Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    126s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24/08/2024, 21:47

General

  • Target

    bf7b61b7d5984c357907a111480602e8_JaffaCakes118.exe

  • Size

    80KB

  • MD5

    bf7b61b7d5984c357907a111480602e8

  • SHA1

    95d79d6f7da79b6487fb19431134ccb09fc027b8

  • SHA256

    520a97331c488c176432b18191957390c3e4961af04fa14d8e39482764bade1c

  • SHA512

    cce9cd58fcb907618f0289ceb4a63bf9ca8df5bb53a6fa559db68c31f8c05e786b5c862218fc49dc68b2a18d7ecf7d81d9c781a3876455f42420ae21e4443b14

  • SSDEEP

    768:qIgxZk/RCEH4QJcWfL3n8z3vpPzXreencxkgbsb3JnPY4f54jKV+JVbZU:QRQJciIDvpLr/nkcr4GVubZU

Malware Config

Signatures

  • Grants admin privileges 1 TTPs

    Uses net.exe to modify the user's privileges.

  • Executes dropped EXE 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Network Service Discovery 1 TTPs 1 IoCs

    Attempt to gather information on host's network.

  • Network Share Discovery 1 TTPs

    Attempt to gather information on host network.

  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Permission Groups Discovery: Local Groups 1 TTPs

    Attempt to find local system groups and permission settings.

  • System Location Discovery: System Language Discovery 1 TTPs 48 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Connections Discovery 1 TTPs 1 IoCs

    Attempt to get a listing of network connections.

  • Discovers systems in the same network 1 TTPs 1 IoCs
  • Gathers network information 2 TTPs 3 IoCs

    Uses commandline utility to view network configuration.

  • Gathers system information 1 TTPs 1 IoCs

    Runs systeminfo.exe.

  • Runs net.exe
  • Suspicious use of AdjustPrivilegeToken 29 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bf7b61b7d5984c357907a111480602e8_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\bf7b61b7d5984c357907a111480602e8_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4892
    • C:\ProgramData\Application Data\wmimgmt.exe
      "C:\ProgramData\Application Data\wmimgmt.exe"
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3476
      • C:\Users\Admin\AppData\Local\Temp\avp.exe
        C:\Users\Admin\AppData\Local\Temp\avp.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1712
        • C:\Windows\ctfmon.exe
          C:\Windows\ctfmon.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          PID:1588
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\avp.exe /a /f /q > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:452
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /v:on /c C:\Users\Admin\AppData\Local\Temp\ghi.bat
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2184
        • C:\Windows\SysWOW64\findstr.exe
          findstr /s "YM.CGP_" "C:\Users\Admin"\..\*.txt
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1176
        • C:\Windows\SysWOW64\chcp.com
          chcp
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1576
        • C:\Windows\SysWOW64\net.exe
          net user
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4964
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 user
            5⤵
            • System Location Discovery: System Language Discovery
            PID:4544
        • C:\Windows\SysWOW64\net.exe
          net localgroup administrators
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2752
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 localgroup administrators
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2508
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          4⤵
          • Enumerates processes with tasklist
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:5088
        • C:\Windows\SysWOW64\systeminfo.exe
          systeminfo
          4⤵
          • System Location Discovery: System Language Discovery
          • Gathers system information
          PID:1184
        • C:\Windows\SysWOW64\reg.exe
          reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2072
        • C:\Windows\SysWOW64\find.exe
          find "REG_"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1104
        • C:\Windows\SysWOW64\reg.exe
          reg query HKEY_CURRENT_USER\Software\Microsoft\Office
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4596
        • C:\Windows\SysWOW64\reg.exe
          reg query HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Common\UserInfo
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4836
        • C:\Windows\SysWOW64\reg.exe
          reg query HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Common\UserInfo
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3860
        • C:\Windows\SysWOW64\reg.exe
          reg query HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Common\UserInfo
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4064
        • C:\Windows\SysWOW64\reg.exe
          reg query HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Common\UserInfo
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1880
        • C:\Windows\SysWOW64\reg.exe
          reg query HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\UserInfo
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4308
        • C:\Windows\SysWOW64\reg.exe
          reg query HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Common\UserInfo
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1692
        • C:\Windows\SysWOW64\ipconfig.exe
          ipconfig /all
          4⤵
          • System Location Discovery: System Language Discovery
          • Gathers network information
          PID:2236
        • C:\Windows\SysWOW64\NETSTAT.EXE
          netstat -ano
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Connections Discovery
          • Gathers network information
          • Suspicious use of AdjustPrivilegeToken
          PID:4868
        • C:\Windows\SysWOW64\ARP.EXE
          arp -a
          4⤵
          • Network Service Discovery
          • System Location Discovery: System Language Discovery
          PID:2560
        • C:\Windows\SysWOW64\NETSTAT.EXE
          netstat -r
          4⤵
          • System Location Discovery: System Language Discovery
          • Gathers network information
          PID:1432
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c "C:\Windows\system32\route.exe" print
            5⤵
            • System Location Discovery: System Language Discovery
            PID:3580
            • C:\Windows\SysWOW64\ROUTE.EXE
              C:\Windows\system32\route.exe print
              6⤵
              • System Location Discovery: System Language Discovery
              PID:4320
        • C:\Windows\SysWOW64\net.exe
          net start
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3820
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 start
            5⤵
            • System Location Discovery: System Language Discovery
            PID:728
        • C:\Windows\SysWOW64\net.exe
          net use
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3756
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" echo n"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1204
        • C:\Windows\SysWOW64\net.exe
          net share
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3816
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 share
            5⤵
            • System Location Discovery: System Language Discovery
            PID:3248
        • C:\Windows\SysWOW64\net.exe
          net view /domain
          4⤵
          • System Location Discovery: System Language Discovery
          • Discovers systems in the same network
          PID:3684
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\s.log "
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3892
        • C:\Windows\SysWOW64\find.exe
          find /i /v "------"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1904
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\t.log "
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2140
        • C:\Windows\SysWOW64\find.exe
          find /i /v "domain"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:468
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\s.log "
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1744
        • C:\Windows\SysWOW64\find.exe
          find /i /v "¬A╛╣"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3424
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\t.log "
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4820
        • C:\Windows\SysWOW64\find.exe
          find /i /v "░⌡ªµª¿"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4376
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\s.log "
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2832
        • C:\Windows\SysWOW64\find.exe
          find /i /v "├ⁿ┴ε"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1576
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\t.log "
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4944
        • C:\Windows\SysWOW64\find.exe
          find /i /v "completed successfully"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1604

