Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
09/09/2024, 18:10
Static task
static1
Behavioral task
behavioral1
Sample
d6d930833f8f2ede9362a09329e7f4ac_JaffaCakes118.ps1
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
d6d930833f8f2ede9362a09329e7f4ac_JaffaCakes118.ps1
Resource
win10v2004-20240802-en
General
-
Target
d6d930833f8f2ede9362a09329e7f4ac_JaffaCakes118.ps1
-
Size
465KB
-
MD5
d6d930833f8f2ede9362a09329e7f4ac
-
SHA1
38984a2cd22557db3ee44b29a9d7100fffa5ce39
-
SHA256
7159c94e767e0c5e2bdbcd02f04bffd4226f174dc46755995cd7679c289f6cae
-
SHA512
632d51bb1112e7518a186321535908a7da6cd42540dbf2fd10c73f32b6e2a75a26dd68b6829d27608758ee63d3b788bc4ae8128842ae59cb1b6ab47eb8a93e7a
-
SSDEEP
12288:zZUvcU//JjlmM6WSFXJlirXraVnOkul3MvXq1BR:z5aJ8M6TLSXu0kuZMvXQR
Malware Config
Extracted
lokibot
http://webxpo.ga/luky/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Signatures
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Executes dropped EXE 1 IoCs
pid Process 2596 liys.exe -
Loads dropped DLL 2 IoCs
pid Process 2596 liys.exe 2596 liys.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook cmd.exe Key opened \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook cmd.exe Key opened \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook cmd.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WIRE1x (2.5.1) = "\\WIRE1x_2_5_1.exe" liys.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\win.ini liys.exe -
pid Process 2316 powershell.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language liys.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 2316 powershell.exe 2596 liys.exe 2596 liys.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 2596 liys.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2316 powershell.exe Token: SeDebugPrivilege 24996 cmd.exe -
Suspicious use of WriteProcessMemory 38 IoCs
description pid Process procid_target PID 2316 wrote to memory of 2596 2316 powershell.exe 31 PID 2316 wrote to memory of 2596 2316 powershell.exe 31 PID 2316 wrote to memory of 2596 2316 powershell.exe 31 PID 2316 wrote to memory of 2596 2316 powershell.exe 31 PID 2596 wrote to memory of 24996 2596 liys.exe 32 PID 2596 wrote to memory of 24996 2596 liys.exe 32 PID 2596 wrote to memory of 24996 2596 liys.exe 32 PID 2596 wrote to memory of 24996 2596 liys.exe 32 PID 2596 wrote to memory of 24996 2596 liys.exe 32 PID 2596 wrote to memory of 24996 2596 liys.exe 32 PID 2596 wrote to memory of 24996 2596 liys.exe 32 PID 2596 wrote to memory of 24996 2596 liys.exe 32 PID 2596 wrote to memory of 24996 2596 liys.exe 32 PID 2596 wrote to memory of 24996 2596 liys.exe 32 PID 2596 wrote to memory of 24996 2596 liys.exe 32 PID 2596 wrote to memory of 24996 2596 liys.exe 32 PID 2596 wrote to memory of 24996 2596 liys.exe 32 PID 2596 wrote to memory of 24996 2596 liys.exe 32 PID 2596 wrote to memory of 24996 2596 liys.exe 32 PID 2596 wrote to memory of 24996 2596 liys.exe 32 PID 2596 wrote to memory of 24996 2596 liys.exe 32 PID 2596 wrote to memory of 24996 2596 liys.exe 32 PID 2596 wrote to memory of 24996 2596 liys.exe 32 PID 2596 wrote to memory of 24996 2596 liys.exe 32 PID 2596 wrote to memory of 24996 2596 liys.exe 32 PID 2596 wrote to memory of 24996 2596 liys.exe 32 PID 2596 wrote to memory of 24996 2596 liys.exe 32 PID 2596 wrote to memory of 24996 2596 liys.exe 32 PID 2596 wrote to memory of 24996 2596 liys.exe 32 PID 2596 wrote to memory of 24996 2596 liys.exe 32 PID 2596 wrote to memory of 24996 2596 liys.exe 32 PID 2596 wrote to memory of 24996 2596 liys.exe 32 PID 2596 wrote to memory of 24996 2596 liys.exe 32 PID 2596 wrote to memory of 24996 2596 liys.exe 32 PID 2596 wrote to memory of 24996 2596 liys.exe 32 PID 2596 wrote to memory of 24996 2596 liys.exe 32 PID 2596 wrote to memory of 24996 2596 liys.exe 32 PID 2596 wrote to memory of 24996 2596 liys.exe 32 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook cmd.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook cmd.exe
Processes
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\d6d930833f8f2ede9362a09329e7f4ac_JaffaCakes118.ps11⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2316 -
C:\Users\Public\liys.exe"C:\Users\Public\liys.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2596 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe"3⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:24996
-
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3063565911-2056067323-3330884624-1000\0f5007522459c86e95ffcc62f32308f1_de87a6d6-9d44-4942-9ec6-2be31b435411
Filesize46B
MD5d898504a722bff1524134c6ab6a5eaa5
SHA1e0fdc90c2ca2a0219c99d2758e68c18875a3e11e
SHA256878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9
SHA51226a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61
-
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3063565911-2056067323-3330884624-1000\0f5007522459c86e95ffcc62f32308f1_de87a6d6-9d44-4942-9ec6-2be31b435411
Filesize46B
MD5c07225d4e7d01d31042965f048728a0a
SHA169d70b340fd9f44c89adb9a2278df84faa9906b7
SHA2568c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a
SHA51223d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b
-
Filesize
331KB
MD576fea88e7cc12f4804be22b43d3f5a37
SHA12ad73e1ca4841ff3662e096823fd27b207f8c426
SHA25655091223ddb1dc68ac04838e9af589698b467936cd85f138beb4ebfee0f4d5b9
SHA512e2c90897bca3378adc1963437dfaa436c3d27e0dddba95106d931d1f85c02f5a92511027083d3db2bda8de868f52215366c5c0c80939b7f3d6ca08e9366d2477
-
Filesize
517B
MD5893cae59ab5945a94a7da007d47a1255
SHA1d4cfd81c6647ca64022bd307c08a7fb4bbbd4c06
SHA256edfa0f2d3bea9f737e0315971c6f81d3d8e7d460b60a19351ada0316a093c938
SHA512d66e454781f54f45df814ad32d687b0f100578c2a4ffca62de81add04281fb881a550702bd2d058933d3736d14e88624af268a86ce24b0c3935242b206ffdcc9
-
Filesize
12KB
MD50d7ad4f45dc6f5aa87f606d0331c6901
SHA148df0911f0484cbe2a8cdd5362140b63c41ee457
SHA2563eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca
SHA512c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9
-
Filesize
15KB
MD597118f2a22b8c2491e1e6742eb1814dc
SHA1b0565442c5e5439345d8f091de17fb09d3b8e730
SHA2564137be35eb69654f4bc1204c92a4b0a3f4948bbbd2db5dd0fbbdadb6972f4214
SHA512812f6989d393ee8e873bda8236540a9e460a9af27576b3485cbefc2100f8a0eee4be40b9976c13a84a763d4e2f42e091e673041acb4070dae6688781fe52cda1