Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
  • submitted
    26/06/2024, 19:17

General

  • Target

    131ff135d3cbadbe59f927d662f8dcdc_JaffaCakes118.exe

  • Size

    572KB

  • MD5

    131ff135d3cbadbe59f927d662f8dcdc

  • SHA1

    30e8e955a61cf6f197f1e58ae9e769ffc82279c6

  • SHA256

    fbd2e2e9a43788994e7bd9f0f34240668a79c841a8c919ee79b8fcc9fda93dad

  • SHA512

    c504a3a66012c9a12cfd86246456e191e81ca912f6f5b80ceb8b8d7e41df19904880869a0a7d1da73cfa71ba96d8088a885d10c184efa5a24248d87015066448

  • SSDEEP

    12288:D2iwn/ND7S3xI66S/H3UyKxWn2hJ+MRmhhh:D213Sed0Xjh

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 4 IoCs
  • UAC bypass 3 TTPs 13 IoCs
  • Adds policy Run key to start application 2 TTPs 32 IoCs
  • Disables RegEdit via registry modification 6 IoCs
  • Executes dropped EXE 4 IoCs
  • Impair Defenses: Safe Mode Boot 1 TTPs 3 IoCs
  • Loads dropped DLL 8 IoCs
  • Adds Run key to start application 2 TTPs 64 IoCs
  • Checks whether UAC is enabled 1 TTPs 8 IoCs
  • Looks up external IP address via web service 4 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops autorun.inf file 1 TTPs 4 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 32 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 32 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • System policy modification 1 TTPs 41 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\131ff135d3cbadbe59f927d662f8dcdc_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\131ff135d3cbadbe59f927d662f8dcdc_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2984
    • C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe
      "C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe" "c:\users\admin\appdata\local\temp\131ff135d3cbadbe59f927d662f8dcdc_jaffacakes118.exe*"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2004
      • C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe
        "C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe" "-C:\Users\Admin\AppData\Local\Temp\xqcsgzkfwhjhpcza.exe"
        3⤵
        • Modifies WinLogon for persistence
        • UAC bypass
        • Adds policy Run key to start application
        • Disables RegEdit via registry modification
        • Executes dropped EXE
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System policy modification
        PID:2560
      • C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe
        "C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe" "-C:\Users\Admin\AppData\Local\Temp\xqcsgzkfwhjhpcza.exe"
        3⤵
        • Modifies WinLogon for persistence
        • UAC bypass
        • Adds policy Run key to start application
        • Disables RegEdit via registry modification
        • Executes dropped EXE
        • Impair Defenses: Safe Mode Boot
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Drops autorun.inf file
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • System policy modification
        PID:1200
    • C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe
      "C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe" "c:\users\admin\appdata\local\temp\131ff135d3cbadbe59f927d662f8dcdc_jaffacakes118.exe"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System policy modification
      PID:2884

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\beaaybwbcxjrjgnyvrbeaa.bwb

    Filesize

    280B

    MD5

    fa7679fc986f3b8743fcb32d62349077

    SHA1

    3f2ba0fd400f63622c249325a711d7d069e6b926

    SHA256

    bff9d803f68f66f3564ca43668c5c5ecde7e2ed921eb3754016ad3d2e11ffcf6

    SHA512

    621fa88555ca6e19dbb813261dd72ed557fe859f54db235e4af6f840e30a019bfaa1123b420b89007e3c5111ec0b828b92639409fe79ffbd8007e9ccfe470253

  • C:\Program Files (x86)\beaaybwbcxjrjgnyvrbeaa.bwb

    Filesize

    280B

    MD5

    331d50340c595128d23d9e29fbfda68a

    SHA1

    453f848632a3efa4055ea7db33e4f2bbaff8dc68

    SHA256

    d0400258f76581167a87df317033f5d62ba98db36bdd8453d1edff7a0119d0d8

    SHA512

    eb37e1dafd4a87acd0a2e83c58bb173368fbc9bf3fe33eebd7d01e8f716a76ed996356e14a6292a5ae455123608164f11fe592609089ad3e2d01b85e73a3a0d5

  • C:\Program Files (x86)\beaaybwbcxjrjgnyvrbeaa.bwb

    Filesize

    280B

    MD5

    155c0ce1bfc541aca6f9cb920fe8e0f9

    SHA1

    fd0d80f8a50ac724fa0467ea94e215055c0a113a

    SHA256

    f0bf4d04a62be5c58d791b42cb5c26f6557ae85e932aa4e00f8ee3afc4e8f5e4

    SHA512

    bf568b1d05b7cb093f126d5017892816553bc326e44b5aecec72114cf210f5cdf5347757eeedbc49df70427f87c01cd48359b76a5486924bc1f35a2835a6e488

  • C:\Program Files (x86)\beaaybwbcxjrjgnyvrbeaa.bwb

    Filesize

    280B

    MD5

    9f7795f46862bb70238e4243a67cb540

    SHA1

    f6366928d70f9901c199f19aff856d75f7a4f166

    SHA256

    7034d5346b4e864991dce66000084766f53f8666dd26a01549981aa1af49fb6f

    SHA512

    a353e27388b97eb790fc23e88351a27ba932bfe90aa7a13693cacea97a9f1d43b48853bf07a25424df0abd4198b4bd65a9663501641a333fc1d3bc8e552af13b