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\wmimgmt.exe

    Filesize

    80KB

    MD5

    bf7b61b7d5984c357907a111480602e8

    SHA1

    95d79d6f7da79b6487fb19431134ccb09fc027b8

    SHA256

    520a97331c488c176432b18191957390c3e4961af04fa14d8e39482764bade1c

    SHA512

    cce9cd58fcb907618f0289ceb4a63bf9ca8df5bb53a6fa559db68c31f8c05e786b5c862218fc49dc68b2a18d7ecf7d81d9c781a3876455f42420ae21e4443b14

  • C:\Users\Admin\AppData\Local\Temp\INFO.TXT

    Filesize

    43B

    MD5

    04c4cb4dd076cac072f427d020699c42

    SHA1

    4ff2543d8c1279105d191546aab7fe29d3f1bb6c

    SHA256

    2a22056355efded2a78c32c0b27ed02c6a8e4177e25cf02c83d1de377531f079

    SHA512

    65ef8e83759fce0b9f5a10acb5dcd7fa8a426ed5f4cf203a248086525737df685a1b00a876c9e1716f8682173698a66c4a6915d8d1ceec2da6f4764e29d82fd9

  • C:\Users\Admin\AppData\Local\Temp\INFO.TXT

    Filesize

    12KB

    MD5

    9f7b56e3b44736a7bd2de90e51ef1dd6

    SHA1

    d212fe4b7d98ce3da41c2350084afce5f7d9a535

    SHA256

    63b9d3237df537c2ce9665b92675403205308cdf2da705f0440fe6f5abddc853

    SHA512

    aec09aa37bc501ad1d917dfb5f322cd7b1d9d1e070aa7b4dc52f1fed64726e04ca5b47aa62c023394a30cf36011b6867f5914f9630b4d9cb776b272bd8a7c3e9

  • C:\Users\Admin\AppData\Local\Temp\INFO.TXT

    Filesize

    37.5MB

    MD5

    c4ae1add9896d479b0879182fbfc0e6f

    SHA1

    336c17d4670b2ec8f909ebdc0342cdf865695780

    SHA256

    60f5407206a9f6bfaa3fe7dcc11533c3097a4957c13acb3ed5beb8da40495268

    SHA512

    b04f17446f9985f8aee9df4309e5f95b747035f3855d479852b74bba162130872a085961e4f3eb85f9c749d4765f48c20d0302023cafc981f6329eb62ceb7911

  • C:\Users\Admin\AppData\Local\Temp\avp.exe

    Filesize

    25KB

    MD5

    d1c53b02d8e555d4c9d01c50da28ee8d

    SHA1

    cac0e3ead0758b2f889735e9e01a0d65af8392ab

    SHA256

    5b199306d8b7c40b38c7f73a47395f7bbbc65da3f474ee2daad83ae4199ba809

    SHA512

    711d89461ee90874f360fd83db5cf753f2337a2991002983689936814730cfdbf5e54ce8f0164f12aca84252f712cbdcb4563a593a642e8c1dbf6687e4b5cc4f

  • C:\Users\Admin\AppData\Local\Temp\drivers.p

    Filesize

    15B

    MD5

    4ff8e80638f36abd8fb131c19425317b

    SHA1

    358665afaf5f88dfebcdb7c56e963693c520c136

    SHA256

    6b8ceb900443f4924efd3187693038965ad7edb488879305489aa72d78f69626

    SHA512

    d4e6e3d789bc76102c500b46a5aa799c5ebfc432a44117aa0b7c7512439d33a423630b963fb04cda1da17a7f6517b276a3e9298c17cbf795964090f4b9e5d8f1

  • C:\Users\Admin\AppData\Local\Temp\ghi.bat

    Filesize

    3KB

    MD5

    5431296029e067a37ab14127c8fbf3f6

    SHA1

    0e6106b3984b7e48a62d7d439324528ad9948793

    SHA256

    4a51230e15fd4dee03618c89eb0b2068e19de35660ce24acfc9505de1644d9e6

    SHA512

    5be870e295ed808f283bf969ca54789572e985fba16cb6fe9c088712381c0e4e44209cf39cebb367060914979d92517d99a1d3cf7d1d5531645b3fa08ae5a149

  • C:\Users\Public\Documents\Media\D1C7B476.db

    Filesize

    64B

    MD5

    a089b0c1a3dc621cd2855b674d275689

    SHA1

    645c4be3bcaef74c8689efc46e47598dbf6cadf6

    SHA256

    427907be5bc0944644dfd6625a927e6019b1579e327795bfa0aa8f0094caae79

    SHA512

    b255eaf384d517a8f9f31a9644e29e6fadbc2d9cc6bfd044a359c89430fb4542c98bec73d6f8f29b11a94f3ba27053129ce4be069519ba39205675049e49b9d1

  • memory/3476-51-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/4892-0-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/4892-7-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB