6KB

    MD5

    dcfc60d4e3ae3666ed27ff13a241de6c

    SHA1

    cd242ed858e092fc98c9f22d2653d8f10bd0ebbf

    SHA256

    997bd2079844d5665982f796f7a98998a81782551066672c87c5fda0f1a4379f

    SHA512

    713055b2ee667660c4bc1973c369218eafde1518a307faba92e5f4e4f39280122bab92683a8dc1a48ed29566f2f02f0a0353532cf575185b27605403b17089e2

  • memory/400-17-0x0000000004BB0000-0x0000000004BBA000-memory.dmp

    Filesize

    40KB

  • memory/400-16-0x0000000007670000-0x0000000007692000-memory.dmp

    Filesize

    136KB

  • memory/400-15-0x0000000007710000-0x00000000077A2000-memory.dmp

    Filesize

    584KB

  • memory/400-20-0x00000000086D0000-0x000000000876C000-memory.dmp

    Filesize

    624KB

  • memory/400-14-0x0000000007BE0000-0x0000000008184000-memory.dmp

    Filesize

    5.6MB

  • memory/400-13-0x0000000007570000-0x00000000075BC000-memory.dmp

    Filesize

    304KB

  • memory/400-12-0x0000000000700000-0x0000000000756000-memory.dmp

    Filesize

    344KB

  • memory/3176-25-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

  • memory/3176-27-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB