Analysis

  • max time kernel
    149s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24/07/2024, 00:58

General

  • Target

    69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe

  • Size

    1.0MB

  • MD5

    69a8abd71b135b53dbae1c43076902c1

  • SHA1

    d9f5c3c92f1996a972d2a8e2cbfa494a2598d960

  • SHA256

    14935216d45b2e4a4c0883237dadcd4489a2ab1b1e9908f1f54d383523a47012

  • SHA512

    cf06bf6501c0e0124d75189f47e80abd13295377718861d2c584e0b7a8c7d3d17a8713fa9b4a494aa2cafd239613cb6581c4a747c2e2fddedf56c82c8ef71655

  • SSDEEP

    24576:0J94Ob3Cx0i0o6zsday2COaHVHn/e6af4fVjbHomTOyzdI/CMgDb:0Jzyx0bsS2HVHn/VafeVjsuOkdI/M

Malware Config

Signatures

  • Modifies Windows Firewall 2 TTPs 8 IoCs

    All eight rules are inbound allow rules added through netsh with protocol=any on the public and private profiles, for programs under the user's Desktop, C:\Windows\debug, C:\Windows\AutoKMS and C:\Windows\Temp. One rule (ITx_kms_2) names a DLL, SppExtComObjHook.dll, as the program, an odd target since program rules match on the executable image of the process that owns the socket.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • UPX packed file 15 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • AutoIT Executable 14 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in Windows directory 28 IoCs
  • Access Token Manipulation: Create Process with Token 1 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 24 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. In this report the tag is attached to the eight netsh.exe invocations in the process tree, all of which add inbound firewall allow rules; none of the visible command lines registers a helper DLL, so read the tag as netsh.exe usage rather than as evidence of helper-DLL persistence.

  • System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\69a8abd71b135b53dbae1c43076902c1_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2612
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="ITx_updater_run" dir=in action=allow description="updater run without uac" program="C:\Users\Admin\Desktop\ITx__Updater.exe" enable=yes protocol=any profile=public,private
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3104
      • C:\Windows\SysWOW64\netsh.exe
        netsh advfirewall firewall add rule name="ITx_updater_run" dir=in action=allow description="updater run without uac" program="C:\Users\Admin\Desktop\ITx__Updater.exe" enable=yes protocol=any profile=public,private
        3⤵
        • Modifies Windows Firewall
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:3704
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="ITx_jobs_64" dir=in action=allow description="jobs 64" program="C:\Windows\debug\ITx_jobs_64bit_v5.exe" enable=yes protocol=any profile=public,private
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4900
      • C:\Windows\SysWOW64\netsh.exe
        netsh advfirewall firewall add rule name="ITx_jobs_64" dir=in action=allow description="jobs 64" program="C:\Windows\debug\ITx_jobs_64bit_v5.exe" enable=yes protocol=any profile=public,private
        3⤵
        • Modifies Windows Firewall
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:4104
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="ITx_runasti_64" dir=in action=allow description="runasti 64" program="C:\Windows\debug\ITx_RunAsTI_64bit_v5.exe" enable=yes protocol=any profile=public,private
      2⤵
      • Access Token Manipulation: Create Process with Token
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3000
      • C:\Windows\SysWOW64\netsh.exe
        netsh advfirewall firewall add rule name="ITx_runasti_64" dir=in action=allow description="runasti 64" program="C:\Windows\debug\ITx_RunAsTI_64bit_v5.exe" enable=yes protocol=any profile=public,private
        3⤵
        • Modifies Windows Firewall
        • Access Token Manipulation: Create Process with Token
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:1544
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="ITx_updater" dir=in action=allow description="updater ITx" program="C:\Users\Admin\Desktop\ITx_updater.exe" enable=yes protocol=any profile=public,private
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3964
      • C:\Windows\SysWOW64\netsh.exe
        netsh advfirewall firewall add rule name="ITx_updater" dir=in action=allow description="updater ITx" program="C:\Users\Admin\Desktop\ITx_updater.exe" enable=yes protocol=any profile=public,private
        3⤵
        • Modifies Windows Firewall
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:4768
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="ITx_kms_1" dir=in action=allow description="kms file 1" program="C:\Windows\AutoKMS\AutoKMS.exe" enable=yes protocol=any profile=public,private
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4388
      • C:\Windows\SysWOW64\netsh.exe
        netsh advfirewall firewall add rule name="ITx_kms_1" dir=in action=allow description="kms file 1" program="C:\Windows\AutoKMS\AutoKMS.exe" enable=yes protocol=any profile=public,private
        3⤵
        • Modifies Windows Firewall
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:4572
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="ITx_kms_2" dir=in action=allow description="kms file 2" program="C:\Windows\Temp\SppExtComObjHook.dll" enable=yes protocol=any profile=public,private
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:5004
      • C:\Windows\SysWOW64\netsh.exe
        netsh advfirewall firewall add rule name="ITx_kms_2" dir=in action=allow description="kms file 2" program="C:\Windows\Temp\SppExtComObjHook.dll" enable=yes protocol=any profile=public,private
        3⤵
        • Modifies Windows Firewall
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:3904
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="ITx_checker" dir=in action=allow description="Nu Ma Uita" program="C:\Windows\debug\NuMaUita.exe" enable=yes protocol=any profile=public,private
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2368
      • C:\Windows\SysWOW64\netsh.exe
        netsh advfirewall firewall add rule name="ITx_checker" dir=in action=allow description="Nu Ma Uita" program="C:\Windows\debug\NuMaUita.exe" enable=yes protocol=any profile=public,private
        3⤵
        • Modifies Windows Firewall
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:4756
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="ITx_downloader_updater" dir=in action=allow description="downloader updater" program="C:\Windows\debug\ITx_downloader_updater.exe" enable=yes protocol=any profile=public,private
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1796
      • C:\Windows\SysWOW64\netsh.exe
        netsh advfirewall firewall add rule name="ITx_downloader_updater" dir=in action=allow description="downloader updater" program="C:\Windows\debug\ITx_downloader_updater.exe" enable=yes protocol=any profile=public,private
        3⤵
        • Modifies Windows Firewall
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:1592
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x404 0x428
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3252
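
Detection logic over the process tree above, as an added example that is not part of the tria.ge report or of the sample: it parses `netsh advfirewall firewall add rule` command lines (also when wrapped in `cmd.exe /c`), scores each rule, and counts rule additions per parent process. The eight cmd.exe command lines from this report are embedded as constructed sample events with the PIDs shown in the tree; the benign control event (PIDs 7001 and 4242, program under Program Files) is constructed and not from the report. The trusted-directory list, the weights and the threshold are assumptions for illustration, not part of any vendor signature.

```python
"""Triage of netsh firewall-rule additions from a sandbox process tree (added example)."""
import re
from collections import Counter
from dataclasses import dataclass, field

# Matches `netsh advfirewall firewall add rule ...` whether netsh is the process
# itself or is wrapped in `cmd.exe /c ...`, as in this report.
ADD_RULE_RE = re.compile(r'netsh(?:\.exe)?"?\s+advfirewall\s+firewall\s+add\s+rule\b', re.I)
# netsh arguments are key=value; values may be double-quoted (spaces, paths).
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Assumption: directories from which a firewall "program" rule is unremarkable.
# Anything else (user profile, C:\Windows\Temp, C:\Windows\debug, ...) is scored.
TRUSTED_ROOTS = (
    "c:\\program files\\",
    "c:\\program files (x86)\\",
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
)


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass
class Finding:
    pid: int
    ppid: int
    rule_name: str
    program: str
    score: int
    reasons: list = field(default_factory=list)


def parse_add_rule(cmdline):
    """Return the key=value arguments of a `netsh advfirewall firewall add rule`
    command line (keys lower-cased), or None if the line is not one."""
    m = ADD_RULE_RE.search(cmdline)
    if not m:
        return None
    return {k.lower(): (q if q else u) for k, q, u in KV_RE.findall(cmdline[m.end():])}


def score_rule(args):
    """Score one parsed rule. Strong signals (+2): program outside TRUSTED_ROOTS,
    or a 'program' that is not an .exe. Weak signals (+1): inbound allow on the
    public profile, protocol=any. Weights are an assumption for illustration."""
    reasons, score = [], 0
    program = args.get("program", "").lower()
    if program and not program.startswith(TRUSTED_ROOTS):
        reasons.append("program outside trusted install directories")
        score += 2
    if program and not program.endswith(".exe"):
        reasons.append("program path is not an executable")
        score += 2
    if (args.get("action", "").lower() == "allow" and args.get("dir", "").lower() == "in"
            and "public" in args.get("profile", "").lower()):
        reasons.append("inbound allow on public profile")
        score += 1
    if args.get("protocol", "").lower() == "any":
        reasons.append("protocol=any with no port restriction")
        score += 1
    return score, reasons


def scan(events, threshold=2):
    """Return a Finding for every add-rule event whose score reaches threshold."""
    findings = []
    for ev in events:
        args = parse_add_rule(ev.cmdline)
        if args is None:
            continue
        score, reasons = score_rule(args)
        if score >= threshold:
            findings.append(Finding(ev.pid, ev.ppid, args.get("name", ""),
                                    args.get("program", ""), score, reasons))
    return findings


def add_rule_counts_by_parent(events):
    """Count add-rule commands per parent PID: one parent issuing a burst of them
    (here PID 2612 issuing eight) is a signal independent of per-rule scoring."""
    return Counter(ev.ppid for ev in events if parse_add_rule(ev.cmdline) is not None)


# Constructed sample events: the eight cmd.exe command lines from this report
# (PIDs and parent 2612 as in the process tree), plus one constructed benign
# control (PIDs 7001/4242, not from the report) that should not be flagged.
_CMD = ('C:\\Windows\\system32\\cmd.exe /c netsh advfirewall firewall add rule name="{n}" '
        'dir=in action=allow description="{d}" program="{p}" enable=yes protocol=any '
        'profile=public,private')
_REPORT_RULES = [
    (3104, "ITx_updater_run", "updater run without uac", "C:\\Users\\Admin\\Desktop\\ITx__Updater.exe"),
    (4900, "ITx_jobs_64", "jobs 64", "C:\\Windows\\debug\\ITx_jobs_64bit_v5.exe"),
    (3000, "ITx_runasti_64", "runasti 64", "C:\\Windows\\debug\\ITx_RunAsTI_64bit_v5.exe"),
    (3964, "ITx_updater", "updater ITx", "C:\\Users\\Admin\\Desktop\\ITx_updater.exe"),
    (4388, "ITx_kms_1", "kms file 1", "C:\\Windows\\AutoKMS\\AutoKMS.exe"),
    (5004, "ITx_kms_2", "kms file 2", "C:\\Windows\\Temp\\SppExtComObjHook.dll"),
    (2368, "ITx_checker", "Nu Ma Uita", "C:\\Windows\\debug\\NuMaUita.exe"),
    (1796, "ITx_downloader_updater", "downloader updater", "C:\\Windows\\debug\\ITx_downloader_updater.exe"),
]
SAMPLE_EVENTS = [ProcEvent(pid, 2612, "C:\\Windows\\SysWOW64\\cmd.exe", _CMD.format(n=n, d=d, p=p))
                 for pid, n, d, p in _REPORT_RULES]
SAMPLE_EVENTS.append(ProcEvent(7001, 4242, "C:\\Windows\\System32\\netsh.exe",
    'netsh advfirewall firewall add rule name="Example App" dir=in action=allow '
    'program="C:\\Program Files\\Example\\app.exe" enable=yes protocol=tcp localport=8443 profile=private'))

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"pid={f.pid} ppid={f.ppid} score={f.score} {f.rule_name} -> {f.program}: {'; '.join(f.reasons)}")
    print("add-rule commands per parent:", dict(add_rule_counts_by_parent(SAMPLE_EVENTS)))
```

Run as a script it prints the eight flagged rules (the DLL rule scores highest) and the per-parent count, which is the second signal worth alerting on: the per-rule scoring would also catch a single rule from a lone installer, but eight inbound allow rules issued by one process in a few seconds is a pattern that rarely has a benign explanation. To run it over real telemetry, build ProcEvent objects from Sysmon Event ID 1 or EDR process-creation records and pass them to scan().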

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\debug\downloads\ITx_updater.ini

    Filesize

    435B

    MD5

    b9949ee1474ff64ab49797d1b600cd5a

    SHA1

    af3773cd67e5ef6fd3946ec637df012fbe92b859

    SHA256

    f95b9589c1c5e331707503e48a4c818745c4a8a0477b1bb517c5c609f7a14094

    SHA512

    8c6835a12f019aa9668f765d2218bd55cf99e2ee4e2202641cfc5a4ffa8b1ee42257c2705dc903a3aca1e9f9511b85d3fc17017b95c1a5ae6be62e9d8ac43970

  • memory/2612-N-0x0000000000400000-0x0000000000496000-memory.dmp (N = 0, 76, 104, 105, 106, 107, 108, 109, 110, 111, 112, 113, 114, 115, 116)

    Filesize

    600KB each: 15 dumps of the same 0x400000 to 0x496000 region of the main sample (PID 2612). 0x400000 is the default image base of a 32-bit PE, and the count lines up with the 15 IoCs of the UPX packed file signature above.