Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    150s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    17/06/2024, 07:51

General

  • Target
    b77c8b39957fbd5ea7a975a087b023f4_JaffaCakes118.exe
  • Size
    512KB
  • MD5
    b77c8b39957fbd5ea7a975a087b023f4
  • SHA1
    8c79340d37de7a470fceefdfb67c44cb02921c1e
  • SHA256
    a9bebb9e46144414c65aa8d75f557e983e20824570cf68aa3f74f3e98fdea859
  • SHA512
    254357c3a85a19cd23f3e1e88b87ead7386ac51a1d16334e1f6637167f31a8a537412f8fe73dddffcfe98d1f139fdceecfc988fca4bf0b4acf7a7fdf29d0acd0
  • SSDEEP
    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6L:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm50

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Modifies Installed Components in the registry 2 TTPs 2 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 7 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 49 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\b77c8b39957fbd5ea7a975a087b023f4_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\b77c8b39957fbd5ea7a975a087b023f4_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2512
    • C:\Windows\SysWOW64\zeddrpedgb.exe
      zeddrpedgb.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2224
      • C:\Windows\SysWOW64\kpdiotua.exe
        C:\Windows\system32\kpdiotua.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2436
    • C:\Windows\SysWOW64\fqjyucwglmyeyci.exe
      fqjyucwglmyeyci.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1692
    • C:\Windows\SysWOW64\kpdiotua.exe
      kpdiotua.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3060
    • C:\Windows\SysWOW64\zhgbjhhjpocnc.exe
      zhgbjhhjpocnc.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2628
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:1800
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies Installed Components in the registry
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1608
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies Installed Components in the registry
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2264

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe
    Filesize: 512KB
    MD5: 2579ff5fb2b5d1f3a18dc34904930133
    SHA1: e6a8a99c56dfe86c5fa5a4c4e3c44cfac7547691
    SHA256: 1268d3074b0e1ce5fb3a2136469aa492188dd1f1e4e666a7d9ef5c7a8baa0058
    SHA512: 3af4a2826e085c0d951e51d124f8d0222018eb833e08c34509eb7735e0d0920acb7b8c7f6271be50d7291d0af724ff6b929a3dc9e115fe43bbe3c5bd6f25d29f

  • C:\Users\Admin\Downloads\CopyImport.doc.exe
    Filesize: 512KB
    MD5: 60d8cedf949f22c1e0f5e00a64fd0d73
    SHA1: 16765bae0f16f406e9f3ec6c1a4ede5b1c0d8925
    SHA256: cd775f29fd79c592833290ce010e17ed9dbe725622551731502a61082b0cb6c4
    SHA512: 52485f2ef7d3adf4cdc0c89cc4dfe0be71c05f5b5b72e9fd382ff7f00ee15949a396317c362e09c9bd509dcf73cd3cf68bd06cf5cab391b666cfca275c9beba1

  • C:\Windows\SysWOW64\fqjyucwglmyeyci.exe
    Filesize: 512KB
    MD5: 043d9940c6c1f2159ff03731c04dfb2d
    SHA1: 6b541131d64b091af7ee98c2950c5f6570a2dac0
    SHA256: 90fd3574fa1f7ef34541ecfcfef24c34c9e8de0891df610dd430852c431b23d0
    SHA512: ccc7a5bd1a0a6c2131cb600c4c34d00a1e5b738c9fddadc31186750bc11d27b143c6fdf5989855630f544271f32ef773b99af3277af8f2021fa5a7ca78bbf01e

  • C:\Windows\mydoc.rtf
    Filesize: 223B
    MD5: 06604e5941c126e2e7be02c5cd9f62ec
    SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
    SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
    SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

  • \Windows\SysWOW64\kpdiotua.exe
    Filesize: 512KB
    MD5: 3c6dd42703e52ac44f6c27d3884f3d21
    SHA1: ed6cc7f3f0e489797d85e2a7513907793cd52567
    SHA256: bf10edca1c4a82890c7c210744694188c0316f01dd67fc31ec8888a31572f802
    SHA512: ca84cfd1b1450c23f98f46d591a777ec2b87d3d20b54129ff70c870191fa42e3b7a8ba502ad345fc412c03cac6807b62add2588dc971c6ad3a148cf49701f089

  • \Windows\SysWOW64\zeddrpedgb.exe
    Filesize: 512KB
    MD5: 387fa58e31de04a621e39393fac127bc
    SHA1: 16dfe91aef608cd18f91e9fab6161db110474487
    SHA256: b1edbcc449f3c5031a5b5bdd86f2251eb1c295233407a663c516a63e0a77e8c6
    SHA512: bdc7b443bda7a65c78cfb2928e3a415315ca1767edfdb1bd316a1a171bd2e6ca635009037117f816cb3901b1ae2fcd3f3ac5c6944a2ae1ac9b3689e9158638de

  • \Windows\SysWOW64\zhgbjhhjpocnc.exe
    Filesize: 512KB
    MD5: b4f727983ecf434f76ff0ef35961afce
    SHA1: 1417299ffcdd1e81d9b9260a69e71212f61d90d0
    SHA256: 4a8bdc21b7c8fe90322db1a8f40e678a351bff045ae9f3f8673bad0ca3348bae
    SHA512: b76211440b49182385719a547abcd8930a5a118721c9ff87d4e28fae3f75db05ee95610d570b9d8cfe29a08c2640ce5adaa6733231b63f9bd3815b57152ed5c1

  • memory/1800-45-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize: 64KB

  • memory/2264-84-0x0000000002960000-0x0000000002970000-memory.dmp
    Filesize: 64KB

  • memory/2512-0-0x0000000000400000-0x0000000000496000-memory.dmp
    Filesize: 600KB