Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

3

47a91b5977...18.exe

windows7-x64

7

47a91b5977...18.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    150s
  • max time network
    123s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15/07/2024, 01:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    47a91b5977ae37d569959af59a336c40_JaffaCakes118.exe

  • Size

    859KB

  • MD5

    47a91b5977ae37d569959af59a336c40

  • SHA1

    e4657211489bfb52c32c83bae99a9b650292bda9

  • SHA256

    168724fb7e0800b37d13e77cb330269d8e14d148c42ad3f8187eaaa314b55634

  • SHA512

    2ed539ec166ba394c715662eccbc3aaaaa970929557c2b920e9112108297c26af02c014875032da36fc4165ba225fc97150c111225439e1abde876f26640bb30

  • SSDEEP

    24576:BYZ6wn7I5umaj2HQcb43MxpjtAHEhKnOBW:BYZn7IzaSHZU8jqkW

Score
8/10
bootkitpersistence

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 6 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 33 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 11 IoCs
  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\47a91b5977ae37d569959af59a336c40_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\47a91b5977ae37d569959af59a336c40_JaffaCakes118.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:2940
    • C:\ProgramData\isecurity.exe
      C:\ProgramData\isecurity.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Enumerates connected drives
      • Writes to the Master Boot Record (MBR)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:2232
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2232 -s 868
        3⤵
        • Program crash
        PID:2908
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2232 -s 904
        3⤵
        • Program crash
        PID:2096
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2232 -s 1148
        3⤵
        • Program crash
        PID:1872
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2232 -s 1156
        3⤵
        • Program crash
        PID:2344
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2232 -s 1204
        3⤵
        • Program crash
        PID:4376
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2232 -s 1148
        3⤵
        • Program crash
        PID:2452
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2232 -s 1308
        3⤵
        • Program crash
        PID:2500
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2232 -s 1300
        3⤵
        • Program crash
        PID:836
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2232 -s 1300
        3⤵
        • Program crash
        PID:316
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2232 -s 1752
        3⤵
        • Program crash
        PID:1656
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2232 -s 1212
        3⤵
        • Program crash
        PID:4708
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2232 -ip 2232
    1⤵
      PID:1940
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2232 -ip 2232
      1⤵
        PID:1080
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2232 -ip 2232
        1⤵
          PID:4152
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2232 -ip 2232
          1⤵
            PID:2496
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2232 -ip 2232
            1⤵
              PID:920
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2232 -ip 2232
              1⤵
                PID:2520
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2232 -ip 2232
                1⤵
                  PID:4932
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2232 -ip 2232
                  1⤵
                    PID:444
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2232 -ip 2232
                    1⤵
                      PID:4596
                    • C:\Windows\system32\sihost.exe
                      sihost.exe
                      1⤵
                      • Modifies registry class
                      • Suspicious use of FindShellTrayWindow
                      • Suspicious use of WriteProcessMemory
                      PID:4488
                      • C:\Windows\explorer.exe
                        explorer.exe /LOADSAVEDWINDOWS
                        2⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Enumerates connected drives
                        • Checks SCSI registry key(s)
                        • Modifies registry class
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of FindShellTrayWindow
                        • Suspicious use of SendNotifyMessage
                        PID:3500
                    • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
                      "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
                      1⤵
                      • Modifies data under HKEY_USERS
                      • Suspicious use of SetWindowsHookEx
                      PID:3836
                    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                      1⤵
                      • Modifies registry class
                      • Suspicious use of SetWindowsHookEx
                      PID:5108
                    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                      1⤵
                        PID:4336
                      • C:\Windows\system32\sihost.exe
                        sihost.exe
                        1⤵
                        • Suspicious use of FindShellTrayWindow
                        • Suspicious use of WriteProcessMemory
                        PID:1700
                        • C:\Windows\explorer.exe
                          explorer.exe /LOADSAVEDWINDOWS
                          2⤵
                          • Boot or Logon Autostart Execution: Active Setup
                          • Enumerates connected drives
                          • Checks SCSI registry key(s)
                          • Modifies registry class
                          • Suspicious use of AdjustPrivilegeToken
                          • Suspicious use of FindShellTrayWindow
                          • Suspicious use of SendNotifyMessage
                          PID:3756
                      • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
                        "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
                        1⤵
                        • Modifies data under HKEY_USERS
                        • Suspicious use of SetWindowsHookEx
                        PID:4552
                      • C:\Windows\system32\sihost.exe
                        sihost.exe
                        1⤵
                        • Suspicious use of FindShellTrayWindow
                        • Suspicious use of WriteProcessMemory
                        PID:316
                        • C:\Windows\explorer.exe
                          explorer.exe /LOADSAVEDWINDOWS
                          2⤵
                          • Boot or Logon Autostart Execution: Active Setup
                          • Enumerates connected drives
                          • Checks SCSI registry key(s)
                          • Modifies registry class
                          • Suspicious use of AdjustPrivilegeToken
                          • Suspicious use of FindShellTrayWindow
                          • Suspicious use of SendNotifyMessage
                          PID:4236
                      • C:\Windows\system32\sihost.exe
                        sihost.exe
                        1⤵
                        • Suspicious use of FindShellTrayWindow
                        • Suspicious use of WriteProcessMemory
                        PID:1492
                        • C:\Windows\explorer.exe
                          explorer.exe /LOADSAVEDWINDOWS
                          2⤵
                          • Boot or Logon Autostart Execution: Active Setup
                          • Enumerates connected drives
                          • Checks SCSI registry key(s)
                          • Modifies registry class
                          • Suspicious use of AdjustPrivilegeToken
                          • Suspicious use of FindShellTrayWindow
                          • Suspicious use of SendNotifyMessage
                          PID:376
                      • C:\Windows\system32\sihost.exe
                        sihost.exe
                        1⤵
                        • Suspicious use of WriteProcessMemory
                        PID:4844
                        • C:\Windows\explorer.exe
                          explorer.exe /LOADSAVEDWINDOWS
                          2⤵
                          • Boot or Logon Autostart Execution: Active Setup
                          • Enumerates connected drives
                          • Checks SCSI registry key(s)
                          • Modifies registry class
                          • Suspicious use of AdjustPrivilegeToken
                          • Suspicious use of SendNotifyMessage
                          PID:1524
                      • C:\Windows\system32\sihost.exe
                        sihost.exe
                        1⤵
                        • Suspicious use of WriteProcessMemory
                        PID:4360
                        • C:\Windows\explorer.exe
                          explorer.exe /LOADSAVEDWINDOWS
                          2⤵
                          • Boot or Logon Autostart Execution: Active Setup
                          • Enumerates connected drives
                          • Checks SCSI registry key(s)
                          • Modifies registry class
                          • Suspicious use of SetWindowsHookEx
                          PID:3768
                      • C:\Windows\SysWOW64\WerFault.exe
                        C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2232 -ip 2232
                        1⤵
                          PID:4152
                        • C:\Windows\SysWOW64\WerFault.exe
                          C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2232 -ip 2232
                          1⤵
                            PID:400

                          Network

                          MITRE ATT&CK Enterprise v15

                          Replay Monitor

                          Loading Replay Monitor...

                          Downloads

                          • C:\ProgramData\isecurity.exe
                            Filesize

                            852KB

                            MD5

                            3b7d1d2b1a6b25bf101d5ea10a74bc28

                            SHA1

                            489519c9c131607d1fceda90e10a62a81670ae6b

                            SHA256

                            f6c18e427735de4da48218875064a6ed09521265685f8e659c36072a1f0a1d26

                            SHA512

                            c2dc268a57751ffc2416fd9787f1931b783f7d9721341e12f34a8fb9fa7645e828e308249b3c385920b6e5dce75cfe6417a9294262aaa7fad17a4cb136de7a8e

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat
                            Filesize

                            1022B

                            MD5

                            815f6c0bd6f47254cc9daa7864a77651

                            SHA1

                            801888b8ba78a58c76e8a5ec7c707fc7688f5414

                            SHA256

                            8eb11c68d711a394f4154007ddf1f6fb87c13d8bbf846b43716cf0b0fad8196e

                            SHA512

                            aff2fb237e662e0998fc2e6df932ca3dc2913a5877efa868d6f9027f22600622351ccba09780d80ccdc248cf590f67580f04376a15977697ec560ae0a101b521

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Temp\{464EB63E-52EB-4CBD-850F-DCF743AF9E6D}.png
                            Filesize

                            6KB

                            MD5

                            099ba37f81c044f6b2609537fdb7d872

                            SHA1

                            470ef859afbce52c017874d77c1695b7b0f9cb87

                            SHA256

                            8c98c856e4d43f705ff9a5c9a55f92e1885765654912b4c75385c3ea2fdef4a7

                            SHA512

                            837e1ad7fe4f5cbc0a87f3703ba211c18f32b20df93b23f681cbd0390d8077adba64cf6454a1bb28df1f7df4cb2cdc021d826b6ef8db890e40f21d618d5eb07a

