Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29/05/2024, 10:21

General

  • Target

    8069496d769163e3d7f6eec840b158a5_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    8069496d769163e3d7f6eec840b158a5

  • SHA1

    d33c2f3a11cb9bd778ffe37bd6bb83659c8e4718

  • SHA256

    cfb86dc7a35fd2dbaa8855f42a3adf24465d2df4f0bf2394b2f7d82f20372bf0

  • SHA512

    73a6acf17016275784b5177d3f4010652eadb683e7e31ec3c3ea1bdd4323e9f6fbca4f5a44c7bd3ba00d1c0c24cc6002f52439b1aef0133d3ab65791a69766c0

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj61:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5g

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 9 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 13 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 19 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8069496d769163e3d7f6eec840b158a5_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\8069496d769163e3d7f6eec840b158a5_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:380
    • C:\Windows\SysWOW64\sbwbutecmj.exe
      sbwbutecmj.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:3900
      • C:\Windows\SysWOW64\aawvsham.exe
        C:\Windows\system32\aawvsham.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:1332
    • C:\Windows\SysWOW64\ygvpjrdqcngjqjo.exe
      ygvpjrdqcngjqjo.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1288
    • C:\Windows\SysWOW64\aawvsham.exe
      aawvsham.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1912
    • C:\Windows\SysWOW64\xvwgtppmomdcu.exe
      xvwgtppmomdcu.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:792
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:2000

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

    Filesize

    512KB

    MD5

    064017b57cd0942d37aa7112dbe94c23

    SHA1

    5aad793606bf0402648a258de2863a58d412174d

    SHA256

    706dc3615e0ff2762fe76180c2406ac5f17c5c6a3f36c45f9752a07ed92dce22

    SHA512

    1a30083e03fdc3fa50bbef79950d186df37606814ed44c50a66f4c404d6361db2628648e8a0e48ca769d60dd36a3ca9424e6eee89e163ce8dd325973011d03af

  • C:\Users\Admin\AppData\Local\Temp\TCDB1B0.tmp\sist02.xsl

    Filesize

    245KB

    MD5

    f883b260a8d67082ea895c14bf56dd56

    SHA1

    7954565c1f243d46ad3b1e2f1baf3281451fc14b

    SHA256

    ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

    SHA512

    d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

  • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

    Filesize

    239B

    MD5

    12b138a5a40ffb88d1850866bf2959cd

    SHA1

    57001ba2de61329118440de3e9f8a81074cb28a2

    SHA256

    9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf

    SHA512

    9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

    Filesize

    3KB

    MD5

    f421a0cd790a0bce525ba896a00140b8

    SHA1

    7aedc9f264d7c2861debf563cd88d36a0c1a1e06

    SHA256

    0db132f0f694e5372efa4933e34c5eb90d0a992f3e0a3984d38ca1967a11eea2

    SHA512

    72e2145f05e9a11a15b55d6743308a4a165376a6029ade8bb3295e61a67a80116804bd46590d751b620f256b256a2e368d910d1d75419bf6a0775b7330e5c762

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

    Filesize

    3KB

    MD5

    654ea158821869099ffd00bba174c0f5

    SHA1

    f939f0ee9429dd3ca5a9cb894585002be3d3992f

    SHA256

    a7c4161f48f04a322fe6fed6e842ffb410e3fb454de070b65cd0c066e7f3154f

    SHA512

    ebfcc4a137259400ac6b161046fdeeb023d89084e0baea05e5610a7b58ffbd1d2a4fb19bf517d5237b62f6a7ee4aa66528dc80dd37c8454af656e38a23e6752e

  • C:\Windows\SysWOW64\aawvsham.exe

    Filesize

    512KB

    MD5

    c867f375c883e61639860e9cbf271e56

    SHA1

    45bf687e34f168f6b452688f858897e49687513b

    SHA256

    b98a33a4827313c4debdc44bc51388b8e48fa6e4a4a55298220c2ba9e4810d9e

    SHA512

    9e1041c28059be36a0d6ca6991623b41423fea68f2d650cdf806176a548ec66371f16be935336b98e64151f14e19faff1f7bec9dcdaa6dc83f82b8d9241ed099

  • C:\Windows\SysWOW64\sbwbutecmj.exe

    Filesize

    512KB

    MD5

    4fc2358084706bb4212eccb3fa19d916

    SHA1

    8985ee5886203760273112be3d4b3d533b67b2b1

    SHA256

    c2babfb1ddc57afb391d35f1d85c787cf1cb63601a9a8744de3f8e4773c67b7c

    SHA512

    b22071c16547f12772082b1ef9f260fc1fe0db1a1a43b14a0011d42175f49bf7433941cf1e74ea2d85ee475d6bc848258e424ae69097bbe1f25efb58cdf0b6ad

