Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    149s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    29/05/2024, 10:21

General

  • Target

    8069496d769163e3d7f6eec840b158a5_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    8069496d769163e3d7f6eec840b158a5

  • SHA1

    d33c2f3a11cb9bd778ffe37bd6bb83659c8e4718

  • SHA256

    cfb86dc7a35fd2dbaa8855f42a3adf24465d2df4f0bf2394b2f7d82f20372bf0

  • SHA512

    73a6acf17016275784b5177d3f4010652eadb683e7e31ec3c3ea1bdd4323e9f6fbca4f5a44c7bd3ba00d1c0c24cc6002f52439b1aef0133d3ab65791a69766c0

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj61:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5g

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 8 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8069496d769163e3d7f6eec840b158a5_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\8069496d769163e3d7f6eec840b158a5_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2032
    • C:\Windows\SysWOW64\fhkkmkqfqu.exe
      fhkkmkqfqu.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2960
      • C:\Windows\SysWOW64\zxlxxnwl.exe
        C:\Windows\system32\zxlxxnwl.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2496
    • C:\Windows\SysWOW64\dwfocjouccrfxrm.exe
      dwfocjouccrfxrm.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2612
    • C:\Windows\SysWOW64\zxlxxnwl.exe
      zxlxxnwl.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2684
    • C:\Windows\SysWOW64\yythykwzlgxmw.exe
      yythykwzlgxmw.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2740
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2716
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
        PID:1624

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe

      Filesize

      512KB

      MD5

      9e4f13b290b8e34b1fee73d31ba9acfe

      SHA1

      625a83d51de724710f9b5cd6508a6f937cee0edb

      SHA256

      b29b636fad63670483a579a46919a535de69e3f178f2ddf910bddf504de0dffc

      SHA512

      67847f6239b45fbe5bfc001d82c06ce0be76eba66e2d64e67bd4ebf15154b0042eea404a626b07666f879a535beaadbdb2ce8bcddc1dbc3c9fb906684bf6ff5d

    • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

      Filesize

      512KB

      MD5

      a0a2838332395c910e3d8920998d3807

      SHA1

      9a72e92d065a52305b77ad4ca8b3b766a4ea35b6

      SHA256

      4cada9c78fd7a861ed7814590ec2de5b2c3356a6e748050993839e0b0abea72c

      SHA512

      9a9fd8c331ebcfd8338b2ad9b50845602f8c595864c2219c0d641520150a021ebf8c8bf02bb0e3982cab452d99ee1c0e75a9c76bd4916340c47c970a3ec15c90

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

      Filesize

      20KB

      MD5

      a52d5c1290352e68378aa874d9e8b5ca

      SHA1

      632abf5f3f709f2b6236db8f033815c48df6a3d8

      SHA256

      ed231bd72d5d745bd4f89bbf89ef17d94aea8fef9f37e9e8ac930787b1cb7b7a

      SHA512

      f7c989ed2719dc4592393b7ff82ebeba96721f280f13eaf77401ee39584e7e7f96ca1e30c8188375684e62d208de6694fab2877b24bab17a320a6b63c7f8287b

    • C:\Users\Admin\Documents\NewPop.doc.exe

      Filesize

      512KB

      MD5

      da18b943befd1404bc8ab1d3df063310

      SHA1

      37d5b76ab209fff58a5b6daf67ed6379a4eef603

      SHA256

      b49bbba1634eb4f40098bf846d21225569e3781c979a9d9ed60dfadfa00e04b1

      SHA512

      0be450b443e27427b58888f185caa2e76447fc770695d2b7d890fbda74641529833aad8eb10c690fef39b62707da156495ae914e621253e6ab9aebae0893b805

    • C:\Windows\SysWOW64\dwfocjouccrfxrm.exe

      Filesize

      512KB

      MD5

      7bef23dedb203702ae785d030355e6c6

      SHA1

      39435ed2eeded72dfba6d4cf017df4f19b1262d4

      SHA256

      78e0b21bfbd1c82335e164d7962bc8d5c1008273377b4ae15359916180ecebf4

      SHA512

      a57a4655acac18abd1b5f6cccf8a0a3fe5d27869711e078105949befdb6d034c9d6f15835179c76551d1cd10cbd7a1fcbbb70343bc294e0b4de595b8fcb0328b

    • C:\Windows\SysWOW64\yythykwzlgxmw.exe

      Filesize

      512KB

      MD5

      6b34f9e5dd8460e7dba59015c09084ea

      SHA1

      0be1acd2a1e1bdc63cbebfdc92fa05b356aea330

      SHA256

      b552c1e42d1bd98e80949dd23027a46fb8b3fc8a4a1b8cc2065cd0e68cfbf52b

      SHA512

      bc6f031e546dece46beec37f61d193b771f4a8bd2cbae4231706d38bf747b5f8061418209ff5714e15e3b23088e33c3d1db04926fdfa95bee30e15f51a2c2027

    • C:\Windows\mydoc.rtf

      Filesize

      223B

      MD5

      06604e5941c126e2e7be02c5cd9f62ec

      SHA1

      4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

      SHA256

      85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

      SHA512

      803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

    • \Windows\SysWOW64\fhkkmkqfqu.exe

      Filesize

      512KB

      MD5

      ef0107b148941a57a1d16fa4faaa0183

      SHA1

      cc0d26c794a51a4a2a7cbd17a9b04cb9fb359b81

      SHA256

      5cd7ad7fba6e45a23903022b2df03827f9b5e3d5e4b709ea1b1fddee1c1feb03

      SHA512

      ade162f699b893248a0929403d9cffa86f17f76651411d738bf8407fc453b663dee1ef10c8040b4fe24ccae7213ac3fa375e0bfdadcc44f6e6d43dbebca73e96

    • \Windows\SysWOW64\zxlxxnwl.exe

      Filesize

      512KB

      MD5

      31e050506db89544b6ec895115fbf153

      SHA1

      979a3fd7fd29f14f29eaa041542405607c44e2d8

      SHA256

      1ea3e0954296da6ee0056e6c87e29aa70831f55812bd3c4ebbb584466fb11160

      SHA512

      da097fdd1527252348860eda128ebc3fd0fcf7266e95bd1a55cfc892aa8521915647f95ce1e4fca7c958d0307fe6d0f8d691f2f651dd1b9e881300d9cbe105f9

    • memory/2032-0-0x0000000000400000-0x0000000000496000-memory.dmp

      Filesize

      600KB

    • memory/2716-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2716-114-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB