
Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    14/06/2024, 09:36 UTC

General

  • Target

    a8feab29842ce3a2b6ebc097d4ae8328_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    a8feab29842ce3a2b6ebc097d4ae8328

  • SHA1

    b2a06eb77a15007146b67358fc4e4bf7a66634ad

  • SHA256

    44e9795f74b21b510afba1766fadb368ae8fc907bc119cfd67dbc1ad41f2d169

  • SHA512

    f0cf22e21e684ae2a9316870ff7de2b805374f4dd1a23c08274404f2e0a75209cce7bade1ee6d5eb12f672b79e3b1c79cd33d8a5f610030e1e22f210c9122d57

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6v:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm58

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 9 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 12 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 19 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a8feab29842ce3a2b6ebc097d4ae8328_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\a8feab29842ce3a2b6ebc097d4ae8328_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2156
    • C:\Windows\SysWOW64\yjutuvnzte.exe
      yjutuvnzte.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:912
      • C:\Windows\SysWOW64\uenyrgph.exe
        C:\Windows\system32\uenyrgph.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:3708
    • C:\Windows\SysWOW64\digjnppjmbfimem.exe
      digjnppjmbfimem.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4776
    • C:\Windows\SysWOW64\uenyrgph.exe
      uenyrgph.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3008
    • C:\Windows\SysWOW64\bzvseupqvvhef.exe
      bzvseupqvvhef.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4240
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:4972

Network

  • flag-us
    DNS
    roaming.officeapps.live.com
    WINWORD.EXE
    Remote address:
    8.8.8.8:53
    Request
    roaming.officeapps.live.com
    IN A
    (5 identical requests)
  • flag-us
    DNS
    metadata.templates.cdn.office.net
    WINWORD.EXE
    Remote address:
    8.8.8.8:53
    Request
    metadata.templates.cdn.office.net
    IN A
    (5 identical requests)
  • 8.8.8.8:53
    roaming.officeapps.live.com
    dns
    WINWORD.EXE
    365 B
    5

    DNS Request (5 times): roaming.officeapps.live.com

  • 8.8.8.8:53
    metadata.templates.cdn.office.net
    dns
    WINWORD.EXE
    395 B
    5

    DNS Request (5 times): metadata.templates.cdn.office.net

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe

    Filesize

    512KB

    MD5

    453177af08686c8541f265d8d3df6f66

    SHA1

    e06c3cc720f4f4de26b49abd38d55400977ef9ab

    SHA256

    fde4666b82f5732a26b829fe510069f8db3c22467ab79e4194d2a8485c12de3a

    SHA512

    076d2a81ad6d663ec2d51cdb76e30b4fbd04fa47ce25e24785c6503cb6e32d422f0600612b192b18438fe1d9cd46e451a1ba0403fe59f756cd119b0d6d8e507e

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

    Filesize

    512KB

    MD5

    327bfda0acd758e8b746c15a1097c333

    SHA1

    36f940e97703cc7a0a6004f3516435e604589865

    SHA256

    3f3b84ec90a234a17410db890ea4b612fd3d6c859417dbb1516eef927f623fff

    SHA512

    ccc11044060b30b3816158b0900d196528894015b8f569e7d96a1e9e372d0d12d84ba9b3f6c24648f7759efe795efd317ec06d2c546d61337a25b8563c746ee9

  • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

    Filesize

    239B

    MD5

    12b138a5a40ffb88d1850866bf2959cd

    SHA1

    57001ba2de61329118440de3e9f8a81074cb28a2

    SHA256

    9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf

    SHA512

    9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

    Filesize

    3KB

    MD5

    82bcc5097ccb29065bb95eb4ce8089c2

    SHA1

    28e161520c3d4b5fed5a5a302670c0736347fb63

    SHA256

    d70dab7e0ed492298ddc281cf554c9213750e5ed728d42dac433a56cc921ce75

    SHA512

    3db0afef37a043e345948f30815adeedb30f56134ecf3e0a177550f2d94d96f21a8d7991d642f26980b232207c5ba7c99c47801fcd610dc1640e8021c4f3ed13

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

    Filesize

    3KB

    MD5

    2067c68940bdb493807606560f0c52b1

    SHA1

    dcc9739013dee00f3d8ca1955ec4ce908d3f53a6

    SHA256

    f2046f113964fbf94cfa8cd147f7cf7a49e9425d1d76fbc292bbd3499d57444c

    SHA512

    5be292a694933dce275e55010f6c36d98301d73ad824875c9f8736fb2c9d0a928cd7ea1fd5fc90ea2ad013fe981b493389efc60ec0c6b174331e6c3bc6c4547d

  • C:\Windows\SysWOW64\bzvseupqvvhef.exe

    Filesize

    512KB

    MD5

    0ba7bc400afa338a6443382d6a53dfd1

    SHA1

    f5fa4c5807cb244fbb07c1dfe640d13417b93053

    SHA256

    8058d514260412851f4acc183115cd0efc65216ae6adcea629272f5b690ba143

    SHA512

    91a68a3cedacd85c202751976fe35a9cac3575ce85998b9e75727881b40470108bdcfe0e226b3ab8aade996c5bc6a2b6ebb206d0beb5d499aa47e751a4b6aee6