  • C:\Windows\SysWOW64\xvwgtppmomdcu.exe

    Filesize

    512KB

    MD5

    258ea6ad2700ddc681673ccc5144884e

    SHA1

    14205d6ead47d5bb7dbe71876b24598e300085d4

    SHA256

    7287c4375ac10440c939d31a22c119b6e690e4f55a4e5ef4c100ab13161ed5e0

    SHA512

    f9acc725779b37ef1505866fc802605b3941ca54130359ff2a39092d3503e8ea1702ca10eb0de4aa16b48f8554def65cd52dd7fe52457a35033e32a6aa059de4

  • C:\Windows\SysWOW64\ygvpjrdqcngjqjo.exe

    Filesize

    512KB

    MD5

    e74a068933ac6339a10305391f2a7c90

    SHA1

    0b1366c8ed75eaf60c35c6959ca90ad57fe276f5

    SHA256

    e36bd24dd63a5c451878ae6d7f655cd176df8aff86a433560de8234006f1f003

    SHA512

    a73d5bff10560315531f493b189723d1ff1e017308cc41c1cbff606b3ed23bd0cf5e7c1c3a9b89e3d8d7cd0c5c5dd59bc5d54c2d098aa450a73730366c9cbb4c

  • C:\Windows\mydoc.rtf

    Filesize

    223B

    MD5

    06604e5941c126e2e7be02c5cd9f62ec

    SHA1

    4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

    SHA256

    85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

    SHA512

    803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

  • \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe

    Filesize

    512KB

    MD5

    935f35dc6be54d9cb6830d9ddd224c40

    SHA1

    eb4585c235784d815255b1a42f6b81e45da4d3ac

    SHA256

    e3a1685bf66c27c79079c96d0a2a3ffa87184536f439a97ff804d96b3df35c37

    SHA512

    bd8f8afff1d08208ac1aa71d98814839660c733d2ec849782ef9102ffbfcc38f2a85f2aa122417f32867ce7991b309ea3eb9d7664c94202e6ebcd8c8ea4117ab

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

    Filesize

    512KB

    MD5

    3675eddb73413227057adbf39a091621

    SHA1

    4773324ddb38ff074bdf75d9b581c242ff31a23c

    SHA256

    f5361c89ac2098dbb828817dca54edf3a2cff5f72ad6f9fb7296b8c0e380799e

    SHA512

    a5a41b066b449c71e27529f3bc579a2e132ff07a275a5ffa7178d0e6b46cf1c20c9352a913203949b9b3dcf8f5728c5d5408161fd9035bb50f5eefa49e962423

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

    Filesize

    512KB

    MD5

    e5b6b0e5845930f14e46da9f9a40a7e3

    SHA1

    c25a4c05bb93994a1eab747484b8e12e078207ce

    SHA256

    4ade7e57e3c91d5d6f10e75c93524016ef407adebd41a9d387396b41e3fa8aab

    SHA512

    81dde641d505a3344d98c3e33306f3599aeb6945feda90db2647e47489cfafc4ddb07d9c47d370f90d1ecbd2ced353e7a88e0290d655dd1665fa7d687466d173

  • memory/380-0-0x0000000000400000-0x0000000000496000-memory.dmp

    Filesize

    600KB

  • memory/2000-40-0x00007FFAF4130000-0x00007FFAF4140000-memory.dmp

    Filesize

    64KB

  • memory/2000-43-0x00007FFAF17D0000-0x00007FFAF17E0000-memory.dmp

    Filesize

    64KB

  • memory/2000-38-0x00007FFAF4130000-0x00007FFAF4140000-memory.dmp

    Filesize

    64KB

  • memory/2000-39-0x00007FFAF4130000-0x00007FFAF4140000-memory.dmp

    Filesize

    64KB

  • memory/2000-41-0x00007FFAF4130000-0x00007FFAF4140000-memory.dmp

    Filesize

    64KB

  • memory/2000-37-0x00007FFAF4130000-0x00007FFAF4140000-memory.dmp

    Filesize

    64KB

  • memory/2000-42-0x00007FFAF17D0000-0x00007FFAF17E0000-memory.dmp

    Filesize

    64KB

  • memory/2000-618-0x00007FFAF4130000-0x00007FFAF4140000-memory.dmp

    Filesize

    64KB

  • memory/2000-619-0x00007FFAF4130000-0x00007FFAF4140000-memory.dmp

    Filesize

    64KB

  • memory/2000-617-0x00007FFAF4130000-0x00007FFAF4140000-memory.dmp

    Filesize

    64KB

  • memory/2000-620-0x00007FFAF4130000-0x00007FFAF4140000-memory.dmp

    Filesize

    64KB