Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
118s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
31/08/2024, 16:14
Static task
static1
Behavioral task
behavioral1
Sample
cd23b9710a6f3bddf569663eca410316_JaffaCakes118.msi
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
cd23b9710a6f3bddf569663eca410316_JaffaCakes118.msi
Resource
win10v2004-20240802-en
General
-
Target
cd23b9710a6f3bddf569663eca410316_JaffaCakes118.msi
-
Size
428KB
-
MD5
cd23b9710a6f3bddf569663eca410316
-
SHA1
26afee2a515aa7c0d2ab691fadd85bfc948dcfbe
-
SHA256
193e8868bf9fbb4fc5edb8a0e2400796ee644114d8a401c8550ce0aa958665ac
-
SHA512
789589860b13b580604be4d7127bc340cc0d29bcf8e6cb6a9259bbf4623033f96addc41b1df41850ee273c9e642730cff5dbc54d75171bdf9caa727cd4ab13cd
-
SSDEEP
12288:sEfBZl1vvNQSnTlBZl1vvNQSnTnHrpq0sU5:sEJ1vvNQQTz1vvNQQTNq0x
Malware Config
Extracted
lokibot
http://pms-ne.kr/ikloki/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Signatures
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\J: msiexec.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 332 set thread context of 1624 332 MSIEC44.tmp 36 -
Drops file in Windows directory 10 IoCs
description ioc Process File opened for modification C:\Windows\INF\setupapi.ev3 DrvInst.exe File opened for modification C:\Windows\Installer\MSIEBE5.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIEC44.tmp msiexec.exe File opened for modification C:\Windows\INF\setupapi.ev1 DrvInst.exe File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe File created C:\Windows\Installer\f76eafb.msi msiexec.exe File opened for modification C:\Windows\Installer\f76eafb.msi msiexec.exe File created C:\Windows\Installer\f76eafe.ipi msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File opened for modification C:\Windows\Installer\f76eafe.ipi msiexec.exe -
Executes dropped EXE 2 IoCs
pid Process 332 MSIEC44.tmp 1624 MSIEC44.tmp -
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
pid Process 2500 msiexec.exe -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MSIEC44.tmp -
Modifies data under HKEY_USERS 43 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs DrvInst.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2024 msiexec.exe 2024 msiexec.exe -
Suspicious use of AdjustPrivilegeToken 62 IoCs
description pid Process Token: SeShutdownPrivilege 2500 msiexec.exe Token: SeIncreaseQuotaPrivilege 2500 msiexec.exe Token: SeRestorePrivilege 2024 msiexec.exe Token: SeTakeOwnershipPrivilege 2024 msiexec.exe Token: SeSecurityPrivilege 2024 msiexec.exe Token: SeCreateTokenPrivilege 2500 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 2500 msiexec.exe Token: SeLockMemoryPrivilege 2500 msiexec.exe Token: SeIncreaseQuotaPrivilege 2500 msiexec.exe Token: SeMachineAccountPrivilege 2500 msiexec.exe Token: SeTcbPrivilege 2500 msiexec.exe Token: SeSecurityPrivilege 2500 msiexec.exe Token: SeTakeOwnershipPrivilege 2500 msiexec.exe Token: SeLoadDriverPrivilege 2500 msiexec.exe Token: SeSystemProfilePrivilege 2500 msiexec.exe Token: SeSystemtimePrivilege 2500 msiexec.exe Token: SeProfSingleProcessPrivilege 2500 msiexec.exe Token: SeIncBasePriorityPrivilege 2500 msiexec.exe Token: SeCreatePagefilePrivilege 2500 msiexec.exe Token: SeCreatePermanentPrivilege 2500 msiexec.exe Token: SeBackupPrivilege 2500 msiexec.exe Token: SeRestorePrivilege 2500 msiexec.exe Token: SeShutdownPrivilege 2500 msiexec.exe Token: SeDebugPrivilege 2500 msiexec.exe Token: SeAuditPrivilege 2500 msiexec.exe Token: SeSystemEnvironmentPrivilege 2500 msiexec.exe Token: SeChangeNotifyPrivilege 2500 msiexec.exe Token: SeRemoteShutdownPrivilege 2500 msiexec.exe Token: SeUndockPrivilege 2500 msiexec.exe Token: