Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    14/08/2024, 14:42

General

  • Target

    9683b5a5db7ef90997e75defa03bee46_JaffaCakes118.exe

  • Size

    488KB

  • MD5

    9683b5a5db7ef90997e75defa03bee46

  • SHA1

    2c335dea0aec7c40365e5e7e4b392463ef667480

  • SHA256

    247f07cc6c486b74c0c7af12f9b1c41385c691e77ae7c3d0c4ec0d242745d020

  • SHA512

    9907e15365f968b77ced26fdd5580b255767352014bb8ac50544532b73f6bfd356af8ded60ee472e25e77d248a2017125b7cf17468ab18e31eeca3159705db86

  • SSDEEP

    12288:sgHsqmAdjxORA4GTe2Pr9hroyCMJOcddfm+YPk:gqmwjfz79iSJOUYPk

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 4 IoCs
  • UAC bypass 3 TTPs 13 IoCs
  • Adds policy Run key to start application 2 TTPs 29 IoCs
  • Disables RegEdit via registry modification 6 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 64 IoCs
  • Checks whether UAC is enabled 1 TTPs 8 IoCs
  • Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs

    Possibly turns off User Account Control's privilege elevation for standard users.

  • Looks up external IP address via web service 6 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops autorun.inf file 1 TTPs 4 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 32 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 32 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • System policy modification 1 TTPs 38 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9683b5a5db7ef90997e75defa03bee46_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\9683b5a5db7ef90997e75defa03bee46_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2868
    • C:\Users\Admin\AppData\Local\Temp\rsgszysrbcq.exe
      "C:\Users\Admin\AppData\Local\Temp\rsgszysrbcq.exe" "c:\users\admin\appdata\local\temp\9683b5a5db7ef90997e75defa03bee46_jaffacakes118.exe*"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Disables RegEdit via registry modification
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Hijack Execution Flow: Executable Installer File Permissions Weakness
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:4452
      • C:\Users\Admin\AppData\Local\Temp\luyyfk.exe
        "C:\Users\Admin\AppData\Local\Temp\luyyfk.exe" "-C:\Users\Admin\AppData\Local\Temp\xqeofuleshagzqcg.exe"
        3⤵
        • Modifies WinLogon for persistence
        • UAC bypass
        • Adds policy Run key to start application
        • Disables RegEdit via registry modification
        • Executes dropped EXE
        • Impair Defenses: Safe Mode Boot
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Hijack Execution Flow: Executable Installer File Permissions Weakness
        • Drops autorun.inf file
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • System policy modification
        PID:2632
      • C:\Users\Admin\AppData\Local\Temp\luyyfk.exe
        "C:\Users\Admin\AppData\Local\Temp\luyyfk.exe" "-C:\Users\Admin\AppData\Local\Temp\xqeofuleshagzqcg.exe"
        3⤵
        • Modifies WinLogon for persistence
        • UAC bypass
        • Adds policy Run key to start application
        • Disables RegEdit via registry modification
        • Executes dropped EXE
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Hijack Execution Flow: Executable Installer File Permissions Weakness
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System policy modification
        PID:4844
    • C:\Users\Admin\AppData\Local\Temp\rsgszysrbcq.exe
      "C:\Users\Admin\AppData\Local\Temp\rsgszysrbcq.exe" "c:\users\admin\appdata\local\temp\9683b5a5db7ef90997e75defa03bee46_jaffacakes118.exe"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System policy modification
      PID:4140

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\ryaydglsuxeyfkkcphlsusxafm.rys

    Filesize

    272B

    MD5

    772553175b1409dab9c7d5fbf12d6b43

    SHA1

    82450897b4a2bfed4d629d55e6d5608f9ec3afea

    SHA256

    f8182c2cbfc1dfc3e9b96c7c1b238f55d7cede0b6c0c51e73ddb562f4d36645b

    SHA512

    b07a04cc8ff3bfa87e95166582f1d40481a984f0e58796e23d4dfb632b176d12f797ecc6cb39a5b0184e0ffc492ae8c0c89397adf838eebda5f7ef1212e91075

  • C:\Program Files (x86)\ryaydglsuxeyfkkcphlsusxafm.rys

    Filesize

    272B

    MD5

    09fcdd33ce738806fa1d35f9e7f91ee6

    SHA1

    af0a7a64bbb22ebd5c5d657b298f760a22a484b2

    SHA256

    d00811e6c266e3110e43284a3078bb8e8a7c20cb789cb554a993c676e0ebd3c4

    SHA512

    00af288dfe1c105f769815ba708e28a6769b2fc77b1c1dde006fbc6b89cddb8ad83ce8382ebc3ecf1e605914b6b897c6855044ada8c5c705529cb8d8cce460f5

  • C:\Program Files (x86)\ryaydglsuxeyfkkcphlsusxafm.rys

    Filesize

    272B

    MD5

    eda4647e8002051e37923867581f1702

    SHA1

    c0d461b9917222a80a45cfde8d35bb6cf552f253

    SHA256

    65de3f489d016e9ef1cbc1ef90167358304471d274ad4764442b4af2c6e5ad2e

    SHA512

    29684f615414701e573aceb9d3ca3d921acdfe8224cb86c7afb33ca086c6243200161f43eb14836af62d5e94bd7ff5e2b929d52cb0322c345412029b4523d1be

