Analysis
max time kernel: 142s
max time network: 144s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01/06/2024, 18:58
Static task: static1
Behavioral task: behavioral1
  Sample: 8b70f3d86655835f7049ab38c44d7c51_JaffaCakes118.msi
  Resource: win7-20240215-en
Behavioral task: behavioral2
  Sample: 8b70f3d86655835f7049ab38c44d7c51_JaffaCakes118.msi
  Resource: win10v2004-20240426-en
General
Target: 8b70f3d86655835f7049ab38c44d7c51_JaffaCakes118.msi
Size: 964KB
MD5: 8b70f3d86655835f7049ab38c44d7c51
SHA1: 936eb774499e15ff5fdc8dbb5ed0be0daf32e8a2
SHA256: ad817bd5a7508402452d84a552cfb44361889fe0e57bcbe41015f88c639bb78f
SHA512: 8810071bb87c7c3e5945011331a8707e1b3d4abde42f6fbf881323ed796de52a324dc29a1af500497dfa8868195aba912fa910c4ada2e06c57abb7b0fa237d3a
SSDEEP: 12288:fE/McR5BLmwCKODs/KcrE693vojvq46MjAfituvhE6+9e3jG+PkPgFPdWTxDwFnI:fE0c3BCTK059693vorbnAiuqr2
Malware Config
Extracted family: lokibot
URLs:
- http://parkerhdd.com/wp-admin/network/five/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Signatures

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | MSI9173.tmp
Key opened | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | MSI9173.tmp
Key opened | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | MSI9173.tmp
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | each of the 23 drive roots below, every one of them opened twice (46 entries in total) | msiexec.exe
\??\A:, \??\B:, \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z:
Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 1844 set thread context of 4408 | 1844 | MSI9173.tmp | 99

Drops file in Windows directory (8 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\Installer\MSI9173.tmp | msiexec.exe
File created | C:\Windows\Installer\e578fdc.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\e578fdc.msi | msiexec.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
File created | C:\Windows\Installer\SourceHash{29EF7317-DCA1-4159-97B2-C883AD400AC6} | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI9114.tmp | msiexec.exe

Executes dropped EXE (2 IoCs)
pid | Process
1844 | MSI9173.tmp
4408 | MSI9173.tmp
Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = [value not captured] | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
1224 | msiexec.exe
1224 | msiexec.exe
Suspicious use of AdjustPrivilegeToken (57 IoCs)
Token adjustments grouped by process (each privilege listed once per occurrence, in the order recorded):
396 msiexec.exe (31): SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
1224 msiexec.exe (13): SeSecurityPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege
3196 vssvc.exe (3): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
1664 srtasks.exe (8): SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege
1844 MSI9173.tmp (1): SeDebugPrivilege
4408 MSI9173.tmp (1): SeDebugPrivilege

Suspicious use of FindShellTrayWindow (2 IoCs)
pid | Process
396 | msiexec.exe
396 | msiexec.exe

Suspicious use of WriteProcessMemory (14 IoCs)
description | pid | Process | procid_target | occurrences
PID 1224 wrote to memory of 1664 | 1224 | msiexec.exe | 96 | 2
PID 1224 wrote to memory of 1844 | 1224 | msiexec.exe | 98 | 3
PID 1844 wrote to memory of 4408 | 1844 | MSI9173.tmp | 99 | 9
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.

outlook_office_path (1 IoC)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | MSI9173.tmp

outlook_win_path (1 IoC)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | MSI9173.tmp
Processes
PID 396  C:\Windows\system32\msiexec.exe
  command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\8b70f3d86655835f7049ab38c44d7c51_JaffaCakes118.msi
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

PID 1224  C:\Windows\system32\msiexec.exe
  command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  PID 1664  C:\Windows\system32\srtasks.exe
    command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    - Suspicious use of AdjustPrivilegeToken

  PID 1844  C:\Windows\Installer\MSI9173.tmp
    command line: "C:\Windows\Installer\MSI9173.tmp"
    - Suspicious use of SetThreadContext
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    PID 4408  C:\Windows\Installer\MSI9173.tmp
      command line: "C:\Windows\Installer\MSI9173.tmp"
      - Accesses Microsoft Outlook profiles
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path

PID 3196  C:\Windows\system32\vssvc.exe
  command line: C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
Downloads

Filesize: 663B
MD5: dffee4972f7a2877f6886fda6e345aae
SHA1: f3b2d2df5b7ef791e1132b10dd38120cfb977a70
SHA256: f596dcfd9684be9bd1737d62610af783caa083e052244ad66c2c0f498ee03394
SHA512: 29d40c4de97fca9f1bfa7254874f41ad4841b3b0e9a2afb3145b981c270b14f7b794d69cce19b2a1c23ee304608d413bb03bc35b2fd24a7d97f6557d3f7a4c8b

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3571316656-3665257725-2415531812-1000\0f5007522459c86e95ffcc62f32308f1_a47c70d8-7adc-4ad7-994f-644a8c84c176
Filesize: 46B
MD5: d898504a722bff1524134c6ab6a5eaa5
SHA1: e0fdc90c2ca2a0219c99d2758e68c18875a3e11e
SHA256: 878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9
SHA512: 26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3571316656-3665257725-2415531812-1000\0f5007522459c86e95ffcc62f32308f1_a47c70d8-7adc-4ad7-994f-644a8c84c176
Filesize: 46B
MD5: c07225d4e7d01d31042965f048728a0a
SHA1: 69d70b340fd9f44c89adb9a2278df84faa9906b7
SHA256: 8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a
SHA512: 23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

Filesize: 937KB
MD5: 19b36f0c94238b00c6646276e8ff2f1e
SHA1: 59a7bb1e0d7f027b03ec9564c3ccca707fad936a
SHA256: fb4e984a7c215e035209fcd485be7051f13ad0ccc8eb3cc08d6e5c95012444ba
SHA512: d44de256bab852afad797e7a8f1de7566670aeae8f5b17ae43e037e2fc7ca5321af404a8661e57bfceff3b0145f355abc08cc65c42e3a54a1e8b5f1eeee7f975

Filesize: 23.7MB
MD5: fc718c66b2e7fe6e238a866be87ea506
SHA1: 09f958d6ec7929d61b3a02c45f82aa1f8e55de7f
SHA256: 9d3ede6648372f55eceb07118283c1bb73c8809f776d829b7223f909cd209742
SHA512: 7fec7e89407a38c58b4fe5731dd816932a1a5fc6381d0a112738cd4e467e9ca8f802aa76acc0c1d979af7a5d09a57f1e8b851b76cbe860b41f9ccdde224124eb

\??\Volume{b97e3c07-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{633e9505-4873-4ad9-8212-05f52d697d0b}_OnDiskSnapshotProp
Filesize: 6KB
MD5: e19183d92d782df5e9502c7a41181c21
SHA1: e287074d6c2f783032f71c6472122454a1236a48
SHA256: 4059436542b6ef41830aa27e938fd6a6ad165eea688d6c2ab7dba7ca21e88b36
SHA512: a94570c8dcf4d3543ec37841554780dbc0dd01bace2739bd74bd4b5cab637aa0a3acfda2e0e7e72ebdf73777279e4d8961835a1ac7ffb303e9a79b61b4e42c4c