Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

d6c086bd2c...18.msi

windows7-x64

10

d6c086bd2c...18.msi

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    121s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/09/2024, 17:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d6c086bd2cb9f0bad442d057fb922d76_JaffaCakes118.msi

  • Size

    1012KB

  • MD5

    d6c086bd2cb9f0bad442d057fb922d76

  • SHA1

    c6d62de15313918968ca2de3cd4233d2177fa848

  • SHA256

    753aad9e9c12de41f51b1316c4aa6b50c3f359f12b09a72ece99bd6cce2e6537

  • SHA512

    869757a0bd7852656c0694564dc21cd577a90b6cfa1c67bad3db61288bd951b55969e62b24f7e0ddad516bf98c7b046b20a95535a637650d9cef0b8b03faac9b

  • SSDEEP

    12288:hEt8ZPcBLP41FUCtmHlgDvq7BOTszKS6mCZ0e8kcJ+:hEt8a5gbUFHA0By0e5cJ+

Score
10/10
agentteslacollectioncredential_accessdiscoverykeyloggerpersistenceprivilege_escalationspywarestealertrojan

Malware Config

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • AgentTesla payload 1 IoCs
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

    spywarestealer
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

    credential_accessstealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 8 IoCs
  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 57 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\d6c086bd2cb9f0bad442d057fb922d76_JaffaCakes118.msi
    1⤵
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:4764
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:828
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3944
    • C:\Windows\Installer\MSIF4D1.tmp
      "C:\Windows\Installer\MSIF4D1.tmp"
      2⤵
      • Checks computer location settings
      • Suspicious use of SetThreadContext
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:5036
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SekcVGmvsmWO" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC520.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:1052
      • C:\Windows\Installer\MSIF4D1.tmp
        "C:\Windows\Installer\MSIF4D1.tmp"
        3⤵
        • Accesses Microsoft Outlook profiles
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • outlook_office_path
        • outlook_win_path
        PID:800
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious use of AdjustPrivilegeToken
    PID:5024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Event Triggered Execution

1
T1546

Installer Packages

1
T1546.016

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Event Triggered Execution

1
T1546

Installer Packages

1
T1546.016

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

System Binary Proxy Execution

1
T1218

Msiexec

1
T1218.007

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

5
T1552

Credentials In Files

4
T1552.001

Credentials in Registry

1
T1552.002

Discovery

Peripheral Device Discovery

2
T1120

Query Registry

3
T1012

System Information Discovery

4
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

4
T1005

Email Collection

1
T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Config.Msi\e57f34c.rbs
    Filesize

    663B

    MD5

    d54bf977078df21b48910539ad17e21b

    SHA1

    dce01852d2ddaadb84fc0d15b905156256d5f574

    SHA256

    ff475a459b6be42242c1d15b4f36b88b0e7ab4d0f1db1a26a519ec7cff355e30

    SHA512

    b54c62df5cd9f7202fc0017de8fd9ebbd06b4f82764198ae27acba5021d4604dcd3cb03ce691e63b6ff12dd68af9b61050a69fa128e94eb6f940c957479e189c

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MSIF4D1.tmp.log
    Filesize

    1KB

    MD5

    8ec831f3e3a3f77e4a7b9cd32b48384c

    SHA1

    d83f09fd87c5bd86e045873c231c14836e76a05c

    SHA256

    7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

    SHA512

    26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmpC520.tmp
    Filesize

    1KB

    MD5

    180aee515447773678c9fe5746f683a9

    SHA1

    1866443f1bd5b018665c5af83e7a8c1593d15563

    SHA256

    dea0f2c1a6c06b39e7af9fa7212f32bb680dd2c77cd1a67b6416a9e7fe622163

    SHA512

    c4242fb09b3cc4aaf0433d4b86c5a2ef64108ef35a323e2af35126c35fe0bcf99890d187889f3323f2db6fb3a5fe6ac4517356224684da8623b988267cea3cf9

    Download Submit

  • C:\Windows\Installer\MSIF4D1.tmp
    Filesize

    984KB

    MD5

    0575ec33b5638907ac7cc23c0775f2c6

    SHA1

    6797cf3cd0035c5ba16ea24a93203c89ee5b70b0

    SHA256

    b7ea1c16cfa57e9787464e48363ff5d004df399cecc75f234e8145191742fd6f

    SHA512

    10873b91906a32ee65b04eebf80a503070c489ba9d563db5e39a2df202c9ae18b64e2717a3082e780f6d937747fb63e749596e41f192bc5a979c0523f24bd3fa

    Download Submit

  • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
    Filesize

    23.7MB

    MD5

    94784e22f49ea3945b7439d8f11f9eeb

    SHA1

    b419fec0f1fb2b64c743e703b2394ee99af68aeb

    SHA256

    4290f6fae694a99e82d42572f4526e65c5c83714850437f11f5d7c406a9c2e75

    SHA512

    92ee46750f893cea5bcbf7eba9a554b9762e6a69353810567b5414e0bfadf4a1712e1f22cff0e150fa32ad41db86f259db79005f4dafe33ad537448590b705e0

    Download Submit

  • \??\Volume{83bffa96-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{2b306eb6-4c26-44d2-9e74-3b6e6d41723c}_OnDiskSnapshotProp
    Filesize

    6KB

    MD5

    f828a19e9bb8a4f0611e865a3940cb1a

    SHA1

    555d9aa9197fb1d3602ac4e6fa0c376c3bd5471e

    SHA256

    97964a27c04e6b93ccee0a3522aa6e8ff9c946f53f6f066c5b611d9f58519a1a

    SHA512

    8e952fcb438e8c091d4982a304faffd0883f40079539452f711f70832fa9af3eb8df4f6d67c2ebd14b8572e29bd138d2ff899ebf6b6ff891b4e92f69d9e48a70

    Download Submit

  • memory/800-47-0x0000000006BA0000-0x0000000006BF0000-memory.dmp

    Filesize

    320KB

    Download

  • memory/800-46-0x0000000006040000-0x000000000604A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/800-45-0x00000000054B0000-0x0000000005516000-memory.dmp

    Filesize

    408KB

    Download

  • memory/800-42-0x00000000050B0000-0x00000000050C8000-memory.dmp

    Filesize

    96KB

    Download

  • memory/800-33-0x0000000000580000-0x00000000005DA000-memory.dmp

    Filesize

    360KB

    Download

  • memory/5036-15-0x00000000056A0000-0x0000000005C44000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/5036-29-0x0000000002AC0000-0x0000000002ACA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/5036-19-0x0000000006AD0000-0x0000000006B44000-memory.dmp

    Filesize

    464KB

    Download

  • memory/5036-18-0x0000000006880000-0x000000000691C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/5036-17-0x0000000005280000-0x000000000528A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/5036-16-0x00000000051D0000-0x0000000005262000-memory.dmp

    Filesize

    584KB

    Download

  • memory/5036-13-0x0000000000830000-0x000000000092C000-memory.dmp

    Filesize

    1008KB

    Download