                            Download Submit

                          • C:\Users\Public\Desktop\Internet Security.lnk
                            Filesize

                            682B

                            MD5

                            2321027e846aba58590ac0bc3d298455

                            SHA1

                            68e0f7045ee71d55f0c2ce3da9c97cbcc625af05

                            SHA256

                            ad3ae3fef165dc371d31c98198dd6d5d64e0ae004c893e38faaca383296af1a9

                            SHA512

                            d1c012b457988e2df0b366d5c0378ab8a548f884237508b214772cb156b2aafd0d3e89e908f88264321a3bc8cbdc8e654777253ab4edaef261ef3e71c3843083

                            Download Submit

                          • memory/2232-55-0x0000000000400000-0x0000000000A42000-memory.dmp

                            Filesize

                            6.3MB

                            Download

                          • memory/2232-73-0x0000000000400000-0x0000000000A42000-memory.dmp

                            Filesize

                            6.3MB

                            Download

                          • memory/2232-16-0x0000000000400000-0x0000000000A42000-memory.dmp

                            Filesize

                            6.3MB

                            Download

                          • memory/2232-17-0x0000000000400000-0x0000000000A42000-memory.dmp

                            Filesize

                            6.3MB

                            Download

                          • memory/2232-18-0x0000000000400000-0x0000000000A42000-memory.dmp

                            Filesize

                            6.3MB

                            Download

                          • memory/2232-19-0x0000000000400000-0x0000000000A42000-memory.dmp

                            Filesize

                            6.3MB

                            Download

                          • memory/2232-87-0x0000000000400000-0x0000000000A42000-memory.dmp

                            Filesize

                            6.3MB

                            Download

                          • memory/2232-86-0x0000000000400000-0x0000000000A42000-memory.dmp

                            Filesize

                            6.3MB

                            Download

                          • memory/2232-85-0x0000000000400000-0x0000000000A42000-memory.dmp

                            Filesize

                            6.3MB

                            Download

                          • memory/2232-38-0x0000000000400000-0x0000000000A42000-memory.dmp

                            Filesize

                            6.3MB

                            Download

                          • memory/2232-84-0x0000000000400000-0x0000000000A42000-memory.dmp

                            Filesize

                            6.3MB

                            Download

                          • memory/2232-54-0x0000000000400000-0x0000000000A42000-memory.dmp

                            Filesize

                            6.3MB

                            Download

                          • memory/2232-81-0x0000000000400000-0x0000000000A42000-memory.dmp

                            Filesize

                            6.3MB

                            Download

                          • memory/2232-56-0x0000000000400000-0x0000000000A42000-memory.dmp

                            Filesize

                            6.3MB

                            Download

                          • memory/2232-63-0x0000000000400000-0x0000000000A42000-memory.dmp

                            Filesize

                            6.3MB

                            Download

                          • memory/2232-64-0x0000000000400000-0x0000000000A42000-memory.dmp

                            Filesize

                            6.3MB

                            Download

                          • memory/2232-80-0x0000000000400000-0x0000000000A42000-memory.dmp

                            Filesize

                            6.3MB

                            Download

                          • memory/2232-71-0x0000000000400000-0x0000000000A42000-memory.dmp

                            Filesize

                            6.3MB

                            Download

                          • memory/2232-72-0x0000000000400000-0x0000000000A42000-memory.dmp

                            Filesize

                            6.3MB

                            Download

                          • memory/2232-14-0x0000000000400000-0x0000000000A42000-memory.dmp

                            Filesize

                            6.3MB

                            Download

                          • memory/2232-74-0x0000000000400000-0x0000000000A42000-memory.dmp

                            Filesize

                            6.3MB

                            Download

                          • memory/2232-79-0x0000000000400000-0x0000000000A42000-memory.dmp

                            Filesize

                            6.3MB

                            Download

                          • memory/2940-1-0x0000000000400000-0x0000000000507000-memory.dmp

                            Filesize

                            1.0MB

                            Download

                          • memory/2940-0-0x0000000000487000-0x0000000000488000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/2940-2-0x0000000000400000-0x0000000000507000-memory.dmp

                            Filesize

                            1.0MB

                            Download

                          • memory/2940-7-0x0000000000400000-0x0000000000507000-memory.dmp

                            Filesize

                            1.0MB

                            Download

                          • memory/3500-32-0x0000000004B70000-0x0000000004B71000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/3768-52-0x0000000002740000-0x0000000002741000-memory.dmp

                            Filesize

                            4KB

                            Download