Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
  • submitted
    27/06/2024, 00:20

General

  • Target

    1402edfdcc8d1c5f9ec36eba012a8d37_JaffaCakes118.exe

  • Size

    496KB

  • MD5

    1402edfdcc8d1c5f9ec36eba012a8d37

  • SHA1

    cfbe8acbaec2676015c7105032d1da134f31c1ab

  • SHA256

    96c5aeea64be8ac8173f07a0f8c7d252a83eb2fad215160f36078829856c0def

  • SHA512

    a9baa0af65f8c3893673becc7235a3641ba4db0ac850a120431d85c38768dd10ceeb2becc7b9983088b5c65fa644f9b2b1f72b03ab4893518b1e23263d0856d9

  • SSDEEP

    6144:aKEGlVcJboOtGY8q75yKC2qJDrNRlpwPBYgZ9fVU93eJwN6QFbSpO4XcA2n4aA8:aKr3QboC9qLGKgZKe4HYpHvcbT

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 4 IoCs
  • UAC bypass 3 TTPs 13 IoCs
  • Adds policy Run key to start application 2 TTPs 29 IoCs
  • Disables RegEdit via registry modification 6 IoCs
  • Executes dropped EXE 4 IoCs
  • Impair Defenses: Safe Mode Boot 1 TTPs 3 IoCs
  • Loads dropped DLL 8 IoCs
  • Adds Run key to start application 2 TTPs 64 IoCs
  • Checks whether UAC is enabled 1 TTPs 8 IoCs
  • Looks up external IP address via web service 4 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops autorun.inf file 1 TTPs 4 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 32 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 32 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • System policy modification 1 TTPs 41 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1402edfdcc8d1c5f9ec36eba012a8d37_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\1402edfdcc8d1c5f9ec36eba012a8d37_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1912
    • C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe
      "C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe" "c:\users\admin\appdata\local\temp\1402edfdcc8d1c5f9ec36eba012a8d37_jaffacakes118.exe*"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2812
      • C:\Users\Admin\AppData\Local\Temp\loaamr.exe
        "C:\Users\Admin\AppData\Local\Temp\loaamr.exe" "-C:\Users\Admin\AppData\Local\Temp\xkgqmblisagxtlbx.exe"
        3⤵
        • Modifies WinLogon for persistence
        • UAC bypass
        • Adds policy Run key to start application
        • Disables RegEdit via registry modification
        • Executes dropped EXE
        • Impair Defenses: Safe Mode Boot
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Drops autorun.inf file
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • System policy modification
        PID:2508
      • C:\Users\Admin\AppData\Local\Temp\loaamr.exe
        "C:\Users\Admin\AppData\Local\Temp\loaamr.exe" "-C:\Users\Admin\AppData\Local\Temp\xkgqmblisagxtlbx.exe"
        3⤵
        • Modifies WinLogon for persistence
        • UAC bypass
        • Adds policy Run key to start application
        • Disables RegEdit via registry modification
        • Executes dropped EXE
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System policy modification
        PID:2660
    • C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe
      "C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe" "c:\users\admin\appdata\local\temp\1402edfdcc8d1c5f9ec36eba012a8d37_jaffacakes118.exe"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System policy modification
      PID:1652

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\femiqrnwsmehptvdqnmuqyzv.aum

    Filesize

    280B

    MD5

    87a1b9c2fb7e43b4706a4e3e180c1788

    SHA1

    cd8cc6e6bf2f8654159df4169e9db5ce82a668f9

    SHA256

    c130c2220b2d90625716cbfdfdb27baab0cc8ccc74925839ef9f0c85805b54cb

    SHA512

    adedd4c81a6fceb586e437a1c434b260bb2c496939237c5b696e1134bd769a32680289d54ebad0d2b94ccce234fce36932787b871224a8778506f131b6cd3dbd

  • C:\Program Files (x86)\femiqrnwsmehptvdqnmuqyzv.aum

    Filesize

    280B

    MD5

    a7df3efdf40341d4172f6c8cd21af5ee

    SHA1

    8d43ca8ad69f37c73cf498fba1d4fd8e70aec663

    SHA256

    c08002f040016dfdafd0d748ea1c417cd2d006d56f39ef4740a93d692f0aaf84

    SHA512

    5100279717f98e8cbb4c1edd4d360aa4c259f2713afc1c1181bb35c359bfc18c055aa93d4a5c8b0e388b4446375e0bc3a8d8488ddef6e1c4d6225090e81d7b6c

  • C:\Program Files (x86)\femiqrnwsmehptvdqnmuqyzv.aum

    Filesize

    280B

    MD5

    f9b3d857c2357e90300fb60160c28bf4

    SHA1

    138380cb9f082ae45589d9bb4bca81d8e8ba92ac

    SHA256

    96c9e21c6a15d315470149661358aaa160396546db464315a01e43d61fa1de91

    SHA512

    f140997aed45b39b84cf1a6fdf54cc1e3f6dd2e3a28d22426f13c80e813526b58d77dbb1988068faecade53c54b58c7b5382da08371c2711257a6f895dcf9304

  • C:\Program Files (x86)\femiqrnwsmehptvdqnmuqyzv.aum

    Filesize

    280B

    MD5

    1a5fd6f8b48ac7a56adffc534ec411a0

    SHA1

    b2b544c3c3c494b52a5a97666d68cd57f4f883a9

    SHA256

    e57539b17ada985918b11fccc7dbd5e61bdd5b426962fc56e674a7f265ed81d5

    SHA512

    730044355b293294ce1f5e303d4463675cbc34e4ced7cac1e12f3e9f6dceaaa98d728aec081b49cc40e4b8aa6709d4dc765cda9f14941c1e95f1add00719961a

