Analysis

  • max time kernel
    145s
  • max time network
    137s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13/08/2024, 17:25

General

  • Target

    9408b6cd8ac1e4e6208e4ee07bf79736_JaffaCakes118.exe

  • Size

    277KB

  • MD5

    9408b6cd8ac1e4e6208e4ee07bf79736

  • SHA1

    b45dc0d049d71e802b69e66fd851f96029b15d8b

  • SHA256

    e8a5ae606ef639d020de48c954f3d43ff463a6e045d05a331ebc1a5088aada1b

  • SHA512

    243848be4aa9a29f1cc52aa51c6a172b50225f352f012bea58f0ad4f126c719a2589f322aef881343fe694801738922f9f34af9fc97b17aa45ec177b8801e298

  • SSDEEP

    6144:W8+/V1fTvXcO217yj61Pxijls3NM+mFSyu9ezbypHv4+Rv6SFo7jVvvw:B+/V1fTfcv5yQPxij+aFSFevcHjRQNw

Malware Config

Signatures

  • Modifies security service 2 TTPs 1 IoCs
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, the web browser credential store.

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 3 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Disables taskbar notifications via registry modification
  • Executes dropped EXE 1 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steals credentials from unsecured files.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates connected drives 3 TTPs 4 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 39 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • System policy modification 1 TTPs 2 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\9408b6cd8ac1e4e6208e4ee07bf79736_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\9408b6cd8ac1e4e6208e4ee07bf79736_JaffaCakes118.exe"
    1⤵
    • Modifies security service
    • Adds Run key to start application
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2584
    • C:\Users\Admin\AppData\Local\Temp\9408b6cd8ac1e4e6208e4ee07bf79736_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\9408b6cd8ac1e4e6208e4ee07bf79736_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\114AF\28CA1.exe%C:\Users\Admin\AppData\Roaming\114AF
      2⤵
      PID:2732
    • C:\Users\Admin\AppData\Local\Temp\9408b6cd8ac1e4e6208e4ee07bf79736_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\9408b6cd8ac1e4e6208e4ee07bf79736_JaffaCakes118.exe startC:\Program Files (x86)\AF678\lvvm.exe%C:\Program Files (x86)\AF678
      2⤵
      PID:2420
    • C:\Program Files (x86)\LP\A1B1\E91.tmp
      "C:\Program Files (x86)\LP\A1B1\E91.tmp"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:4932
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1748
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:3156
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4404
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:4476
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:3764
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:1296
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Checks SCSI registry key(s)
    • Modifies registry class
    PID:1072
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:3664
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4048

Network

MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Program Files (x86)\LP\A1B1\E91.tmp

        Filesize

        96KB

        MD5

        7af38992a27888b3f24b3d67e0cd15f7

        SHA1

        ba6c20941f33522c90a8fbf2518706ae4889b2e4

        SHA256

        8d7f9ac62c3a46ba220f1b68b8ff95e960e5385e6a63855ff61acdc1e1efa756

        SHA512

        c89e27cc8c5e8a611342616b799f3b458fa793f9689e379f59fdb0ad042efcfbb2ddded40e580fccff52177eefc933337c8903f886a2b4100884c506e59f6c35

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

        Filesize

        471B

        MD5

        3915165be241aec9bab930e2a3c76254

        SHA1

        14a5310a690d8be6c30a1f29321c5055f7cc46dd

        SHA256

        720820665b0bf51355299e4728c46c72469c88e864ac2a5765bfbe12c8e05455

        SHA512

        3a8a6ba84fc834caefc2d57fca51d8ab39ce853281b3cd7b00b93f6bf89332bf6ef6726cb7171d6670aced0eab62133d7b89ae4f7dd976f16dd9f32216bbff42

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

        Filesize

        420B

        MD5

        230b1dd56b51b512f5932ef24a0b6c33

        SHA1

        a460d3534c242f726b20ac9c64012a1f6c0beb75

        SHA256

        3f17a549baf4b66cc6c5f19dd9f15f1161b7d8a89a2e098f86f8b2c3be483c87

        SHA512

        3784354202adfa3cd230eced355b6d91fdb896f734c1c1e950ee5f7f42ea69904e3c7d09d09430b79956d8ce648fb2211607f6956d307da78e7b7b39ab96ede3

      • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\fbaf94e759052658216786bfbabcdced1b67a5c2.tbres

        Filesize

        2KB

        MD5

        a89aecbf8b3be1120516d0ca15eadfc7

        SHA1

        89dec528e3831582f269b24ef5eb744dd1ae7778

        SHA256

        e5965b532f20869162c20c23f0e3fb8fd2e83e3d13a787d4efbc11352d3f8e0d

        SHA512

        e33775746f78519349344a8abef1a12a48b13c55c468abee6f8f0d11c0aecac94b6782c54b2bfde813789de5f483a72e10f04d22bc261f77ac25a007f816a9d3

      • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133680435554349810.txt

        Filesize

        75KB

        MD5

        6dba185a20e9ef2a8df722fb9821304a

        SHA1

        ea162a0738bc05532f09047f76fd3af945372deb

        SHA256

        10bf75051761201e29cbc5cddb49bdb7365ffc6b39bb3266a8c0de6402e9d395

        SHA512

        e5c17f701dea433f8388f51b4a600b063c01be8bdfb342841efc810b53eedb871163fdab74ee22c99a2d0a1011f3a879f2a0e70a14508f8e8d99c72746bf1eac

      • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat

        Filesize

        22KB

        MD5

        f78e8b3369de69136bbc63e62076f17b

        SHA1

        b513d99b667522a0c04827d655e7ffdd8f45ccfb

        SHA256

        fa9a88054808c94fff9a8f94e3f6932606c0edb6486dcbcc78d80393b1d97c57

        SHA512

        0809f947c4eeb782d56e24766ed96da4a181e27fa33cf26cb1d8d7545557007e3b187175ebcb50a89263adcc1007d723cda7bb9aca361eace61bc1db781bcad1

      • C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\PNRCYTYY\microsoft.windows[1].xml

        Filesize

        97B

        MD5

        5e22ac0cbcc2cfca04d1b6983de47d88

        SHA1

        2cec1efb9cc1a5882ea7880bfcbe947c3361c37f

        SHA256

        15c78df0dc6078f22a8655187b6bc79f1142f5ca86fc151e361b748b119bdc4d

        SHA512

        fe181661eb50f5460f51015d576f688ffd9aa9a9c8e2dd1308416a15e2784d5fd1c0dfb3e2819c357c999aa9be208b372b185616e17c3691cf798e4e861bf870

      • C:\Users\Admin\AppData\Roaming\114AF\F678.14A

        Filesize

        1KB

        MD5

        797de850cd077b53b93b2dd5333b6f3c

        SHA1

        1ba8de39550ddb31bd6115224f2270ebfe52f9db

        SHA256

        e150bf7886139fc31adb2ce5070ed10ae6d11f28f8064f94aeecf3cda45a4a0c

        SHA512

        eaf8a61529b36e37530a17341b79fa407eeef9a03fc468ffb2ff07d0503aa1e7562f0af0218464004a2d34e991955cebb3db52d55b7190ef59d56ada4c671a11

      • C:\Users\Admin\AppData\Roaming\114AF\F678.14A

        Filesize

        600B

        MD5

        3e1520ed07524c2ff5f97a758b2a2078

        SHA1

        6c38fe771ec5b7f808bd4bf91bce9ec53f6697ae

        SHA256

        8b2e07954a06c28a99f8adbdacf574d12c3c9ea5dd30c202a56e99977df4f958

        SHA512

        1f21e126266c5625a967fa118a7e9386678f41cc44f749f2cdee36071c97b68f067cf189b2def6f2f512ee91e96a053c1903a7eda1ca9c61adabf17e377d80ca

      • C:\Users\Admin\AppData\Roaming\114AF\F678.14A

        Filesize

        996B

        MD5

        80c90622e5f8c491955ef5f47033e9e5

        SHA1

        9da26cd3fbc1e8417e006200d6eedd66235582e2

        SHA256

        1bb6d4ac2527ecd133656611eda67c8569a8781dd7c9843391edb3df0c510f05

        SHA512

        e1788c63879bbf2f6690fd4a1873c0d5ee58ffcfb4c95274120697690dd52d1fc25e4763cb290e1ab5943bdf8898930baea2a59f414766219faae6be4e952241

      • memory/1296-196-0x0000023EFEB60000-0x0000023EFEC60000-memory.dmp

        Filesize

        1024KB

      • memory/1296-197-0x0000023EFEB60000-0x0000023EFEC60000-memory.dmp

        Filesize

        1024KB

      • memory/1296-231-0x00000236800A0000-0x00000236800C0000-memory.dmp

        Filesize

        128KB

      • memory/1296-230-0x0000023EFFA80000-0x0000023EFFAA0000-memory.dmp

        Filesize

        128KB

      • memory/1296-200-0x0000023EFFAC0000-0x0000023EFFAE0000-memory.dmp

        Filesize

        128KB

      • memory/1296-195-0x0000023EFEB60000-0x0000023EFEC60000-memory.dmp

        Filesize

        1024KB

      • memory/2420-76-0x0000000000400000-0x000000000046A000-memory.dmp

        Filesize

        424KB

      • memory/2584-1-0x0000000000400000-0x0000000000467000-memory.dmp

        Filesize

        412KB

      • memory/2584-14-0x0000000000400000-0x000000000046A000-memory.dmp

        Filesize

        424KB

      • memory/2584-539-0x0000000000400000-0x000000000046A000-memory.dmp

        Filesize

        424KB

      • memory/2584-77-0x0000000000400000-0x000000000046A000-memory.dmp

        Filesize

        424KB

      • memory/2584-78-0x0000000000400000-0x0000000000467000-memory.dmp

        Filesize

        412KB

      • memory/2584-189-0x0000000000400000-0x000000000046A000-memory.dmp

        Filesize

        424KB

      • memory/2584-2-0x0000000000400000-0x000000000046A000-memory.dmp

        Filesize

        424KB

      • memory/2732-12-0x0000000000400000-0x000000000046A000-memory.dmp

        Filesize

        424KB

      • memory/4048-355-0x00000237FD000000-0x00000237FD100000-memory.dmp

        Filesize

        1024KB

      • memory/4048-359-0x00000237FDF30000-0x00000237FDF50000-memory.dmp

        Filesize

        128KB

      • memory/4048-385-0x00000237FE500000-0x00000237FE520000-memory.dmp

        Filesize

        128KB

      • memory/4048-372-0x00000237FDEF0000-0x00000237FDF10000-memory.dmp

        Filesize

        128KB

      • memory/4048-354-0x00000237FD000000-0x00000237FD100000-memory.dmp

        Filesize

        1024KB

      • memory/4476-194-0x0000000003080000-0x0000000003081000-memory.dmp

        Filesize

        4KB

      • memory/4932-153-0x0000000000400000-0x000000000041C000-memory.dmp

        Filesize

        112KB