SeSyncAgentPrivilege 2500 msiexec.exe Token: SeEnableDelegationPrivilege 2500 msiexec.exe Token: SeManageVolumePrivilege 2500 msiexec.exe Token: SeImpersonatePrivilege 2500 msiexec.exe Token: SeCreateGlobalPrivilege 2500 msiexec.exe Token: SeBackupPrivilege 1312 vssvc.exe Token: SeRestorePrivilege 1312 vssvc.exe Token: SeAuditPrivilege 1312 vssvc.exe Token: SeBackupPrivilege 2024 msiexec.exe Token: SeRestorePrivilege 2024 msiexec.exe Token: SeRestorePrivilege 2804 DrvInst.exe Token: SeRestorePrivilege 2804 DrvInst.exe Token: SeRestorePrivilege 2804 DrvInst.exe Token: SeRestorePrivilege 2804 DrvInst.exe Token: SeRestorePrivilege 2804 DrvInst.exe Token: SeRestorePrivilege 2804 DrvInst.exe Token: SeRestorePrivilege 2804 DrvInst.exe Token: SeLoadDriverPrivilege 2804 DrvInst.exe Token: SeLoadDriverPrivilege 2804 DrvInst.exe Token: SeLoadDriverPrivilege 2804 DrvInst.exe Token: SeRestorePrivilege 2024 msiexec.exe Token: SeTakeOwnershipPrivilege 2024 msiexec.exe Token: SeRestorePrivilege 2024 msiexec.exe Token: SeTakeOwnershipPrivilege 2024 msiexec.exe Token: SeRestorePrivilege 2024 msiexec.exe Token: SeTakeOwnershipPrivilege 2024 msiexec.exe Token: SeRestorePrivilege 2024 msiexec.exe Token: SeTakeOwnershipPrivilege 2024 msiexec.exe Token: SeDebugPrivilege 332 MSIEC44.tmp Token: SeRestorePrivilege 2024 msiexec.exe Token: SeTakeOwnershipPrivilege 2024 msiexec.exe Token: SeRestorePrivilege 2024 msiexec.exe Token: SeTakeOwnershipPrivilege 2024 msiexec.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 2500 msiexec.exe 2500 msiexec.exe -
Suspicious use of WriteProcessMemory 14 IoCs
description pid Process procid_target PID 2024 wrote to memory of 332 2024 msiexec.exe 35 PID 2024 wrote to memory of 332 2024 msiexec.exe 35 PID 2024 wrote to memory of 332 2024 msiexec.exe 35 PID 2024 wrote to memory of 332 2024 msiexec.exe 35 PID 332 wrote to memory of 1624 332 MSIEC44.tmp 36 PID 332 wrote to memory of 1624 332 MSIEC44.tmp 36 PID 332 wrote to memory of 1624 332 MSIEC44.tmp 36 PID 332 wrote to memory of 1624 332 MSIEC44.tmp 36 PID 332 wrote to memory of 1624 332 MSIEC44.tmp 36 PID 332 wrote to memory of 1624 332 MSIEC44.tmp 36 PID 332 wrote to memory of 1624 332 MSIEC44.tmp 36 PID 332 wrote to memory of 1624 332 MSIEC44.tmp 36 PID 332 wrote to memory of 1624 332 MSIEC44.tmp 36 PID 332 wrote to memory of 1624 332 MSIEC44.tmp 36 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\cd23b9710a6f3bddf569663eca410316_JaffaCakes118.msi1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2500
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2024 -
C:\Windows\Installer\MSIEC44.tmp"C:\Windows\Installer\MSIEC44.tmp"2⤵
- Suspicious use of SetThreadContext
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:332 -
C:\Windows\Installer\MSIEC44.tmp"C:\Windows\Installer\MSIEC44.tmp"3⤵
- Executes dropped EXE
PID:1624
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1312
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005E0" "0000000000000584"1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2804
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
663B
MD526321291d0961bfb74e0e41adeaec74f
SHA1f3aa683b9b6b9b00456fb6014beb3dcda6e4860b
SHA256753c38e36ef65c59123cdcc94208394f5bc2cd0518fed777c8b7297b0f2a3160
SHA5127cf2297b239fc937d57d0756e95da75f77bca7a48a5553aa227370154a4905b210fe1291a94d7f81ef931eda676251b12a51eff22764ac3db19c597a4e97546c
-
Filesize
401KB
MD542f0ce29970a9ab24c4d01d061091bca
SHA1c871ab752d547956b4ea1f3944b3b32a793e7112
SHA256a8b1fd6c71325bc5a80c2a175dfcb39fddc77b2125f8065c63636dfdff9bab7f
SHA5126b9d538b41ff821f6b95d0722c76fd2d940053990e7d782ba8f39fc71e357ed655528361cc7e961b7bc141ac4be38e926102876ecfd4cd22600fa87a97f538ad