Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    149s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240419-en locale:en-us os:windows7-x64 system
  • submitted
    05/06/2024, 15:34

General

  • Target

    9882a7793f1df74d04833e184e918ee8_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    9882a7793f1df74d04833e184e918ee8

  • SHA1

    0229a6047afd94d9f430aabe34819d5b0503875d

  • SHA256

    7ebcad2de5fdb7161d1cb60f8503bc43a5cdebc06716e1a639fbddd283c7372c

  • SHA512

    e05e0dc8d8716f54b3271da83677c2296a206e6b807b928506906a3919c812ccd8674df216b118629012b6be91e16cde82269b6e82ef07e64ab98341ab065cb3

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6i:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5V

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 8 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9882a7793f1df74d04833e184e918ee8_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\9882a7793f1df74d04833e184e918ee8_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3000
    • C:\Windows\SysWOW64\vlqgqqyite.exe
      vlqgqqyite.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2572
      • C:\Windows\SysWOW64\odwwioim.exe
        C:\Windows\system32\odwwioim.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2504
    • C:\Windows\SysWOW64\rdryzpgjddjjinf.exe
      rdryzpgjddjjinf.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2656
    • C:\Windows\SysWOW64\odwwioim.exe
      odwwioim.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2660
    • C:\Windows\SysWOW64\kblhdzdvprdhy.exe
      kblhdzdvprdhy.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2756
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2472
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
          PID:1344
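The process tree above is a compact hunting target: four freshly dropped binaries executing from SysWOW64 with the Temp-resident sample as parent, and WINWORD.EXE launched by that same sample to open a decoy document placed under C:\Windows. The following is an added example, not part of the Triage report: it replays the tree as constructed process-creation events (PIDs and image paths are taken from the report; the parent PID of the sample, the explorer.exe parent, the two benign contrast events and the small launcher allow-list are assumptions) and runs three rules over them: a System32/SysWOW64 binary whose ancestry includes a process from a user-writable path, Word started by an unusual parent with a document under C:\Windows, and one parent spawning three or more distinct system-directory binaries.

```python
"""Hunt for the process-tree pattern in the report above.

Added example, not the Triage report's own logic. Event fields mirror what a
Sysmon Event ID 1 or EDR process-creation record carries. PIDs and image paths
come from the tree; PID 1500 (explorer.exe), the two benign events and the
OFFICE_LAUNCHERS allow-list are constructed for illustration.
"""
import re
from collections import defaultdict

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\")
# Hypothetical allow-list of parents that normally start Word.
OFFICE_LAUNCHERS = {"explorer.exe", "outlook.exe", "winword.exe"}

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\9882a7793f1df74d04833e184e918ee8_JaffaCakes118.exe"
WINWORD = r"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"


def event(pid, ppid, image, parent_image, cmdline=None):
    return {"pid": pid, "ppid": ppid, "image": image,
            "parent_image": parent_image, "cmdline": cmdline or f'"{image}"'}


EVENTS = [
    event(3000, 1500, SAMPLE, r"C:\Windows\explorer.exe"),  # parent PID constructed
    event(2572, 3000, r"C:\Windows\SysWOW64\vlqgqqyite.exe", SAMPLE),
    event(2504, 2572, r"C:\Windows\SysWOW64\odwwioim.exe", r"C:\Windows\SysWOW64\vlqgqqyite.exe"),
    event(2656, 3000, r"C:\Windows\SysWOW64\rdryzpgjddjjinf.exe", SAMPLE),
    event(2660, 3000, r"C:\Windows\SysWOW64\odwwioim.exe", SAMPLE),
    event(2756, 3000, r"C:\Windows\SysWOW64\kblhdzdvprdhy.exe", SAMPLE),
    event(2472, 3000, WINWORD, SAMPLE, f'"{WINWORD}" /n "C:\\Windows\\mydoc.rtf"'),
    event(1344, 2472, r"C:\Windows\splwow64.exe", WINWORD, r"C:\Windows\splwow64.exe 12288"),
    # Two constructed benign events for contrast.
    event(4100, 1500, r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe"),
    event(4200, 1500, WINWORD, r"C:\Windows\explorer.exe",
          f'"{WINWORD}" /n "C:\\Users\\Admin\\Documents\\notes.docx"'),
]


def _low(p):
    return p.lower()


def _name(p):
    return p.rsplit("\\", 1)[-1].lower()


def in_system_dir(p):
    return _low(p).startswith(SYSTEM_DIRS)


def user_writable(p):
    return any(s in _low(p) for s in USER_WRITABLE)


def ancestors(e, by_pid):
    """Walk ppid links as far as the telemetry allows (cycle-safe)."""
    chain, seen, cur = [], set(), by_pid.get(e["ppid"])
    while cur is not None and cur["pid"] not in seen:
        seen.add(cur["pid"])
        chain.append(cur)
        cur = by_pid.get(cur["ppid"])
    return chain


def rule_sysdir_from_user_path(e, by_pid):
    """System32/SysWOW64 image whose parent or any ancestor ran from a user-writable path."""
    if not in_system_dir(e["image"]):
        return False
    return user_writable(e["parent_image"]) or any(user_writable(a["image"]) for a in ancestors(e, by_pid))


def rule_word_decoy(e):
    """WINWORD from an unusual parent, handed a document that lives under C:\\Windows."""
    if _name(e["image"]) != "winword.exe" or _name(e["parent_image"]) in OFFICE_LAUNCHERS:
        return False
    args = re.findall(r'"([^"]+)"', e["cmdline"])[1:]  # quoted arguments after the image
    return any(_low(a).startswith("c:\\windows\\") for a in args)


def burst_parents(events, threshold=3):
    """PIDs that spawned `threshold` or more distinct system-directory binaries."""
    names = defaultdict(set)
    for e in events:
        if in_system_dir(e["image"]):
            names[e["ppid"]].add(_name(e["image"]))
    return {ppid for ppid, n in names.items() if len(n) >= threshold}


def hunt(events):
    """Map pid -> list of triggered rule descriptions."""
    by_pid = {e["pid"]: e for e in events}
    bursts = burst_parents(events)
    hits = {}
    for e in events:
        reasons = []
        if rule_sysdir_from_user_path(e, by_pid):
            reasons.append("system-dir binary with user-writable ancestry")
        if rule_word_decoy(e):
            reasons.append("WINWORD opened a document under C:\\Windows from an unusual parent")
        if e["pid"] in bursts:
            reasons.append("spawned >=3 distinct system-dir binaries")
        if reasons:
            hits[e["pid"]] = reasons
    return hits


if __name__ == "__main__":
    for pid, why in sorted(hunt(EVENTS).items()):
        print(pid, "; ".join(why))
```

Walking ancestry rather than only the direct parent is what catches PID 2504 (odwwioim.exe started by vlqgqqyite.exe, which in turn came from the Temp sample); splwow64.exe under PID 2472 is not flagged because it lives in C:\Windows rather than System32/SysWOW64 and is a normal Word print-helper child.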

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe

      Filesize

      512KB

      MD5

      60b78f276d69a6c2ca70dc99ce22bcd3

      SHA1

      f6f5a53ad643c10bedd853ca27571d831df5380c

      SHA256

      3f0a29afbaf347ade47096d2fe00d6062cef40f4f15029822fb882ab342be047

      SHA512

      d0ed96669a065924cd344e3c833df58a41735792c868128f127f779de7d6305983df69ac989244f7684aaa6895591821f02b70187ce2cb6c9ff8e73d029afd84

    • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

      Filesize

      512KB

      MD5

      69a3ecadaa7233a290e78c3b160420ea

      SHA1

      84c5f4111107472deab657b0dcf3b9c621ca212e

      SHA256

      881ee4c585e1775aeb658ed8ea551612c0262e8c1bc761020823fada16a8d381

      SHA512

      ac8c99bafbec7a195b181cefb60f9b740ec66c2e99a80a83d1b3056161d3834d63879250c7383d72389244a384caa95466575140a20a7d1185791f31d235c60c

    • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

      Filesize

      68B

      MD5

      949e055c19257898b6c993bd6186909b

      SHA1

      b9eb54ded156e3a3071c28a6bf8fb5b986c7132a

      SHA256

      f9d360ed13a62558a3bc3cafb085730470b3411ee988d62c1a2b1862069f45e2

      SHA512

      61e0fcd741e3b1f466e6f84d5501d6252002cf1cb02ee3d67141b8fc0be34a0fd6f678f79bf951d6d08c0d005fa78107471d59021274257aafca07638189ac15

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

      Filesize

      20KB

      MD5

      9457a14998dba331cd82d490edea30f2

      SHA1

      6a113131cec92e3cb77a2cfade7160ef95911c36

      SHA256

      f8ffbf2c5c7dd46bf0165a7f43f713e6a785914679d6ce2118e4afa9c5f18292

      SHA512

      78254087ddac5656236990875ab2f2f63a2e2337bf528732b96f4ab443955975b45a54b57c8ed62a4494bcae4433c4fbd804c6723d6cff9f21da24b7c6cc5889

    • C:\Users\Admin\AppData\Roaming\UnregisterUnlock.doc.exe

      Filesize

      512KB

      MD5

      c8e6cf79514ff82050857ad5d915a26a

      SHA1

      ff4990a2a64d1b02938ea5abd525784eab2aff09

      SHA256

      b842f4d67deedf06af0d2d6409a5a97e2f4fa33abf8c75287b98d33ced88f93c

      SHA512

      92eb7288ef5e8456fa1509b1b093f1c0c06ec990cdb7bc3ddfaf2dc2f578c5deff713c9c88d5e9fc3a453af71610169a522dbea596368af8664f3d2c4b3ed992

    • C:\Windows\SysWOW64\rdryzpgjddjjinf.exe

      Filesize

      512KB

      MD5

      c69d503476a4f56224bb94d220776682

      SHA1

      8f8f9a45b66c360efe082973b3c380be04cc4808

      SHA256

      3d9c8989dfac40a8d104e85cb8850206fab84912f3c5f49bc0e2f01789c1053c

      SHA512

      270ab13d4677e7904c253c85282e0974f8d91602c31715e227949f66d256b19952f50b61b1a7947449fab85da657a606bc06879d115a7e529a45113367413ca9

    • C:\Windows\mydoc.rtf

      Filesize

      223B

      MD5

      06604e5941c126e2e7be02c5cd9f62ec

      SHA1

      4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

      SHA256

      85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

      SHA512

      803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

    • \Windows\SysWOW64\kblhdzdvprdhy.exe

      Filesize

      512KB

      MD5

      a8d5ec1e99e3129ce71ec9651d54de9e

      SHA1

      0fa92dcc4cde0bd12b3a5d340a3439e5881b3368

      SHA256

      bf59dd1f43ad4967c6060f87e39ad7308004bd9989843a3439866557beeac63b

      SHA512

      aac23dab84543f429cf4e76257e8c4ba327d2a6a2c21b94063b4b8e5405db1f33199d71e0944e5f2308771fc4b856a2507aeb8aa9bdf053063b7b20bce68a5f2

    • \Windows\SysWOW64\odwwioim.exe

      Filesize

      512KB

      MD5

      7f62b750b3c027437f70b3f08998a4a5

      SHA1

      89651a8258aaf8b379c2b7497092647621129fb0

      SHA256

      fad5cf49f5f9fb452353878e6316035bbeb2ae38762535fb3fdd48fdeddb0209

      SHA512

      1046d4c65d390c2a7da564a4a2f6f0c15c120534e635671fedd515620187ff178b3a3bd569d48ddb9f01e500db46643d45a85181259abb6f6133e8d297b7fb62

    • \Windows\SysWOW64\vlqgqqyite.exe

      Filesize

      512KB

      MD5

      4926b45b6ad26e10fa653869005ab9d3

      SHA1

      54bed77ab03385299dede422b81e133c10bc50a6

      SHA256

      42b80fd6f20e079f2bffaf5e47f542851b959cd6aedb856a756e1de2bb3711a9

      SHA512

      4aeb92e7b9c929d781e6ba38bd4a66a90f390bc824e258ee1db7fc5f475100f5d3de66924f9dad55377d4e080e9c5090c494ff6c158b690fe95a1c41e92252f1

    • memory/2472-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2472-111-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/3000-0-0x0000000000400000-0x0000000000496000-memory.dmp

      Filesize

      600KB
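Two things in the Downloads list are directly actionable for a responder: the SHA-256 values of the dropped executables, and their names. PROTTPLN.DOC.exe, PROTTPLV.DOC.exe and UnregisterUnlock.doc.exe carry a document extension followed by .exe; once the "hide extensions for known file types" setting that the "Modifies visibility of file extensions in Explorer" signature points at is in effect, Explorer shows such a file as "UnregisterUnlock.doc". The following is an added example, not part of the Triage report: a sweep that hashes every file under a directory, matches the digests against the report's hashes (copied verbatim from the sections above) and flags double-extension names. The regular expression is generalised to a few common document extensions beyond .doc, and the files demo() writes are constructed stand-ins, not the real samples.

```python
"""Sweep a directory tree for the artefacts listed under Downloads above.

Added example, not the Triage report's own tooling. The hashes are the
SHA-256 values the report gives for the sample and the executables it
dropped; the files created by demo() are constructed stand-ins.
"""
import hashlib
import re
import tempfile
from pathlib import Path

REPORT_SHA256 = {
    "7ebcad2de5fdb7161d1cb60f8503bc43a5cdebc06716e1a639fbddd283c7372c": "9882a7793f1df74d04833e184e918ee8_JaffaCakes118.exe",
    "3f0a29afbaf347ade47096d2fe00d6062cef40f4f15029822fb882ab342be047": "PROTTPLN.DOC.exe",
    "881ee4c585e1775aeb658ed8ea551612c0262e8c1bc761020823fada16a8d381": "PROTTPLV.DOC.exe",
    "b842f4d67deedf06af0d2d6409a5a97e2f4fa33abf8c75287b98d33ced88f93c": "UnregisterUnlock.doc.exe",
    "3d9c8989dfac40a8d104e85cb8850206fab84912f3c5f49bc0e2f01789c1053c": "rdryzpgjddjjinf.exe",
    "bf59dd1f43ad4967c6060f87e39ad7308004bd9989843a3439866557beeac63b": "kblhdzdvprdhy.exe",
    "fad5cf49f5f9fb452353878e6316035bbeb2ae38762535fb3fdd48fdeddb0209": "odwwioim.exe",
    "42b80fd6f20e079f2bffaf5e47f542851b959cd6aedb856a756e1de2bb3711a9": "vlqgqqyite.exe",
}

# Document-looking name with an executable suffix; generalised beyond the .doc.exe seen here.
DOUBLE_EXT = re.compile(r"\.(doc|docx|rtf|pdf|xls|xlsx|txt)\.(exe|scr|com|pif)$", re.IGNORECASE)


def sha256_file(path, chunk=1 << 20):
    """Stream the file so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root, known=REPORT_SHA256):
    """Return one finding per suspicious file: {"path", "sha256", "reasons"}."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        digest = sha256_file(path)
        reasons = []
        if digest in known:
            reasons.append(f"sha256 matches report artefact {known[digest]}")
        if DOUBLE_EXT.search(path.name):
            reasons.append("double extension: document name with executable suffix")
        if reasons:
            findings.append({"path": str(path), "sha256": digest, "reasons": reasons})
    return findings


def demo():
    """Run the sweep over a constructed directory; returns (plain, with_injected_hash)."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        decoy = root / "UnregisterUnlock.doc.exe"
        decoy.write_bytes(b"MZ constructed stand-in, not the dropped binary")
        (root / "notes.docx").write_bytes(b"PK constructed benign document")
        (root / "sub").mkdir()
        (root / "sub" / "readme.txt").write_bytes(b"constructed benign text")
        plain = sweep(root)
        # Simulate a hash hit by adding the stand-in's digest to the IoC set.
        injected = {**REPORT_SHA256, sha256_file(decoy): "constructed stand-in"}
        return plain, sweep(root, injected)


if __name__ == "__main__":
    for label, findings in zip(("report hashes only", "with injected hash"), demo()):
        print(label)
        for f in findings:
            print(" ", f["path"], "->", "; ".join(f["reasons"]))
```

Hash matching only finds byte-identical copies of these exact artefacts; the name check is the looser signal and is what catches a re-packed sample that reuses the same social-engineering trick.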