  • C:\Users\Admin\AppData\Local\femiqrnwsmehptvdqnmuqyzv.aum

    Filesize

    280B

    MD5

    d248acdb9149d1d5535de002eec46e84

    SHA1

    5ab2be1e0beedfd64bebc04e186c09551388013a

    SHA256

    43c01c062d2362cb26cdf0a55ec61ebcd116f3a9d0487448dfcbdd19cc921966

    SHA512

    58ff2aeff614602761377c70ec0671c4fb49d6ee88af25f05c81ee9dc805ff375e4bd632f93836fcb60500b33479a23c74d2a743ab5849497c3a9ceb18755834

  • C:\Users\Admin\AppData\Local\femiqrnwsmehptvdqnmuqyzv.aum

    Filesize

    280B

    MD5

    f5593508bf59de9ab7ba2c6288bd1f1b

    SHA1

    af92de2ad116660441caab8182744dbd3345897d

    SHA256

    3a1d5c09d3311bb72823ff1e0a470f839d7a6c135c8aa325105ec4b064a024c1

    SHA512

    41cc3433d6dc1b93382ba6182aba780d6d9c91b701c4f86e357dcd0b7e0e0577b6ec0574bfb7c7b08a626cec994b1923a17f6a5a1cb1fc53ed4dcec7f024fbc2

  • C:\Users\Admin\AppData\Local\femiqrnwsmehptvdqnmuqyzv.aum

    Filesize

    280B

    MD5

    b7429e737babd07b475ab65dc0442b4e

    SHA1

    69b6b39bafc9396fd0615a754ff1c81779822250

    SHA256

    63c34bedfde8f3d3a2c03f70dd2486cc54a63b4f4ebfa45aae0a53395138e285

    SHA512

    4782a6c18c2575a4e73cd029d0b48dda6a332034b54ce46ca29cfb74e915668b9c22d5886c0362016e9b88a988cb62bc51a3fcee957fc010c63a6d7c6d45ecc6

  • C:\Users\Admin\AppData\Local\femiqrnwsmehptvdqnmuqyzv.aum

    Filesize

    280B

    MD5

    d8000634ff1f272ff1ce7f911616cc17

    SHA1

    3b86cc0de072811f50c7f8dadbb065afc83d647f

    SHA256

    e3f23a246ca6278ae192c3b85124939afa4ff32aa48452372214133426cca213

    SHA512

    e2315ff1d62e1258c82836305cbdb6a9e517366f696193a929f96b3fd6c8e4f186a5dc7363c01da08a14791ff0cb1c8a619120973e384dfaeb27be4ebdb53031

  • C:\Users\Admin\AppData\Local\oyryrdkelqthapcvtbleleqxrydguncpigo.ryr

    Filesize

    4KB

    MD5

    181b1fb739fa1a8878a324bfdd5fa015

    SHA1

    08dac393714225c2843386c41ecd697c0fec2103

    SHA256

    343b71aba8083c9c46e8425f40d21a924a1c9437cfe99ef78795251e6faa48dd

    SHA512

    d0f663ff033bfd456b2eebe7a1e57bc7466047c482288338ce38c6e804cd3c7ae6c7f3e6b38ca735f7698fc872104cc428349bf9b8e52f33d131d866995190a4

  • C:\Windows\SysWOW64\ncamkbnmyiqjhbtruh.exe

    Filesize

    496KB

    MD5

    1402edfdcc8d1c5f9ec36eba012a8d37

    SHA1

    cfbe8acbaec2676015c7105032d1da134f31c1ab

    SHA256

    96c5aeea64be8ac8173f07a0f8c7d252a83eb2fad215160f36078829856c0def

    SHA512

    a9baa0af65f8c3893673becc7235a3641ba4db0ac850a120431d85c38768dd10ceeb2becc7b9983088b5c65fa644f9b2b1f72b03ab4893518b1e23263d0856d9

  • C:\sarwnxcuzcd.bat

    Filesize

    496KB

    MD5

    66c2974e4d4e293f27aee7af72bb89c7

    SHA1

    5351bf94c6ac1f4a7c76b18b6f1f7d8543c0a96d

    SHA256

    d0ffc434571d9f80ab9451fe2416d6963274a9a38a7d02ee873d3c541ba70544

    SHA512

    8b55c0c68e4a93233875aa60873aec5508dfaeea65e314f71b828785eb57bb9f3e5c9af24932683cc0fb3b3071d0120b20b02b6b54112b3bbf182df2a504f02d

  • \Users\Admin\AppData\Local\Temp\hiulyjawrse.exe

    Filesize

    320KB

    MD5

    134d068cc73ba4c3603bbd3e2a4cbe61

    SHA1

    f963b42b1dfde721b8e7a495aea206e34dca43a1

    SHA256

    a392af48ac00136ad4fb383c8c357e1d30d5802880c5dd47b9063860dd087bde

    SHA512

    50c57a317d58c0be8f0d89d3399f5e42b1cce9e504e5139cdc7fb4320150b4ec311e9b1b8643fc0075820981930241a52297efc5257750ac671b02e172f55eb8

  • \Users\Admin\AppData\Local\Temp\loaamr.exe

    Filesize

    740KB

    MD5

    83b22a30081165473641487d5725e1d5

    SHA1

    8fa117ca2b20b908d2e5981c0c936e0250d02bda

    SHA256

    71ec7832e99237ae3ede9231db507db60a71f0632117320234631d1e2cdae3ef

    SHA512

    09c76214caa129beb381eb1fd972f5ed5266fe2a443129ed6d1d9b1c60bee82ee80605186fa3335de6dfca9bde1e8bffdf9b4482c30fd91767aedde60db5aa2d