  • C:\Windows\SysWOW64\digjnppjmbfimem.exe

    Filesize

    512KB

    MD5

    96cc30fe2f4d7d7746f96ea523d690d1

    SHA1

    ce2a49c5ed25d078c71b11f6e8aa1a0f6453af82

    SHA256

    0199b5110fb2542a24fddc7b2857ec5f0534fa563e88d6758e35173abb7f81c5

    SHA512

    0638232f5dd1dc3b8d79fb9bcea8f2ef2695b033cb8324499a160f4bfd40bb1facbcfcdb82efd030f9806ae56e923719981bc3ebc2bf396a7594d2e2afbb00a6

  • C:\Windows\SysWOW64\uenyrgph.exe

    Filesize

    512KB

    MD5

    01036d3e4d246e336242ff6a5826bc8b

    SHA1

    3eeca4a3977b9e7a4f287fae9f5ce8cd68be3ff7

    SHA256

    d5e3dad183fe4566c0ed00961e43d4f60f463c5c328c4973bd17c3e032746dad

    SHA512

    2170ba32df4897fa4ab2b10faf18037079291c15c3b1ecf0d364aebed19e53624f3a38ef2a6261991f97bc5a6c92dcb0aecb1347cd3d8aefffb764b0913dc0e0

  • C:\Windows\SysWOW64\yjutuvnzte.exe

    Filesize

    512KB

    MD5

    854e37dc2818c13d2bf4c27c92b0fbeb

    SHA1

    fc3b3858aef98ffb0b53d3932d7c0d2c6ec04f6c

    SHA256

    5ab23dc7fd4355ab97b5dcaaa60f4adc68a54307fbda79386551970ee474db1e

    SHA512

    f98070d1db9ca651c48ef076d5a6276854149348bb609efa82b9252ee40078628a316d1e0ce44f4f8d1a715592d8cd8a84a91acd66d51a615c0369c73b1c9868

  • C:\Windows\mydoc.rtf

    Filesize

    223B

    MD5

    06604e5941c126e2e7be02c5cd9f62ec

    SHA1

    4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

    SHA256

    85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

    SHA512

    803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

    Filesize

    512KB

    MD5

    217810d52c89876b0d9a62ac61c9c40e

    SHA1

    ce670de28990dd580adc3ebee95df6d0309d89d5

    SHA256

    a1169a4ebb5667c20fca3fd23010f66d3cbae608afccca10a9fbec978cb332cd

    SHA512

    30dc9fd15fe2f8c630a7971e5971344727c4dcc75380e0c18052a5be55cb3db59f0f4b6014255f5117a60b8690689960bf4541d71ce811fbf6f31f052e8182d2

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

    Filesize

    512KB

    MD5

    a730ef186d71999b3448a022bcfeb249

    SHA1

    4535faba43e7b7f6d7c26b8df5aead0275359908

    SHA256

    82829be025bda1a1c0c5b783beba7df8106bccd17d97176d27dad8217697d360

    SHA512

    1cdc1900e329c8daf6bb5d655684daa54171e69037740bbe57377a5595e3091fe7d61ee38fac9354fa1c7e7e8e60382a9d8fbeaedb9d4e80e6f850c64b8db0f7

  • memory/2156-0-0x0000000000400000-0x0000000000496000-memory.dmp

    Filesize

    600KB

  • memory/4972-35-0x00007FFC79990000-0x00007FFC799A0000-memory.dmp

    Filesize

    64KB

  • memory/4972-36-0x00007FFC79990000-0x00007FFC799A0000-memory.dmp

    Filesize

    64KB

  • memory/4972-38-0x00007FFC79990000-0x00007FFC799A0000-memory.dmp

    Filesize

    64KB

  • memory/4972-40-0x00007FFC77820000-0x00007FFC77830000-memory.dmp

    Filesize

    64KB

  • memory/4972-39-0x00007FFC79990000-0x00007FFC799A0000-memory.dmp

    Filesize

    64KB

  • memory/4972-41-0x00007FFC77820000-0x00007FFC77830000-memory.dmp

    Filesize

    64KB

  • memory/4972-37-0x00007FFC79990000-0x00007FFC799A0000-memory.dmp

    Filesize

    64KB

  • memory/4972-111-0x00007FFC79990000-0x00007FFC799A0000-memory.dmp

    Filesize

    64KB

  • memory/4972-112-0x00007FFC79990000-0x00007FFC799A0000-memory.dmp

    Filesize

    64KB

  • memory/4972-110-0x00007FFC79990000-0x00007FFC799A0000-memory.dmp

    Filesize

    64KB

  • memory/4972-113-0x00007FFC79990000-0x00007FFC799A0000-memory.dmp

    Filesize

    64KB
