Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    150s
  • max time network
    128s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    12/06/2024, 14:53

General

  • Target

    a10ef426cd0e1cb4bb8ce688a0017a25_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    a10ef426cd0e1cb4bb8ce688a0017a25

  • SHA1

    11d5aef2860b4f2cfbd13591800b6a1ff90f2ca1

  • SHA256

    ec9e45fbf429dc5c5a12d05f7fba2e9f88031119eb037c66eb6dfa8678abb087

  • SHA512

    4e2f7ad4e9c3416150a2e7741db526db619e65dc2cde75d47c23ca632bdae001945363f048253ab8c006ec93f0977830c2ecd1b89b8a8099448f35943cbae4e2

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj67:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm56

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 10 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
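The signatures above are the sandbox's detection labels; the report names the behaviours but does not print the registry values it fired on. The script below is an added example (mine, not Triage's code) that parses a `.reg` export and maps the well-known keys behind those labels back to the same signature names, so the same checks can be run against a suspect host or an exported hive. The keys checked (Explorer\Advanced, Policies\System, Winlogon, the Run keys and Security Center) are an assumption about what the sandbox keys on, and the sample export is constructed: the dropped-file names in it echo the report, but their placement in Shell and Run is illustrative, not observed data.

```python
"""Map registry settings to the sandbox signature names above.

Added example, not code from the Triage report. The keys below are the
standard locations those signature names refer to (an assumption about what
the sandbox keys on); SAMPLE_REG is a constructed export, not observed data.
"""
import re
from typing import Dict, List, Tuple

# Constructed .reg export of the relevant keys after a hypothetical infection.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"HideFileExt"=dword:00000001
"Hidden"=dword:00000002
"ShowSuperHidden"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe wmjvzsorub.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"awwqzrcsxxyjven"="C:\\Windows\\SysWOW64\\awwqzrcsxxyjven.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"""

ADVANCED = r"hkey_current_user\software\microsoft\windows\currentversion\explorer\advanced"
POLICIES = r"hkey_current_user\software\microsoft\windows\currentversion\policies\system"
WINLOGON = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
RUN_KEYS = (
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
)
SECURITY_CENTER = r"hkey_local_machine\software\microsoft\security center"

_VALUE_RE = re.compile(r'^(?:"([^"]+)"|@)=(.*)$')


def parse_reg(text: str) -> Dict[str, Dict[str, object]]:
    """Parse the subset of .reg syntax used above: [key] headers, dword and
    string values. Keys and value names are lower-cased for case-insensitive lookup."""
    hives: Dict[str, Dict[str, object]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            hives.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if current is None or not m:
            continue
        name = (m.group(1) or "@").lower()
        data = m.group(2)
        if data.startswith("dword:"):
            value: object = int(data[6:], 16)
        elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            value = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
        else:
            value = data  # hex(...) and other types are kept raw
        hives[current][name] = value
    return hives


def evaluate(hives: Dict[str, Dict[str, object]]) -> List[Tuple[str, str]]:
    """Return (signature name, evidence) pairs using the report's own labels."""
    findings: List[Tuple[str, str]] = []
    adv = hives.get(ADVANCED, {})
    if adv.get("hidefileext") == 1:  # 1 hides known extensions: "x.doc.exe" displays as "x.doc"
        findings.append(("Modifies visibility of file extensions in Explorer", "HideFileExt=1"))
    if adv.get("hidden") == 2 or adv.get("showsuperhidden") == 0:  # 2 = do not show hidden files
        findings.append(("Modifies visibility of hidden/system files in Explorer",
                         f"Hidden={adv.get('hidden')} ShowSuperHidden={adv.get('showsuperhidden')}"))
    if hives.get(POLICIES, {}).get("disableregistrytools") == 1:
        findings.append(("Disables RegEdit via registry modification", "DisableRegistryTools=1"))
    wl = hives.get(WINLOGON, {})
    shell = str(wl.get("shell", "explorer.exe")).strip().lower()
    if shell != "explorer.exe":  # anything appended to Shell runs at every interactive logon
        findings.append(("Modifies WinLogon", f"Shell={wl['shell']}"))
    userinit = str(wl.get("userinit", "")).strip().lower().rstrip(",")
    if userinit and not userinit.endswith("\\userinit.exe"):
        findings.append(("Modifies WinLogon", f"Userinit={wl['userinit']}"))
    for key in RUN_KEYS:
        for name, target in hives.get(key, {}).items():
            findings.append(("Adds Run key to start application", f"{name} -> {target}"))
    for name, val in hives.get(SECURITY_CENTER, {}).items():
        if name.endswith("disablenotify") and val == 1:  # silences AV/firewall/update warnings
            findings.append(("Windows security modification", f"{name}=1"))
    return findings


if __name__ == "__main__":
    for sig, evidence in evaluate(parse_reg(SAMPLE_REG)):
        print(f"{sig}: {evidence}")
```

On a live host, `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced out.reg` (and the other keys) produces UTF-16 output; decode it before passing the text to `parse_reg`. The parser ignores `hex(...)` values, which is enough for these dword and string settings but not for a general registry diff.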

Processes

  • C:\Users\Admin\AppData\Local\Temp\a10ef426cd0e1cb4bb8ce688a0017a25_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\a10ef426cd0e1cb4bb8ce688a0017a25_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1932
    • C:\Windows\SysWOW64\wmjvzsorub.exe
      wmjvzsorub.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2748
      • C:\Windows\SysWOW64\hfewriix.exe
        C:\Windows\system32\hfewriix.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2588
    • C:\Windows\SysWOW64\awwqzrcsxxyjven.exe
      awwqzrcsxxyjven.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2760
    • C:\Windows\SysWOW64\hfewriix.exe
      hfewriix.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2716
    • C:\Windows\SysWOW64\knchyxyelnfoi.exe
      knchyxyelnfoi.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2868
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2496
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
        PID:1352

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe

      Filesize

      512KB

      MD5

      bba2a1f97a4c8f6c647569f1b6199e50

      SHA1

      3ae3da7cc925afe734a0be587ad6efd90dbc8757

      SHA256

      8da658a86424c65383b68fbcf3cab66dade96b532e6e0b51f267f9b911437fa4

      SHA512

      76d96fd96b4c51d3de3c0fa7125c5436d7a97b8734d4c7cced2f07c43a85b19911990854a11d22f3d6b0d1388dd81ddd3ebcf0c432d5f64d001fbecca5db7468

    • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

      Filesize

      512KB

      MD5

      b03ebef6415725f16e3d944f2cf13930

      SHA1

      8fc95e9c52c2286e3311fc6efb4533bb87266e46

      SHA256

      1953684471d027bf78205e08857e776e4490a1a7c929a84e7b93b0f00448af9a

      SHA512

      430d7199efff492792db3eb5251d89b19ec70fffb851a0bfb02fa1643691d0dfdd4b9a7d53b26208d4b5dee6871ab125164b9465b8febf4795d2a233c4afc04c

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

      Filesize

      20KB

      MD5

      ff53e3583042d56128a1608d3be3c0b2

      SHA1

      74f63f57266e5da6a89c3d28f42e2091a3ecbfba

      SHA256

      13893aaaebd92281452a87db6f526325fd6dbc210fc8d527106286b069709489

      SHA512

      492712c71339982f11e1a7cbce2eb35f27d5824bbe37a03daf97a0de19cda37332ab18c8f84e2228741e5d9e3ffd7e72f28fbff335a3c16632e85b5c7ea59bfe

    • C:\Users\Admin\Desktop\SubmitEnter.doc.exe

      Filesize

      512KB

      MD5

      ff85b261a5e3b481efa8e1aed4d540ae

      SHA1

      49b8f485f6c712a6c28fbf80ce0154cad57ea6ab

      SHA256

      9eaaf394e249e87c06657a265c8e5c311e061d322404fcad338553b888eb98a0

      SHA512

      5397252b7c58d6a2e819a4bbf5c237cd1205a019fb4a2d04547c3f7ba5d7d598f3e258654b4fee99cc21d2c48b1cd52024022e34b3fa51456d031c0099ae4ff9

    • C:\Users\Admin\Documents\GrantJoin.doc.exe

      Filesize

      512KB

      MD5

      d058f321c55201f97c6c2ea869d3d48c

      SHA1

      7ae650825b421428f41749518d9edf34e3066c76

      SHA256

      d66dda50384f044fdad65a6dcdd82b8a567f3a9c1d1cc0d83a4af4d69cbfea4d

      SHA512

      3b60ad34e2ce94749cb6846979932bc64a943725cc7073e3010572c12b47449eaad4f9388fcc4bbbdf60c8bf7fb62fde530f83ba2bfed8383ac0b04ced6309f0

    • C:\Windows\SysWOW64\awwqzrcsxxyjven.exe

      Filesize

      512KB

      MD5

      29fdfcc20569d0c5d048da094304ae81

      SHA1

      de69322ce813fbeb5dc53795f4db41ebffd85613

      SHA256

      6eba07da16ea3d6387b0e1f0052668a030c0ca9b49c950d4b693991a58693de7

      SHA512

      2d4f1195bd82dfb67da8c567dba042be7a70c41840786f190fa8f7fb1890a8ab11eed3d5fd730e31382edceab579efb931105c33a33b1ea471e1ca16d09cdfa2

    • C:\Windows\SysWOW64\hfewriix.exe

      Filesize

      512KB

      MD5

      f6b554eaa2358a3b9e15aa7f65a7ff68

      SHA1

      f7ccf074e73455e8665373bc2676a83b12a6c29e

      SHA256

      d7a4803e71eacbcf7ddd8ce641434b8dc99074c88330abb65ae8e9b0bbd4f209

      SHA512

      ce3c87bc8a4d346fdba9ba27f09471f63f1948b007147448c6aaf9c53b5e0f3c8cd2fb4e1acf69d657732f490eff9535b20b2e43c743ff9e80e428b406ed5771

    • C:\Windows\mydoc.rtf

      Filesize

      223B

      MD5

      06604e5941c126e2e7be02c5cd9f62ec

      SHA1

      4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

      SHA256

      85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

      SHA512

      803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

    • \??\c:\Users\Admin\Downloads\SendShow.doc.exe

      Filesize

      512KB

      MD5

      422f3f2edc83d209ce79239fa399f291

      SHA1

      0a323a318a3d82bb3c0ffbc34e69067b50c0b7b6

      SHA256

      357204dba32d0d5ded10a0412091fb712adcf0731607c22e93afcd053ef3d098

      SHA512

      339f508b328cfd1ff19628e7f01d3959967178e155c299062096b231d7403d4d329ecab16298662d0eb60cb6193d9357bd49c96ab0454889c4e80b0fc6a96399

    • \Windows\SysWOW64\knchyxyelnfoi.exe

      Filesize

      512KB

      MD5

      640c7a3fab458b62a6c40b8b1c6eda67

      SHA1

      7ba4c5367bdb463eecf2c162c91f69ab504aeae7

      SHA256

      eda3c0820f646758e54df9b7d6e56a8cb9bea757489e1bc3d56f38bc60046385

      SHA512

      cff913f6fcf2c91f6f5f88ac50e493f68a18268f5abc216b6b89bfe54f0c8b2aacbb00b5233d57a928ba43f97184adfb9523b7debbf0a42f2fad7c9245a05049

    • \Windows\SysWOW64\wmjvzsorub.exe

      Filesize

      512KB

      MD5

      1c75428c98a908053f846c91f6bb3827

      SHA1

      d2fb438364abf4006e973eb6e2969bc7d6f11feb

      SHA256

      ed41819cb37c5507911a703c89ad9cda7c1d8b1f1a371fee0c34e72a40d71e49

      SHA512

      f8b9c75732712e5f95184f6e7fc65db405666e0fdea2758093f56b8cbb006861e6477b1cc29b2f378a8c651f8efd0add55b59910c4ab34531579d6131b9525e8

    • memory/1932-0-0x0000000000400000-0x0000000000496000-memory.dmp

      Filesize

      600KB

    • memory/2496-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2496-106-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB
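Five of the dropped files are executables named like documents (`SubmitEnter.doc.exe`, `PROTTPLN.DOC.exe`), which pairs with the "Modifies visibility of file extensions in Explorer" signature: with known extensions hidden, Explorer shows them as `.doc`. The script below is an added example (mine, not Triage's code) that turns the Downloads list into hunting criteria: it normalises the NT-style paths the sandbox logged (`\??\c:\...` and drive-less `\Windows\...`), classifies each drop location, flags document lookalikes with an executable outer extension, and clusters by size. The path/size pairs are copied from the list above; mapping drive-less paths onto `C:` is an assumption.

```python
"""Derive hunting criteria from the dropped-file list above.

Added example, not part of the Triage report. DROPPED is copied from the
Downloads section (path and reported size only); the size parsing and path
normalisation are my own, and placing drive-less paths on C: is an assumption.
"""
import re
from collections import Counter
from pathlib import PureWindowsPath
from typing import Dict, List, Tuple

DROPPED: List[Tuple[str, str]] = [
    (r"C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe", "512KB"),
    (r"C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe", "512KB"),
    (r"C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm", "20KB"),
    (r"C:\Users\Admin\Desktop\SubmitEnter.doc.exe", "512KB"),
    (r"C:\Users\Admin\Documents\GrantJoin.doc.exe", "512KB"),
    (r"C:\Windows\SysWOW64\awwqzrcsxxyjven.exe", "512KB"),
    (r"C:\Windows\SysWOW64\hfewriix.exe", "512KB"),
    (r"C:\Windows\mydoc.rtf", "223B"),
    (r"\??\c:\Users\Admin\Downloads\SendShow.doc.exe", "512KB"),
    (r"\Windows\SysWOW64\knchyxyelnfoi.exe", "512KB"),
    (r"\Windows\SysWOW64\wmjvzsorub.exe", "512KB"),
]

DOC_EXT = {".doc", ".docx", ".dot", ".dotm", ".rtf", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".txt"}
EXEC_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
_SIZE_RE = re.compile(r"(\d+(?:\.\d+)?)\s*(B|KB|MB|GB)$", re.I)
_UNIT = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}


def parse_size(text: str) -> int:
    """Turn the report's human-readable sizes ("223B", "512KB") into bytes."""
    m = _SIZE_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised size: {text!r}")
    return int(float(m.group(1)) * _UNIT[m.group(2).upper()])


def normalize(path: str) -> PureWindowsPath:
    """Strip the NT object-manager prefix and supply a drive for drive-less paths."""
    if path.startswith("\\??\\"):
        path = path[4:]
    if path.startswith("\\"):
        path = "C:" + path  # assumption: drive-less sandbox paths are on the system drive
    return PureWindowsPath(path)


def classify_location(p: PureWindowsPath) -> str:
    parts = [x.lower() for x in p.parts]  # parts[0] is the drive, e.g. 'c:\\'
    if len(parts) > 3 and parts[1] == "windows" and parts[2] in ("system32", "syswow64"):
        return "system-dir"
    if len(parts) > 2 and parts[1] == "windows":
        return "windows-root"
    if len(parts) > 2 and parts[1].startswith("program files"):
        return "program-files"
    if len(parts) > 2 and parts[1] == "users":
        return "user-profile"
    return "other"


def is_doc_lookalike(p: PureWindowsPath) -> bool:
    """True for names like Report.doc.exe: document inner extension, executable outer one."""
    suffixes = [s.lower() for s in p.suffixes]
    return len(suffixes) >= 2 and suffixes[-1] in EXEC_EXT and suffixes[-2] in DOC_EXT


def triage(records: List[Tuple[str, str]]) -> List[Dict[str, object]]:
    rows: List[Dict[str, object]] = []
    for raw, size in records:
        p = normalize(raw)
        rows.append({
            "path": str(p),
            "bytes": parse_size(size),
            "location": classify_location(p),
            "executable": p.suffix.lower() in EXEC_EXT,
            "doc_lookalike": is_doc_lookalike(p),
        })
    return rows


def summarize(rows: List[Dict[str, object]]) -> Dict[str, object]:
    size, count = Counter(r["bytes"] for r in rows).most_common(1)[0]
    return {
        "doc_lookalikes": sorted(r["path"] for r in rows if r["doc_lookalike"]),
        "system_dir_drops": sorted(r["path"] for r in rows
                                   if r["location"] == "system-dir" and r["executable"]),
        "common_size": (size, count),  # identical sizes hint at copies of one payload
    }


if __name__ == "__main__":
    for key, value in summarize(triage(DROPPED)).items():
        print(key, value)
```

The same three criteria (document-lookalike names in user folders, unsigned executables newly written under `SysWOW64`, and many same-sized PE drops) transfer directly to an EDR or file-integrity query; the size cluster is a cheap first filter before hashing every candidate.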