Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
  • submitted
    23/06/2024, 22:35

General

  • Target

    031b34370c6913ac54cbcbccac4a55c7_JaffaCakes118.exe

  • Size

    564KB

  • MD5

    031b34370c6913ac54cbcbccac4a55c7

  • SHA1

    d0778c193dbf76cf93df3db1d5b51b136a02c9b1

  • SHA256

    939895d56ad30824b5c8dfbd70e36e35ead9ca0cbb987fcc322212d01de25700

  • SHA512

    6dec35c09395e06069ced9496561afcb9c09b5ad80b8ac16c3f3857ca11d7e071554970dde6894eac7cee5a42d63d62db996e027c579dc2dfe52ce05efa492ae

  • SSDEEP

    6144:G7KEGlVcJboOtGY8q75yKC2qJDrNRlpwPBYgZ9fVU93eJwN6QFbSpO4XcA2n4aAL:G7Kr3QboC9qLGKgZKe4HYpHvcbT

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 4 IoCs
  • UAC bypass 3 TTPs 13 IoCs
  • Adds policy Run key to start application 2 TTPs 28 IoCs
  • Disables RegEdit via registry modification 6 IoCs
  • Executes dropped EXE 4 IoCs
  • Impair Defenses: Safe Mode Boot 1 TTPs 3 IoCs
  • Loads dropped DLL 8 IoCs
  • Adds Run key to start application 2 TTPs 64 IoCs
  • Checks whether UAC is enabled 1 TTPs 8 IoCs
  • Looks up external IP address via web service 4 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops autorun.inf file 1 TTPs 4 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 32 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 32 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • System policy modification 1 TTPs 41 IoCs
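
The report names signature classes and IoC counts but does not show the registry keys or values this sample actually writes. The following PowerShell is an added example, not part of the Triage report and not the sample's own code: it checks a live host for the standard locations behind each signature above (Winlogon Shell/Userinit, Run and Policies\Explorer\Run keys, DisableRegistryTools, EnableLUA, SafeBoot, autorun.inf on mounted volumes). The Run-key path filter and the SafeBoot subkey-name test are heuristics chosen for this example, and the function name is an assumption.

```powershell
# Added example, not part of the Triage report. Checks the persistence and
# defence-impairment locations behind the report's signatures. Every key here
# is the standard location for that technique, not a value copied from the
# sample. Run from an elevated PowerShell prompt; returns one finding per line.

function Invoke-TriageHostCheck {
    $findings = New-Object System.Collections.Generic.List[string]

    # "Modifies WinLogon for persistence": Shell and Userinit run at every logon,
    # so any extra path appended to them is a persistence mechanism. The
    # Userinit pattern assumes the system drive is C:; any other value is
    # reported for manual review rather than silently accepted.
    $wl = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    if ($wl.Shell -ne 'explorer.exe') {
        $findings.Add("Winlogon Shell is '$($wl.Shell)' (expected explorer.exe)")
    }
    if ($wl.Userinit -notmatch '^C:\\Windows\\system32\\userinit\.exe,?$') {
        $findings.Add("Winlogon Userinit is '$($wl.Userinit)'")
    }

    # "Adds Run key" / "Adds policy Run key": Policies\Explorer\Run is rarely
    # populated on a clean host, so every entry there is reported ($true).
    # Ordinary Run entries are reported only when they point into the staging
    # paths this sample drops into (%TEMP%, AppData, SysWOW64) - a heuristic.
    $runKeys = @{
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'                   = $false
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'       = $false
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'                   = $false
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run' = $true
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run' = $true
    }
    $metaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($key in $runKeys.Keys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty $key).PSObject.Properties) {
            if ($metaProps -contains $p.Name) { continue }
            if ($runKeys[$key] -or $p.Value -match '\\Temp\\|\\AppData\\|\\SysWOW64\\') {
                $findings.Add("Run entry $key\$($p.Name) = '$($p.Value)'")
            }
        }
    }

    # "Disables RegEdit via registry modification", "Checks whether UAC is
    # enabled" / "UAC bypass": both live under Policies\System.
    $sysPolicy = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    foreach ($hive in 'HKLM:', 'HKCU:') {
        $key = "$hive\$sysPolicy"
        if (-not (Test-Path $key)) { continue }
        $pol = Get-ItemProperty $key
        if ($pol.DisableRegistryTools) {
            $findings.Add("$key\DisableRegistryTools = $($pol.DisableRegistryTools)")
        }
        if ($hive -eq 'HKLM:' -and $pol.EnableLUA -eq 0) {
            $findings.Add('UAC is disabled (EnableLUA = 0)')
        }
    }

    # "Impair Defenses: Safe Mode Boot": malware that wants to survive Safe Mode
    # replaces AlternateShell or registers itself under Minimal/Network.
    # Flagging subkeys named like executables is a heuristic, not a proof.
    $safeBoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'
    $altShell = (Get-ItemProperty $safeBoot).AlternateShell
    if ($altShell -and $altShell -ne 'cmd.exe') {
        $findings.Add("SafeBoot AlternateShell is '$altShell'")
    }
    foreach ($mode in 'Minimal', 'Network') {
        foreach ($sub in (Get-ChildItem "$safeBoot\$mode" -ErrorAction SilentlyContinue)) {
            if ($sub.PSChildName -match '\.exe$') {
                $findings.Add("SafeBoot\$mode contains '$($sub.PSChildName)'")
            }
        }
    }

    # "Drops autorun.inf file": check the root of every mounted volume and show
    # what the file would launch, since that is the spreading vector.
    foreach ($drive in (Get-PSDrive -PSProvider FileSystem)) {
        $inf = Join-Path $drive.Root 'autorun.inf'
        if (Test-Path -LiteralPath $inf -ErrorAction SilentlyContinue) {
            $launch = (Get-Content -LiteralPath $inf -ErrorAction SilentlyContinue |
                Where-Object { $_ -match '^\s*(open|shellexecute)\s*=' }) -join '; '
            $findings.Add("autorun.inf on $($drive.Root): $launch")
        }
    }
    return $findings
}

Invoke-TriageHostCheck | ForEach-Object { Write-Output "[!] $_" }
```

The .NET List is used instead of an ArrayList so that Add() returns nothing and does not pollute the function's output. A clean Windows 7 host should produce no findings; a Winlogon or Policies\Explorer\Run hit is worth treating as a confirmed compromise, while the Temp/AppData Run filter needs a human to rule out legitimate updaters.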

Processes

  • C:\Users\Admin\AppData\Local\Temp\031b34370c6913ac54cbcbccac4a55c7_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\031b34370c6913ac54cbcbccac4a55c7_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2168
    • C:\Users\Admin\AppData\Local\Temp\tiovyrrldsy.exe
      "C:\Users\Admin\AppData\Local\Temp\tiovyrrldsy.exe" "c:\users\admin\appdata\local\temp\031b34370c6913ac54cbcbccac4a55c7_jaffacakes118.exe*"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1376
      • C:\Users\Admin\AppData\Local\Temp\jutbgs.exe
        "C:\Users\Admin\AppData\Local\Temp\jutbgs.exe" "-C:\Users\Admin\AppData\Local\Temp\vqzrgcphticwhtbz.exe"
        3⤵
        • Modifies WinLogon for persistence
        • UAC bypass
        • Adds policy Run key to start application
        • Disables RegEdit via registry modification
        • Executes dropped EXE
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System policy modification
        PID:2964
      • C:\Users\Admin\AppData\Local\Temp\jutbgs.exe
        "C:\Users\Admin\AppData\Local\Temp\jutbgs.exe" "-C:\Users\Admin\AppData\Local\Temp\vqzrgcphticwhtbz.exe"
        3⤵
        • Modifies WinLogon for persistence
        • UAC bypass
        • Adds policy Run key to start application
        • Disables RegEdit via registry modification
        • Executes dropped EXE
        • Impair Defenses: Safe Mode Boot
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Drops autorun.inf file
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • System policy modification
        PID:2380
    • C:\Users\Admin\AppData\Local\Temp\tiovyrrldsy.exe
      "C:\Users\Admin\AppData\Local\Temp\tiovyrrldsy.exe" "c:\users\admin\appdata\local\temp\031b34370c6913ac54cbcbccac4a55c7_jaffacakes118.exe"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System policy modification
      PID:2956

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\agaddkiliinsolendnsysvv.ada

    Filesize

    280B

    MD5

    df483996473a6718c2bb37a394d71936

    SHA1

    5dc3312178ff09d2032c96c6da48e93ce058892f

    SHA256

    20f030ce5223e537d8cc479c255e57a6c0dbc44fb0b23f45f18b1d1b573f81f9

    SHA512

    de274a86545c2305c315ce825bc35a4cb4a14e9bd92fbbb4707a1e33cb5419728108e64f17c290d89f11222a034651c2da3601cbcde9f698d5810ad0fa9af188

  • C:\Program Files (x86)\agaddkiliinsolendnsysvv.ada

    Filesize

    280B

    MD5

    4baa6819f1f9589ce90bf2eee49122a7

    SHA1

    4c57de943fa8d0217f5ecb90f9128ed75233e299

    SHA256

    8c201ba1c6c691624c75dccb89e43d559421b238d3fb2f6e96fadba7d3136d13

    SHA512

    bcbef982123cce800bf10838747f14ca9fa0380ecaf481bdae34d1caa052c44a8c135106eccdee5803b3440783620b0a53ee8909f6508454fabd34a756498d38

  • C:\Users\Admin\AppData\Local\agaddkiliinsolendnsysvv.ada

    Filesize

    280B

    MD5

    5e604153f4e56805e153ec4d280403bb

    SHA1

    90e39f67a9cab50afd4f41c4ed022b77ceb5d596

    SHA256

    04e8b5e56f987cabaddd894fff110c5ec5641a06cb8c467dc434253d08f610ea

    SHA512

    2f6d989a852638a26bca16f8ea61480664604b78969be6c8d1b10ba27170d996cb0bbe5d4994cd3dffbf1f4cdfc7f7c7b3f3a2a9738149fd42fbff10f141fa82

  • C:\Users\Admin\AppData\Local\agaddkiliinsolendnsysvv.ada

    Filesize

    280B

    MD5

    0ea21fc408ac52cbc3022f1923c48d8c

    SHA1

    cdbcf206aa4644b9960522731b6489e707dd8dfc

    SHA256

    4f76055596d5652a38bd6ef4c7d99a85307a4b72979f4047f3f296803bbe3fac

    SHA512

    a3865d7a3c5e4ad23e9e850af7e5da8fe6815012be6652b34dacb44649899c4ec33f9417ecb14cd7eedc5fd8ffc49761ca4c59a6e65d432c4d638886c063a05c

  • C:\Users\Admin\AppData\Local\agaddkiliinsolendnsysvv.ada

    Filesize

    280B

    MD5

    83eec3a67a302039412f35c90d529d7c

    SHA1

    8c5bc88452467991a74da93ec2b5b847850d7549

    SHA256

    bc3a22996be6f15554a4bf29ddf020b5a49b06460af8f59cbe3d6df12db96b1c

    SHA512

    59822b5181d115dfa1e203885c13426575db6bb42cc4a8163e331127623b568606998f3701625c9e8da7cb0ec840655c081d19bf8369fa01cf7aaa21371428d5

  • C:\Users\Admin\AppData\Local\agaddkiliinsolendnsysvv.ada

    Filesize

    280B

    MD5

    881aab93ad97cac29936c879a7fcac69

    SHA1

    e724913366f20c92a08ed20c69ab74b800d7380c

    SHA256

    2c9c061ba007428003928ec657aa3c827be6417a6460182a09e9d5d5e306bb75

    SHA512

    541984193beb4f9aa4af5f45ff99fce2e4aa7bf12fa063d61b5ec6cfd70c8d06da0fd4a90a87fc0b8569d65271a1894a3882f01da2c671f6daa1e1856da35faa

  • C:\Users\Admin\AppData\Local\agaddkiliinsolendnsysvv.ada

    Filesize

    280B

    MD5

    4321db089362efbaa55af7a8778b92b0

    SHA1

    c2fef3f8130d6f1b284f02e8f7940ed22e77ff36

    SHA256

    4e536bb40d2727707ec2cbc8f38372432eaf346779cde1a7c21e68746a143d26

    SHA512

    7a5558563e29f8ecdf383693d5abcd0ad2befc956c50a321e830587c8dca877dadaf6b49375ee4ed3c81f75d758192983c71e6986a3caf1d6e94f5f53b93ecff

  • C:\Users\Admin\AppData\Local\nejxiajxfqgwdlpjkfvmrfqirfnyoeltxr.ndu

    Filesize

    4KB

    MD5

    045840b107400df29459b8315fcd560e

    SHA1

    3112cfee7dd02b7e38c48ff61b09157a94e37911

    SHA256

    66ad72cc47c5c2f23c6f08057394b776960f273337dbd973d69a91e4fc68908f

    SHA512

    dc49e152c996f2b6e830f1ce8217f23f1f2985028ab761886d1f7741a65340a5f5baff8916136056b70bc307d2372f8d69802e52ffa0e4dd680cc77d2e27fefc

  • C:\Windows\SysWOW64\litnecrlzqmivjttab.exe

    Filesize

    564KB

    MD5

    031b34370c6913ac54cbcbccac4a55c7

    SHA1

    d0778c193dbf76cf93df3db1d5b51b136a02c9b1

    SHA256

    939895d56ad30824b5c8dfbd70e36e35ead9ca0cbb987fcc322212d01de25700

    SHA512

    6dec35c09395e06069ced9496561afcb9c09b5ad80b8ac16c3f3857ca11d7e071554970dde6894eac7cee5a42d63d62db996e027c579dc2dfe52ce05efa492ae

  • \Users\Admin\AppData\Local\Temp\jutbgs.exe

    Filesize

    720KB

    MD5

    a2f9cf358e110cd92de351f245f6176f

    SHA1

    b6b66b85fbe9f6bb7c1459bd173c0454cbdc454d

    SHA256

    b9b222700762c392beae582512df1d0468d1d247ed7075a8b35be3f7d7637e14

    SHA512

    eb93a3c958d87fa2a530e4e54d75caa3069b2f0de52b2096686a2e9cfffbb1a55665d0d3a32a176693547a1fb65601eb87d79022e911424ec0c29c58e623bb0d

  • \Users\Admin\AppData\Local\Temp\tiovyrrldsy.exe

    Filesize

    320KB

    MD5

    9f85776f207cb712552c7feb1a5a5c88

    SHA1

    e4aa69c1485198cbfdf431a62b545ac99920b4b6

    SHA256

    2d69ed157346f6920ddfe04aa3244f82d2e88abf13e628533243380c752ead53

    SHA512

    59f7b06f25b3c4c752973b1dbf3881fde09a4817df39399977863411201049ecf82fc140d97ee2bd48753c913c3ed8d9447cb1efdac2d366a93ace4f459cf7e1
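
Two things stand out in the Downloads list: C:\Windows\SysWOW64\litnecrlzqmivjttab.exe has exactly the submitted sample's size and all four hashes, so the "Drops file in System32 directory" signature is at least partly a self-copy, and agaddkiliinsolendnsysvv.ada is written seven times (under Program Files (x86) and AppData\Local) with a different 280-byte content each time, so its hashes are useless as IoCs. The PowerShell sweep below is an added example, not the report's code: it hashes files under the directories the sample drops into, matches them against the SHA256 values listed above, matches the volatile files by name, and reports any self-copies of the sample. The root directories, the function names and the 2 MB hashing cut-off are assumptions for this example.

```powershell
# Added example, not part of the Triage report. Sweeps the drop directories
# seen in the report for files matching its hashes or names and reports
# self-copies of the submitted sample. Works on Windows PowerShell 2.0 and
# later (uses .NET hashing rather than Get-FileHash). Run elevated.

# SHA256 values copied from the report (submitted sample and dropped files).
$ParentSha256 = '939895d56ad30824b5c8dfbd70e36e35ead9ca0cbb987fcc322212d01de25700'
$KnownSha256 = @{
    $ParentSha256 = 'submitted sample / C:\Windows\SysWOW64\litnecrlzqmivjttab.exe'
    'b9b222700762c392beae582512df1d0468d1d247ed7075a8b35be3f7d7637e14' = 'jutbgs.exe (720KB)'
    '2d69ed157346f6920ddfe04aa3244f82d2e88abf13e628533243380c752ead53' = 'tiovyrrldsy.exe (320KB)'
    '66ad72cc47c5c2f23c6f08057394b776960f273337dbd973d69a91e4fc68908f' = 'nejxiajxfqgwdlpjkfvmrfqirfnyoeltxr.ndu (4KB)'
}
# The .ada file has seven different hashes in one run, so it and the other
# dropped names are matched by file name instead of content.
$NameIocs = 'agaddkiliinsolendnsysvv.ada', 'nejxiajxfqgwdlpjkfvmrfqirfnyoeltxr.ndu',
            'litnecrlzqmivjttab.exe', 'jutbgs.exe', 'tiovyrrldsy.exe', 'vqzrgcphticwhtbz.exe'

function Get-Sha256Hex([string]$Path) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join ''
    } finally {
        $stream.Close()
        $sha.Clear()
    }
}

function Find-ReportArtifacts([string[]]$Roots) {
    $hits = @()
    $byHash = @{}   # sha256 -> list of paths, used to detect self-copies
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        $files = Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer }
        foreach ($f in $files) {
            if ($NameIocs -contains $f.Name) {
                $hits += "name match: $($f.FullName) ($($f.Length) bytes)"
            }
            # Hash only the extensions seen in the report and only small files,
            # so the sweep stays cheap under LocalAppData and SysWOW64.
            if ($f.Extension -match '^\.(exe|dll|ada|ndu)$' -and $f.Length -lt 2MB) {
                $h = Get-Sha256Hex $f.FullName
                if ($KnownSha256.ContainsKey($h)) {
                    $hits += "hash match: $($f.FullName) = $($KnownSha256[$h])"
                }
                if (-not $byHash.ContainsKey($h)) { $byHash[$h] = @() }
                $byHash[$h] += $f.FullName
            }
        }
    }
    # Every file whose content equals the submitted sample is a self-copy,
    # which is what the SysWOW64 entry in the report's Downloads list shows.
    if ($byHash.ContainsKey($ParentSha256) -and $byHash[$ParentSha256].Count -gt 1) {
        $hits += 'self-copies of the sample: ' + ($byHash[$ParentSha256] -join ', ')
    }
    return $hits
}

# Roots are the locations the report shows the sample writing to (assumed here).
$roots = "$env:SystemRoot\SysWOW64", "${env:ProgramFiles(x86)}", "$env:LOCALAPPDATA", "$env:TEMP"
Find-ReportArtifacts $roots | ForEach-Object { Write-Output "[!] $_" }
```

Only SHA256 is compared because a match on one strong hash already implies the others; the MD5/SHA1/SHA512 columns in the report are there for cross-referencing with other feeds, not for independent verification. Hashing every small executable under SysWOW64 takes a few minutes on Windows 7, which is the price of catching a self-copy under a name that differs from the one in this run.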