Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23/06/2024, 22:35

General

  • Target

    031b34370c6913ac54cbcbccac4a55c7_JaffaCakes118.exe

  • Size

    564KB

  • MD5

    031b34370c6913ac54cbcbccac4a55c7

  • SHA1

    d0778c193dbf76cf93df3db1d5b51b136a02c9b1

  • SHA256

    939895d56ad30824b5c8dfbd70e36e35ead9ca0cbb987fcc322212d01de25700

  • SHA512

    6dec35c09395e06069ced9496561afcb9c09b5ad80b8ac16c3f3857ca11d7e071554970dde6894eac7cee5a42d63d62db996e027c579dc2dfe52ce05efa492ae

  • SSDEEP

    6144:G7KEGlVcJboOtGY8q75yKC2qJDrNRlpwPBYgZ9fVU93eJwN6QFbSpO4XcA2n4aAL:G7Kr3QboC9qLGKgZKe4HYpHvcbT

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 4 IoCs
  • UAC bypass 3 TTPs 13 IoCs
  • Adds policy Run key to start application 2 TTPs 29 IoCs
  • Disables RegEdit via registry modification 6 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 64 IoCs
  • Checks whether UAC is enabled 1 TTPs 8 IoCs
  • Looks up external IP address via web service 8 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops autorun.inf file 1 TTPs 4 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 32 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 32 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • System policy modification 1 TTPs 41 IoCs
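The signatures above name registry-based persistence and defence-impairment behaviours (Winlogon, Run and policy Run keys, DisableRegistryTools, SafeBoot, UAC policy) without showing which registry locations are involved. The following is an added example, not Triage's own signature logic, that classifies registry writes against those behaviours. The mapping from each signature name to a registry key is an assumption (the keys such behaviours normally touch); the sample writes, their PIDs and their data are constructed for illustration and are not taken from this report.

```python
"""Classify registry writes against the persistence and defence-impairment
signatures listed above.  Added example; not Triage's own signature logic."""
import re

# ASSUMPTION: which registry locations each report signature corresponds to.
# Triage does not publish its rules; these are the keys such behaviours
# normally touch.  Each rule is (signature name, key-path regex, value-name
# regex or None for "any value").  Paths are the HKLM\ / HKCU\ short form.
RULES = [
    ("Modifies WinLogon for persistence",
     r"^HK(LM|CU)\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon$",
     r"^(Shell|Userinit)$"),
    ("Adds Run key to start application",
     r"^HK(LM|CU)\\SOFTWARE\\(WOW6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run(Once)?$",
     None),
    ("Adds policy Run key to start application",
     r"^HK(LM|CU)\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run$",
     None),
    ("Disables RegEdit via registry modification",
     r"^HK(LM|CU)\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System$",
     r"^DisableRegistryTools$"),
    ("Impair Defenses: Safe Mode Boot",
     r"^HKLM\\SYSTEM\\(CurrentControlSet|ControlSet\d{3})\\Control\\SafeBoot\\",
     None),
    # ASSUMPTION: "UAC bypass" is treated here as a write that weakens the UAC
    # policy itself (EnableLUA=0, prompt level lowered).
    ("UAC bypass",
     r"^HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System$",
     r"^(EnableLUA|ConsentPromptBehaviorAdmin|PromptOnSecureDesktop)$"),
]
COMPILED = [(name, re.compile(k, re.I), re.compile(v, re.I) if v else None)
            for name, k, v in RULES]


def classify_write(key, value_name):
    """Return the signature names one registry write (key, value name) matches."""
    return [name for name, key_re, val_re in COMPILED
            if key_re.search(key) and (val_re is None or val_re.search(value_name))]


def triage_writes(writes):
    """Group writes by matched signature.

    writes: iterable of (pid, key, value_name, data).  Returns
    {signature: [(pid, key, value_name, data), ...]} holding only matching writes.
    """
    report = {}
    for pid, key, value_name, data in writes:
        for sig in classify_write(key, value_name):
            report.setdefault(sig, []).append((pid, key, value_name, data))
    return report


# Constructed sample writes (not from the report; PIDs, names and data are made up).
SAMPLE_WRITES = [
    (1001, r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell",
     r"explorer.exe, C:\Windows\SysWOW64\dropped.exe"),
    (1001, r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "updater",
     r"C:\Users\Admin\AppData\Local\Temp\dropped.exe"),
    (1001, r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run", "1",
     r"C:\Windows\dropped.exe"),
    (1001, r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System",
     "DisableRegistryTools", "1"),
    (1001, r"HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dropped.exe", "",
     "Service"),
    (1001, r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System",
     "EnableLUA", "0"),
    # Benign: same Winlogon key, but a value the rule deliberately ignores.
    (1002, r"HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
     "ExcludeProfileDirs", r"AppData\Local;AppData\LocalLow"),
]


def run_sample():
    """Classify the constructed writes; only the six malicious ones should match."""
    return triage_writes(SAMPLE_WRITES)


if __name__ == "__main__":
    for sig, hits in run_sample().items():
        print(f"{sig}: {len(hits)} write(s)")
        for pid, key, value_name, data in hits:
            print(f"    pid={pid} {key}\\{value_name} = {data!r}")
```

The value-name filter matters: Winlogon and Policies\System hold many legitimate values, so keying only on the path would flag ordinary profile or policy settings. Feed it the registry events from an EDR or Sysmon (EventID 13) export, or a `reg query` dump of the keys above, to get the same grouping the report shows per process.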

Processes

  • C:\Users\Admin\AppData\Local\Temp\031b34370c6913ac54cbcbccac4a55c7_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\031b34370c6913ac54cbcbccac4a55c7_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1840
    • C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe
      "C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe" "c:\users\admin\appdata\local\temp\031b34370c6913ac54cbcbccac4a55c7_jaffacakes118.exe*"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Disables RegEdit via registry modification
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:4560
      • C:\Users\Admin\AppData\Local\Temp\cbkkx.exe
        "C:\Users\Admin\AppData\Local\Temp\cbkkx.exe" "-C:\Users\Admin\AppData\Local\Temp\zjdomyrgrjhsicrw.exe"
        3⤵
        • Modifies WinLogon for persistence
        • UAC bypass
        • Adds policy Run key to start application
        • Disables RegEdit via registry modification
        • Executes dropped EXE
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System policy modification
        PID:4196
      • C:\Users\Admin\AppData\Local\Temp\cbkkx.exe
        "C:\Users\Admin\AppData\Local\Temp\cbkkx.exe" "-C:\Users\Admin\AppData\Local\Temp\zjdomyrgrjhsicrw.exe"
        3⤵
        • Modifies WinLogon for persistence
        • UAC bypass
        • Adds policy Run key to start application
        • Disables RegEdit via registry modification
        • Executes dropped EXE
        • Impair Defenses: Safe Mode Boot
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Drops autorun.inf file
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • System policy modification
        PID:2084
    • C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe
      "C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe" "c:\users\admin\appdata\local\temp\031b34370c6913ac54cbcbccac4a55c7_jaffacakes118.exe"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System policy modification
      PID:2988
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4248,i,17325488789339133686,9539570259395798500,262144 --variations-seed-version --mojo-platform-channel-handle=3760 /prefetch:8
    1⤵
      PID:2444

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Program Files (x86)\mjqozyegejusvcewpkolsqbag.glw

      Filesize

      280B

      MD5

      9b874ea98058aac596d8dc3dbced32e4

      SHA1

      ce4c3c0d4ee915b9658c70d41e398251390b7828

      SHA256

      e412f8985f09ade6433586d34165f3d6d0cb1e6c14627c3fac098d67511ef953

      SHA512

      ca0c4a440d486ef444dfd2a395df8daefe926dc4a4928611f33608f5af2b040f3572c3f51574650393f9d0387c16aa4422cee9b299b5236e7ea05aad8adc7f06

    • C:\Program Files (x86)\mjqozyegejusvcewpkolsqbag.glw

      Filesize

      280B

      MD5

      3f74214a1a62852ad025226f5ed496c5

      SHA1

      401b5b1e052c69102d9e0bce7d4b3df16127bec1

      SHA256

      a6186eb2213b5e5f34589e240312b5158b1f09f4ea4a899577c10d459780a4d6

      SHA512

      a73477c5671af56f6874e7ff03f82f32d674857ea3ab00001d84f5eaf2bb11ad45a392eb96b2fdf9090ed9acdb0b1a30aa79211b2ce786d18446562a916906bc

    • C:\Program Files (x86)\mjqozyegejusvcewpkolsqbag.glw

      Filesize

      280B

      MD5

      76d36c0d8ed4e038590e61090ed27f6b

      SHA1

      95473641bf673ed7369bf43d1e8053b43205b783

      SHA256

      438a53f483aedecaa4e581e2c137002854f65561d8f977297e96f9aa87e6121a

      SHA512

      27df5a23c47da958e7db460680b552cedc93e48d8690000ecb86aa4dcd0fee00b471cabc620ebd65bf07d19c9d540b6595a062a643da91e50014d2cd613790c6

    • C:\Program Files (x86)\mjqozyegejusvcewpkolsqbag.glw

      Filesize

      280B

      MD5

      9381f1e8b69bc08239545d0237bed499

      SHA1

      44708e7c3e90112c71d48019455dd0ea78dc010e

      SHA256

      0815a1ba2e275e469fce5cb5dae326da6b3851561028ad97174e836a90d08db2

      SHA512

      be8cf18a19434624d407875d8aad6807bfe297c9f1293cec37d9a96e7e0f281d549fe13f00a1d621756e69d0a0281faf351a2499c23c529abb01c59169200c88

    • C:\Program Files (x86)\mjqozyegejusvcewpkolsqbag.glw

      Filesize

      280B

      MD5

      17d6b73805861f30ecb5bd2c2f32771e

      SHA1

      8204c410cb0a8622b020f346032281dbcc7bc783

      SHA256

      a391aca3336c0eac2c4c667ed5903e6f45f5b54426cc3130c0b25e7e868d1d54

      SHA512

      bdaa48fdc45c7216d6d3f50260a54c23bf924b63631f388c14f9dae9a1bd85d046ac421405e9b29796d5dbe625c9821f85da1e67c243082b8ab565cd69439cb7

    • C:\Program Files (x86)\mjqozyegejusvcewpkolsqbag.glw

      Filesize

      280B

      MD5

      063f9deea0c32b81116a58554a9ec017

      SHA1

      94089a831a23a498868aa131c068a5860f42c248

      SHA256

      11f7f9bb13dc39b038ff527253f8bbd1f9e1735b3dd0f9ee6a0ddf66d9bf0192

      SHA512

      a036ffa49558b8307541bbc455f60b1954f9c16df3dea809013b1ccdb9f64a9857483a2f4cb1349294f13cadc1d5543d5fb0992dc63309d1c9e1e3cb672b1fae

    • C:\Users\Admin\AppData\Local\Temp\cbkkx.exe

      Filesize

      724KB

      MD5

      e57964eb7593898ff389d9afa5fa5980

      SHA1

      f6399e7d2612ab411a6caad5dee676cf5109a6f6

      SHA256

      71fb1fa5da330100a2a4725f2af44254c4ddc4f1e2c3115cb963a3d5c729bb1c

      SHA512

      8af3be3e75831e5e2b6c1a0b75403e96af90565942bafac0e67cfd482cd4b3f26e572b260163d85ed1da0975ef992f6c5964eb3c16eaad60af166e19450587e9

    • C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe

      Filesize

      320KB

      MD5

      1d38298ec1748d8b73cab9166bb13149

      SHA1

      f341a5ff0ef23fde83e121383153612628bb536a

      SHA256

      535fa600cbf2dfcec10a805863d851908d708319c8d8700babe427d7bfc6137d

      SHA512

      721c3c7025e9b322bf046940ecb99a145f4644980fe8c6a09bdb182b655bd10652619aa87c2466bfa51d29270a0b57305231fc4b82a7c8218f03137acc062130

    • C:\Users\Admin\AppData\Local\mjqozyegejusvcewpkolsqbag.glw

      Filesize

      280B

      MD5

      c6170cf65c454e1b666bf66c7aae51b6

      SHA1

      a804ca6ac1d9be2db68f2d42bffc0c5575201134

      SHA256

      533934156ded2e469c22d4d0219ff3ae436b1d713dde247d1511e702ae208c35

      SHA512

      f04abce6c43ba773b8d44d0e1ce264d0eba2f892e1dc08a565894ad7640cd867349344cc1e8c93cc3321958c9bbee5c00db48cd1d88e3e650cfa5af6ec3cdfb8

    • C:\Users\Admin\AppData\Local\rzrawgxktjfocuhkoujrjsoypclbxgumzcgm.jbk

      Filesize

      4KB

      MD5

      e0a1555ab015c863827dd9428f2620ee

      SHA1

      df34dcc41c1e43a8dcc92b0d02726ece1ea4d08a

      SHA256

      2f05f31b6fc4bde8ef5533650dcd83c81ffee833e9236f00575ff45634f75ac4

      SHA512

      85e5b068485a971c4ff07f6d7f27545aecc8407a17f7f0a0a8e82954f3e9262c0da21a523757cfdc4ff9dafebc6e0db9e995474ca5d3571071b37d389c2796ec

    • C:\Windows\SysWOW64\pbxkkytkxrrewsjqyi.exe

      Filesize

      564KB

      MD5

      031b34370c6913ac54cbcbccac4a55c7

      SHA1

      d0778c193dbf76cf93df3db1d5b51b136a02c9b1

      SHA256

      939895d56ad30824b5c8dfbd70e36e35ead9ca0cbb987fcc322212d01de25700

      SHA512

      6dec35c09395e06069ced9496561afcb9c09b5ad80b8ac16c3f3857ca11d7e071554970dde6894eac7cee5a42d63d62db996e027c579dc2dfe52ce05efa492ae
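Two things in the listing above are worth pulling out mechanically: the file dropped at C:\Windows\SysWOW64\pbxkkytkxrrewsjqyi.exe carries exactly the hashes of the submitted sample (it is a self-copy), and C:\Program Files (x86)\mjqozyegejusvcewpkolsqbag.glw appears six times with different hashes (the same path rewritten during the run). The following is an added example, not part of the report or of Triage, that parses the flattened listing format as rendered above and answers both questions; the excerpt embedded below is copied verbatim from this report's listing, and the function and variable names are the author's own.

```python
"""Parse the flattened 'Downloads' listing that Triage reports render (a '•'
path line followed by Filesize, MD5, SHA1, SHA256 and SHA512 on successive
lines) and answer two triage questions: which dropped files are byte-identical
to the submitted sample, and which paths were written more than once with
different content.  Added example; not part of the report or of Triage."""

HASH_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}
FIELDS = ("Filesize", "MD5", "SHA1", "SHA256", "SHA512")


def parse_downloads(text):
    """Return one {'path', 'filesize', 'md5', 'sha1', 'sha256', 'sha512'} dict per entry."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    entries, i = [], 0
    while i < len(lines):
        if not lines[i].startswith("•"):
            i += 1
            continue
        entry = {"path": lines[i][1:].strip()}
        i += 1
        while i < len(lines) and not lines[i].startswith("•"):
            # A field name is followed by its value on the next non-empty line.
            if lines[i] in FIELDS and i + 1 < len(lines):
                entry[lines[i].lower()] = lines[i + 1]
                i += 2
            else:
                i += 1
        entries.append(entry)
    return entries


def validate(entry):
    """Names of hash fields that are missing, truncated or not hex (extraction damage)."""
    problems = []
    for field, length in HASH_LEN.items():
        value = entry.get(field, "")
        if len(value) != length or any(c not in "0123456789abcdefABCDEF" for c in value):
            problems.append(field)
    return problems


def self_copies(entries, sample_sha256):
    """Paths whose SHA256 equals the submitted sample's: the malware copied itself there."""
    return [e["path"] for e in entries if e.get("sha256", "").lower() == sample_sha256.lower()]


def rewritten_paths(entries):
    """Paths listed more than once with different content -> {path: number of distinct hashes}."""
    seen = {}
    for e in entries:
        seen.setdefault(e["path"], set()).add(e.get("sha256", "").lower())
    return {p: len(h) for p, h in seen.items() if len(h) > 1}


# Verbatim excerpt of this report's Downloads listing (three of the entries).
LISTING = r"""
• C:\Program Files (x86)\mjqozyegejusvcewpkolsqbag.glw
  Filesize
  280B
  MD5
  9b874ea98058aac596d8dc3dbced32e4
  SHA1
  ce4c3c0d4ee915b9658c70d41e398251390b7828
  SHA256
  e412f8985f09ade6433586d34165f3d6d0cb1e6c14627c3fac098d67511ef953
  SHA512
  ca0c4a440d486ef444dfd2a395df8daefe926dc4a4928611f33608f5af2b040f3572c3f51574650393f9d0387c16aa4422cee9b299b5236e7ea05aad8adc7f06
• C:\Program Files (x86)\mjqozyegejusvcewpkolsqbag.glw
  Filesize
  280B
  MD5
  3f74214a1a62852ad025226f5ed496c5
  SHA1
  401b5b1e052c69102d9e0bce7d4b3df16127bec1
  SHA256
  a6186eb2213b5e5f34589e240312b5158b1f09f4ea4a899577c10d459780a4d6
  SHA512
  a73477c5671af56f6874e7ff03f82f32d674857ea3ab00001d84f5eaf2bb11ad45a392eb96b2fdf9090ed9acdb0b1a30aa79211b2ce786d18446562a916906bc
• C:\Windows\SysWOW64\pbxkkytkxrrewsjqyi.exe
  Filesize
  564KB
  MD5
  031b34370c6913ac54cbcbccac4a55c7
  SHA1
  d0778c193dbf76cf93df3db1d5b51b136a02c9b1
  SHA256
  939895d56ad30824b5c8dfbd70e36e35ead9ca0cbb987fcc322212d01de25700
  SHA512
  6dec35c09395e06069ced9496561afcb9c09b5ad80b8ac16c3f3857ca11d7e071554970dde6894eac7cee5a42d63d62db996e027c579dc2dfe52ce05efa492ae
"""
# SHA256 of the submitted sample, from the General section of this report.
SAMPLE_SHA256 = "939895d56ad30824b5c8dfbd70e36e35ead9ca0cbb987fcc322212d01de25700"

if __name__ == "__main__":
    entries = parse_downloads(LISTING)
    for e in entries:
        if validate(e):
            print("damaged entry:", e["path"], validate(e))
    print("self-copies of the sample:", self_copies(entries, SAMPLE_SHA256))
    print("paths rewritten with different content:", rewritten_paths(entries))
```

Run over the full listing the self-copy check is what tells you the SysWOW64 drop needs no separate signature or hash entry, and the rewritten-path check is the hint that the .glw file is runtime state (rewritten each time, 280 bytes) rather than a payload worth hunting for by hash. The `validate` step catches the truncated or wrapped hashes that copy-pasting these reports often produces before they reach a blocklist.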