Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags
    arch:x64 arch:x86 image:win10v2004-20240611-en locale:en-us os:windows10-2004-x64 system
  • submitted
    27/06/2024, 00:20

General

  • Target

    1402edfdcc8d1c5f9ec36eba012a8d37_JaffaCakes118.exe

  • Size

    496KB

  • MD5

    1402edfdcc8d1c5f9ec36eba012a8d37

  • SHA1

    cfbe8acbaec2676015c7105032d1da134f31c1ab

  • SHA256

    96c5aeea64be8ac8173f07a0f8c7d252a83eb2fad215160f36078829856c0def

  • SHA512

    a9baa0af65f8c3893673becc7235a3641ba4db0ac850a120431d85c38768dd10ceeb2becc7b9983088b5c65fa644f9b2b1f72b03ab4893518b1e23263d0856d9

  • SSDEEP

    6144:aKEGlVcJboOtGY8q75yKC2qJDrNRlpwPBYgZ9fVU93eJwN6QFbSpO4XcA2n4aA8:aKr3QboC9qLGKgZKe4HYpHvcbT

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 4 IoCs
  • UAC bypass 3 TTPs 13 IoCs
  • Adds policy Run key to start application 2 TTPs 27 IoCs
  • Disables RegEdit via registry modification 6 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 64 IoCs
  • Checks whether UAC is enabled 1 TTPs 8 IoCs
  • Looks up external IP address via web service 7 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops autorun.inf file 1 TTPs 4 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 32 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 32 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • System policy modification 1 TTPs 41 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1402edfdcc8d1c5f9ec36eba012a8d37_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\1402edfdcc8d1c5f9ec36eba012a8d37_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2368
    • C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe
      "C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe" "c:\users\admin\appdata\local\temp\1402edfdcc8d1c5f9ec36eba012a8d37_jaffacakes118.exe*"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Disables RegEdit via registry modification
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:644
      • C:\Users\Admin\AppData\Local\Temp\jrzznr.exe
        "C:\Users\Admin\AppData\Local\Temp\jrzznr.exe" "-C:\Users\Admin\AppData\Local\Temp\vnfpnblhqivnqvgk.exe"
        3⤵
        • Modifies WinLogon for persistence
        • UAC bypass
        • Adds policy Run key to start application
        • Disables RegEdit via registry modification
        • Executes dropped EXE
        • Impair Defenses: Safe Mode Boot
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Drops autorun.inf file
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • System policy modification
        PID:2704
      • C:\Users\Admin\AppData\Local\Temp\jrzznr.exe
        "C:\Users\Admin\AppData\Local\Temp\jrzznr.exe" "-C:\Users\Admin\AppData\Local\Temp\vnfpnblhqivnqvgk.exe"
        3⤵
        • Modifies WinLogon for persistence
        • UAC bypass
        • Adds policy Run key to start application
        • Disables RegEdit via registry modification
        • Executes dropped EXE
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System policy modification
        PID:2080
    • C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe
      "C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe" "c:\users\admin\appdata\local\temp\1402edfdcc8d1c5f9ec36eba012a8d37_jaffacakes118.exe"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System policy modification
      PID:416

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\zbdxfdxdwyvxkzuixczbdx.dxd

    Filesize

    280B

    MD5

    64814025f1cdb96524d5d0dfa9db0955

    SHA1

    904de8cc347d83f922ee8c74ef2744a0cd6d11ce

    SHA256

    c3f87754f6c9c0f1bd902e2cd9e948a17a37661162cc624ae58399e6aaec29b2

    SHA512

    74441208e71375849a268382cf76e176fa881378276ba8d33a364ad9b3409fd215e2ce453e29814d4f6954a4993ef4d82f2ec2b8629a8898543bf406c006bee6

  • C:\Program Files (x86)\zbdxfdxdwyvxkzuixczbdx.dxd

    Filesize

    280B

    MD5

    799bcd86da8921e7bf5b88bc67f60198

    SHA1

    00c46280c1952bdc1da57932b366e993b7aed0ce

    SHA256

    4b089cddd5e042e726c589b83eeb8f185bcffc1a6782500161b5a76882d9849d

    SHA512

    37d565b69dc38fe8df5f8ce6e7c176925b5c2799e3045c7d1f27b93507abf1f6784b81ef013e70afb3cd3f12c198edb5fcb8b1234013bc5c6ef21802199ee9db

  • C:\Program Files (x86)\zbdxfdxdwyvxkzuixczbdx.dxd

    Filesize

    280B

    MD5

    8a25d67b1dc82cb6563a6eb2beeaafcc

    SHA1

    c31c5dfa1f21f23a877464a2bd96a2031ba95c25

    SHA256

    50ca49b6491e1f27e0e430ca3529b8fcc0c3fd69890daf618b2969bb4ca95037

    SHA512

    bf379bc858d9a73689449146ff8efc8632760dc84cb681c781837f667908e3984880cac0c976eb0a1d2e43327b8078d49c2f13164628ecb95933e9739d4362f6