  • C:\Program Files (x86)\ryaydglsuxeyfkkcphlsusxafm.rys

    Filesize

    272B

    MD5

    e0abc76ecf990d677f4418b404d5c0e6

    SHA1

    e16ffb2e3acca179ec63767ee9e2f627df072f64

    SHA256

    ae4beece2e9d2191dc4eda0b32b71deb35298ff0946e59309124c44bb3020164

    SHA512

    f11543ba2ee8b7c812bef49fee3f28deb727b2e0e78bdf1d629b7c855fbafb28dc5ee832c7255c6d9f3110f704bb8c78e738e4548b514d8b38128d1dbb255af6

  • C:\Program Files (x86)\ryaydglsuxeyfkkcphlsusxafm.rys

    Filesize

    272B

    MD5

    be7666637e097e5d8d336cf612ca6d48

    SHA1

    e0baadfeb19fff7bb5719caaaa4d323885463378

    SHA256

    a1572c84c6c984cdda2632232649fa5e971893ecc492faa90e097c24aae63142

    SHA512

    5f2a9bfc0eaa896090b45831bbb81fdd3e96eda16bf8f0ef4085ae340994694a95cbd202ee4b032d54e53aa3d436401667d548a4b2f1138561678cb446394ab7

  • C:\Users\Admin\AppData\Local\Temp\luyyfk.exe

    Filesize

    700KB

    MD5

    2795ef9b26d623ab0229fb1922df0f73

    SHA1

    53aec3d71346ec73ade3f2f178c5746505659a5f

    SHA256

    7045e00e95a78430416c76cd18e187d0a08d2e958539b0bfa9ae2903f807e38a

    SHA512

    76b9407bb958ecebce5a04d6b782b10ca6fe0ff0786feba1606800fe2b1067167900cef929f5ce73b2e5d46f3f3f3d3f9938ed1f89162bf8d3bc589b736648aa

  • C:\Users\Admin\AppData\Local\Temp\rsgszysrbcq.exe

    Filesize

    320KB

    MD5

    b92314203327a733531042bc58e54f57

    SHA1

    1f3d0081f308a82c9659f4a57fc1ad551167a181

    SHA256

    d936bfd3b4264fe1650dee22119858b9d0cc58598e7e956ebecf72fb82f7c7d3

    SHA512

    2982559183e13830cd795c7badadb15b4dad50315155299d9713970aff034c827ade98c79d6da836aea743890aca71bc0f7d5348a32f2858b4f40884ecccf7f7

  • C:\Users\Admin\AppData\Local\ryaydglsuxeyfkkcphlsusxafm.rys

    Filesize

    272B

    MD5

    74f3b971c627240979f1cbf23196ab21

    SHA1

    ff8b0a537b84df2170f516c5ff6ca197c22b6cda

    SHA256

    3acee41f05f06fd5c86860be03706eb1d09faf380301aba0d5ba3b75de7ce127

    SHA512

    6c90ae8f7678aed5ecda8d25e790b56903fc73037185ab6249e0f63384923607f141e4b28acdf3aac71eb2b653f805044f132d8229ab3fce8cac27c7e89bc5a8

  • C:\Users\Admin\AppData\Local\ryaydglsuxeyfkkcphlsusxafm.rys

    Filesize

    272B

    MD5

    4a4077cc33f3a05235490aaacf69725f

    SHA1

    9d1598178e5091bd52827c4e0f2506a49ee953e7

    SHA256

    66f39961e9d517ee463636604fb5fc8769461e1f1966558134fd1ce2f282e2ff

    SHA512

    6a0f95617a73893fbeb1b4f25b5fcd196520a4081aa6a232ef7bbc2a5d93ad0cbf08756d7592f88cfbf2b12fb8ba88da51f7ab01e425a276d2f6d6a02a909de9

  • C:\Users\Admin\AppData\Local\skxgwkasftlqiyjmkncuhqgukcpdvasitwuxm.raq

    Filesize

    3KB

    MD5

    6f8928a29781985a9c661cb875559e9a

    SHA1

    2213d4ada486a2986251524588c1b397df4cd036

    SHA256

    02c1e7e7fb01bdb547adb6b386d490ef9fc2590539d0864b83e3131cc86b2276

    SHA512

    b3b2c954e2da1b2109b72243af0767dea0f6f6d3483fd6ba9f9ac4a9a09a0389ff7c0d771c1b706a5c00514cc77335be3b975da018d9a0b3dc486303da8432a5

  • C:\Windows\SysWOW64\niykduniypksnguabh.exe

    Filesize

    488KB

    MD5

    9683b5a5db7ef90997e75defa03bee46

    SHA1

    2c335dea0aec7c40365e5e7e4b392463ef667480

    SHA256

    247f07cc6c486b74c0c7af12f9b1c41385c691e77ae7c3d0c4ec0d242745d020

    SHA512

    9907e15365f968b77ced26fdd5580b255767352014bb8ac50544532b73f6bfd356af8ded60ee472e25e77d248a2017125b7cf17468ab18e31eeca3159705db86