  • C:\Users\Admin\AppData\Local\beaaybwbcxjrjgnyvrbeaa.bwb

    Filesize

    280B

    MD5

    6bea0347a7a7e2a83f82a68a03eb207b

    SHA1

    12295dc3c0c0a82e99163ea993fca2de6bd3889b

    SHA256

    b6ac9d56434ce75c38e889e34938c34709cd67a7f614e591e15bbf5cf68be7d9

    SHA512

    9dab5c69cbcc4bdc1dee90f422766ffe52f9f28836166bad0faa0a3b51ca9156a8daf6f1b72cab5e6216981bd8db1ab1ba5107bb3df32e1b8a79d3f3adfdc27e

  • C:\Users\Admin\AppData\Local\beaaybwbcxjrjgnyvrbeaa.bwb

    Filesize

    280B

    MD5

    4f18d2d463d4020fa417ff1961466841

    SHA1

    a4e0a48fbd920f650193723c86bd1378dd1dbb76

    SHA256

    5de41dc860d4a1a6c1d4b6b56b33fd0c067a1bd1729e44ab8f7adc06b8406824

    SHA512

    fc7bda6f82579af920f6c1a054981dface2c2c685b28ef6014a37cb54f4109184731069f5776296dbcfaaec2a074c88c12e0e0588694520e322952de41e04777

  • C:\Users\Admin\AppData\Local\beaaybwbcxjrjgnyvrbeaa.bwb

    Filesize

    280B

    MD5

    cdfc5d1a0cc9ecf05caebef5286176e0

    SHA1

    c122c852a2cd90ab5b4950a094ff3adbad068f32

    SHA256

    145714f0c5b772860d81d18450008cc5dbc6e2f2ea1d81c22441995a30a0398a

    SHA512

    711dc861e396763382119f64bbb202952da10080e3864c5aec02e3339b2e2932818f5ee74ca7b0b9018e27f2f16bcf3f07d113a95f15e61466f406ca85b47128

  • C:\Users\Admin\AppData\Local\sgnyhvbrdjgzckcygniwdoxlrhtzwpsas.wdy

    Filesize

    4KB

    MD5

    157f81d8a4448ba3f700ecfcd41116ab

    SHA1

    a149291385ddcf8179d26e2c8fdcb3847ba9165e

    SHA256

    8ef5ba774658efae5b42df4cd6b01b5c76f91bb2aa39d8e3479c0ae05d1221f1

    SHA512

    5c74fbd92aa0cd99352954af1fca5b986e7ec4086c538e68f86f297983045c854a5fbc60f11d4fe4adba3f9a1c18ec03ea1a7263a640c4f18825f55fab253990

  • C:\Windows\SysWOW64\niwoezmjcpttdsrujx.exe

    Filesize

    572KB

    MD5

    131ff135d3cbadbe59f927d662f8dcdc

    SHA1

    30e8e955a61cf6f197f1e58ae9e769ffc82279c6

    SHA256

    fbd2e2e9a43788994e7bd9f0f34240668a79c841a8c919ee79b8fcc9fda93dad

    SHA512

    c504a3a66012c9a12cfd86246456e191e81ca912f6f5b80ceb8b8d7e41df19904880869a0a7d1da73cfa71ba96d8088a885d10c184efa5a24248d87015066448

  • C:\sgnyhvbrdjg.bat

    Filesize

    504KB

    MD5

    ded93dada5a6ff36b4ee07e8c5224762

    SHA1

    755d8608cb7e092487570ddb435e8135c5eede6e

    SHA256

    5040c6970a5e3f8a0b08d7fe34ebc1a5ce3d70e22000176dd7b9703b2a131dc7

    SHA512

    f2f379aa49e21b534d7d7994fef0da4b764b6fd5aed9e592f24d016b6f7a66a8a68553fac639ec281f0af9db50fcd0ae9069da0ddadb2dc6c5f80f75b27d4fdd

  • \Users\Admin\AppData\Local\Temp\atwewsahkdg.exe

    Filesize

    320KB

    MD5

    8b7781277ff9baab32f9a7b0ae6b96fa

    SHA1

    c6a8e4d5f6e8ca73ad4b1edcdb4c1c2f2119cfe3

    SHA256

    0f67205bb9d5fa465993ffa257d6f38fb4ab5e4528e6910b4568867291ffb28e

    SHA512

    9f92d621889596515cb84b69331e8eafe1d5308901d225d75c86cc2da2ad2f7c590d6f857fab0a0811d9dc323363287f45ff5372b7c35361e43332fbc1103b33

  • \Users\Admin\AppData\Local\Temp\yilsxhj.exe

    Filesize

    720KB

    MD5

    c68fbba348e38db256b5e16afc0df078

    SHA1

    9c58a86589dda1aeb8d96e87fad050f6aba00e6b

    SHA256

    75b98bbecf31c011aa758ef6c1b4e1381cdc061ff1a06c95bbb2d139dca7588a

    SHA512

    2bb1a5630ddaf036ea7944ab4ba2058211c166f1c27c7198b1babf79f418adcbe23811eeae444f1ad1ebaea0964179170ea5ec7ae3605e40e64590fe0a3343c0