Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

70af1a0f5e...18.exe

windows7-x64

10

70af1a0f5e...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    27/07/2024, 12:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    70af1a0f5edd633a967b6b424409c016_JaffaCakes118.exe

  • Size

    1.2MB

  • MD5

    70af1a0f5edd633a967b6b424409c016

  • SHA1

    c0c8ddc109da87f22126b991ce9aae2a0a666aee

  • SHA256

    43d9e3dc473784bc870edcc9507f5626d222217d0e529a03107d45a570615b2f

  • SHA512

    1f64e61aee1dfe3fad44ffe56f4b82367644160547dcdebef92ebfe1d335e244650aed4326772fef1fde96cae94895b0bc82b90aa6ff4d91bc9109c9542a2609

  • SSDEEP

    12288:xCTPgrnZiJiAaMVkUet7EwBI+APutDrVkP+xnXOBI+AM0u53XC1t:xCTPMAzVkUetVI5ut/VkP+x6IS0u53et

Score
10/10
discoveryevasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 3 IoCs
    persistence
  • Modifies visibility of file extensions in Explorer 2 TTPs 2 IoCs
    evasion
  • Disables use of System Restore points 1 TTPs
    evasion
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 8 IoCs
  • Modifies system executable filetype association 2 TTPs 2 IoCs
    persistence
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops desktop.ini file(s) 64 IoCs
  • Enumerates connected drives 3 TTPs 42 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 64 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 6 IoCs
  • Drops file in Program Files directory 6 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Control Panel 6 IoCs
    evasion
  • Modifies registry class 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\70af1a0f5edd633a967b6b424409c016_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\70af1a0f5edd633a967b6b424409c016_JaffaCakes118.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Loads dropped DLL
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1720
    • C:\Users\Admin\AppData\Local\Temp\inf4D2.tmp
      C:\Users\Admin\AppData\Local\Temp\inf4D2.tmp
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2792
    • C:\Documents and Settings\Admin\Local Settings\huzksf.exe
      "C:\Documents and Settings\Admin\Local Settings\huzksf.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Drops desktop.ini file(s)
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:756
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 756 -s 452
        3⤵
        • Loads dropped DLL
        • Program crash
        PID:2996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

1
T1091

Execution

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Event Triggered Execution

1
T1546

Change Default File Association

1
T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Event Triggered Execution

1
T1546

Change Default File Association

1
T1546.001

Defense Evasion

Hide Artifacts

1
T1564

Hidden Files and Directories

1
T1564.001

Modify Registry

4
T1112

Credential Access

Discovery

Peripheral Device Discovery

1
T1120

Query Registry

1
T1012

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Replication Through Removable Media

1
T1091

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

1
T1490

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Mr_CoolFace.scr
    Filesize

    1.2MB

    MD5

    70af1a0f5edd633a967b6b424409c016

    SHA1

    c0c8ddc109da87f22126b991ce9aae2a0a666aee

    SHA256

    43d9e3dc473784bc870edcc9507f5626d222217d0e529a03107d45a570615b2f

    SHA512

    1f64e61aee1dfe3fad44ffe56f4b82367644160547dcdebef92ebfe1d335e244650aed4326772fef1fde96cae94895b0bc82b90aa6ff4d91bc9109c9542a2609

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Autorun.inf
    Filesize

    97B

    MD5

    e0b7531a87635a0a11dbd9edc02c7bed

    SHA1

    74a50849add50351da332164cbf0ae74a43ce8fe

    SHA256

    20e16cf8b48b2bf3adc59251e7dc293c39eb87922d267a768a403fb76f13d765

    SHA512

    e6cbf6e11ad29d17c219ca44ebbcb43adb76bef3d688f38e43520faded492caff162e249bd477f5441858a26eb567c3f70be3cf3cc181a2fb62aaae4efd23c67

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winlogon.exe
    Filesize

    6B

    MD5

    ec6d94b09549985c04cff9abf86160c5

    SHA1

    494c48927a9453d9f3bead98e70a04d7c9a1fd88

    SHA256

    306a4c0586330df230773a5a1fd7548fe2f81777fc302f2c1d8b32822d4da292

    SHA512

    4072d0b19497115bebd7bc073ca1a6059853829b07b9f42b1a5e88d18753d0b07f562a6925ef9c0a844c7574a20a21b39cd0f50c4985db4b445bc3536175a29a

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Mr_CF\Desktop.ini
    Filesize

    212B

    MD5

    ca815edf2e481dd83bd0cff16caaf7a7

    SHA1

    523fa767fac1b4061762c0262d4bc09a1fa7dddf

    SHA256

    f2566afa47cadf4017f82ee80f11355989fd722fbbbbed1954392bbe2aa2b352

    SHA512

    cef1cf04432326393cd700b6c9c4d3d816a61505a3ba99bafc935ffd52a78635130a752d091dd6511d9781ac9458a404bcfc69ca0cdec55da418b3b8bf9dace2

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Mr_CF\Folder.htt
    Filesize

    631B

    MD5

    5313060d847a33c356e4e8e286e3de73

    SHA1

    d2b5e89f1fbb96895371e1cde7997ff76814ea9e

    SHA256

    ee482ee2540efc03f1cba611170096f68e14fd4d39bdc8650f3ef6900799fafc

    SHA512

    8c90a8fd5372dadfe95df1deb07bbd14355620dd067b2cce58f76230e2f99129daf65ddc056cab0902ab2b70a4b838a484f62f37b0436e21a963dd1156f551b0

    Download Submit

  • C:\Windows\SysWOW64\Mr_CoolFace.scr
    Filesize

    1B

    MD5

    6f8f57715090da2632453988d9a1501b

    SHA1

    6b0d31c0d563223024da45691584643ac78c96e8

    SHA256

    62c66a7a5dd70c3146618063c344e531e6d4b59e379808443ce962b3abd63c5a

    SHA512

    f14aae6a0e050b74e4b7b9a5b2ef1a60ceccbbca39b132ae3e8bf88d3a946c6d8687f3266fd2b626419d8b67dcf1d8d7c0fe72d4919d9bd05efbd37070cfb41a

    Download Submit

  • C:\explorer.exe
    Filesize

    1B

    MD5

    e1671797c52e15f763380b45e841ec32

    SHA1

    58e6b3a414a1e090dfc6029add0f3555ccba127f

    SHA256

    3f79bb7b435b05321651daefd374cdc681dc06faa65e374e38337b88ca046dea

    SHA512

    87c568e037a5fa50b1bc911e8ee19a77c4dd3c22bce9932f86fdd8a216afe1681c89737fada6859e91047eece711ec16da62d6ccb9fd0de2c51f132347350d8c

    Download Submit

  • \Users\Admin\AppData\Local\Temp\inf4D2.tmp
    Filesize

    117KB

    MD5

    9c45d38b74634c9ded60bec640c5c3ca

    SHA1

    79d03b17ce9e7ff9595253a402efb856b0888ea0

    SHA256

    bcff89311d792f6428468e813ac6929a346a979f907071c302f418d128eaaf41

    SHA512

    1afa4ac8d5d9c7913d536f158573c669795bad449df0132f87dcc91f6ffcae989ed1c7cec6b4f6f75d3a8bd60a65e15eaa22afea7df7dee46cf40e093bb29a08

    Download Submit

  • memory/756-398-0x0000000000400000-0x0000000000435000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1720-167-0x0000000000400000-0x0000000000435000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1720-197-0x0000000000400000-0x0000000000435000-memory.dmp

    Filesize

    212KB

    Download