  • C:\Program Files (x86)\zbdxfdxdwyvxkzuixczbdx.dxd

    Filesize

    280B

    MD5

    cde79bdda4555b800aa4d1cc00e5c415

    SHA1

    9fa0b04dbb61cae742de7791bc7666da4d516126

    SHA256

    ca5450ae48b78e9eb9ce225103d5c0ebc53693220364968858d28f79fc79a427

    SHA512

    e96b02169be8160399dafd9e53329df61bb0d500d1fc44892bf92ee773a111425532b1d89ef79097f4988f60d540f73133b45775478e230cbc4f263ed5898b94

  • C:\Program Files (x86)\zbdxfdxdwyvxkzuixczbdx.dxd

    Filesize

    280B

    MD5

    291960a9af7c524780bef3576fd7d53c

    SHA1

    ad66e4b8375cd70c4534b7a776bc017fa74eb1f3

    SHA256

    a43d64f9a41db0a13dc4f3311ee0999b9a4b1f712d99521a72680b0519b26eeb

    SHA512

    4547fc5293c49b403b5e92518ee4086ab9886d8e75098b21d9eb103a7e52a4369a6fdfb6c323b1d1468bfef6fe03ca3de3dd21b136c0b769083b128f594234fb

  • C:\Program Files (x86)\zbdxfdxdwyvxkzuixczbdx.dxd

    Filesize

    280B

    MD5

    d6b2158244c6cd8d9d2e76f886cf0c45

    SHA1

    f17f62372560bffe2a843210f80907c211933e13

    SHA256

    89534a66ebb144f14dc4474fb6192f4004b0836949704d72ea43d41ad1a1ca15

    SHA512

    590371aabb237f7af43253cbf4cb8d10b07677854f2c796c0c1b056a85f5353215ecac75f406577d9ce3ce0c4d4e1e95dcfb928594136be6ddb55bd9dc59ca22

  • C:\Program Files (x86)\zbdxfdxdwyvxkzuixczbdx.dxd

    Filesize

    280B

    MD5

    4a5bd3643ab425590d08fae093ce9691

    SHA1

    1945915eae5b4873a970dd048018ee84a6f05108

    SHA256

    d6bf3b96bf1743894436955d575f67f161b02c875520328d090b01d42af18819

    SHA512

    d34de0c0b5879795842ad176e401c5206af9254cb49dcd387a6a58eedce584f2d8e25338e4ed47cb2cbec7cb69235b051f3cc10f0eae06241e13a115915bb69a

  • C:\Users\Admin\AppData\Local\Temp\jrzznr.exe

    Filesize

    728KB

    MD5

    812a7f266902a0708d3a45f13d56295e

    SHA1

    24807ab9314718a1635f94ea37113ef3b6f0348d

    SHA256

    ed693666e371f7704f2d5541c7aeed7fc0b3043608cbac43b7d25ba8f36b2a8b

    SHA512

    9a8edd0565ab91684188133711556e5407f4cf429b19fd823a0e9795873dfc2689649642e2bb3a08150864274177edc73ad9e16fc3190eaeb51f830c46929a2b

  • C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe

    Filesize

    320KB

    MD5

    56be524c2d0d736eee7f97eaeac18b8e

    SHA1

    e2376a438df7ac4229e56716b9ec1207bc0abcea

    SHA256

    72b7cd8421c04d1d3b4f46011115cdbba630c2a656baba229ce51c0891d061f7

    SHA512

    9d9ca2415281c5caf8ea596558d430b6405e1e3d8b5e557a211c09dab9eb428fe7ad08d084941d04bfb7705c7efac396335aac57dfc41fae5947f85cf56ba5f5

  • C:\Users\Admin\AppData\Local\qdqvoxctxksfddjiiygtglensjnaivttz.yow

    Filesize

    4KB

    MD5

    7e3903c9f0a3e42bef254721daf74ff8

    SHA1

    229b5e479dcc9c564d5f531a0bbb899f1124336f

    SHA256

    63ef88e924f22a3ce1bebbf668db697ebd126fa9596b2df24232615fcfc1dcb7

    SHA512

    2eab31e30f338cc848a577a3a70fb7ac53a3177feaa27240cdf6980a308a348f9d53a8346e20368edd4c8630bb221821a428fafc35e19713347f0a65d7f42df1

  • C:\Users\Admin\AppData\Local\zbdxfdxdwyvxkzuixczbdx.dxd

    Filesize

    280B

    MD5

    5c414493f2339a3e7c45dad02151c453

    SHA1

    7a8e868c2c51668306e9bfa3010b645148160a86

    SHA256

    58356979579d1b9a838e34cac313919cd5efe6e4b44e37e6843379435d453e31

    SHA512

    8210f5a8ca09b987c1ef7ce18477dff90ed7a10790c352711b4625f8733694cef306ce6ad962772ebd43ccb43e1d0fd980914da8f816688267f518c5b9f73dec

  • C:\Windows\SysWOW64\lfzllbnlwqfzelyeli.exe

    Filesize

    496KB

    MD5

    1402edfdcc8d1c5f9ec36eba012a8d37

    SHA1

    cfbe8acbaec2676015c7105032d1da134f31c1ab

    SHA256

    96c5aeea64be8ac8173f07a0f8c7d252a83eb2fad215160f36078829856c0def

    SHA512

    a9baa0af65f8c3893673becc7235a3641ba4db0ac850a120431d85c38768dd10ceeb2becc7b9983088b5c65fa644f9b2b1f72b03ab4893518b1e23263d0856d9