Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    147s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    11/09/2024, 05:18

General

  • Target

    d9af5dd07a77a24d5499164aed22dc0a_JaffaCakes118.exe

  • Size

    345KB

  • MD5

    d9af5dd07a77a24d5499164aed22dc0a

  • SHA1

    36aeb648e254ff72689ef8c95ab5851f95c8a73e

  • SHA256

    5113f7698c80f8183b0fd72ff91adeed308b93937fc9ca9aefb8d7f878569fd3

  • SHA512

    29328a3081a6939d370ae5d039490a3637b24d7c8f7420fa0d7e5f33d31b60fdbea2286d42580ba40b5a8d05c962616b59765b7ad4fe82bde340d9c11a90a1e7

  • SSDEEP

    6144:S58/+dBOIfjkkODm7aNXcdVcUdc+1znmBDFV1ZE3furMpN0tKPo3/3Y:NkOYLODm7aZc1dnzngTZ2u0xPy/o

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

ik

Decoy

Signatures

  • Formbook

    Formbook is an information-stealing malware family.

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, a web browser credential store.

  • Formbook payload 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim host in order to infer its geographical location.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 28 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1200
    • C:\Users\Admin\AppData\Local\Temp\d9af5dd07a77a24d5499164aed22dc0a_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\d9af5dd07a77a24d5499164aed22dc0a_JaffaCakes118.exe"
      2⤵
      • Loads dropped DLL
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:2632
      • C:\Windows\SysWOW64\nslookup.exe
        "C:\Windows\system32\nslookup.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:89192
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2632 -s 600
        3⤵
        • Program crash
        PID:89204
    • C:\Windows\SysWOW64\svchost.exe
      "C:\Windows\SysWOW64\svchost.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:89292
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Windows\SysWOW64\nslookup.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:89344

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\46O9O6BE\46Ologim.jpeg

    Filesize

    87KB

    MD5

    68c01bc47d1045c9e8dda48a10ec7b51

    SHA1

    3a207ceabee302c6ad8c7420afceb375acb7a52d

    SHA256

    c02302d396b58a3fd040d7a9ca77707bc294c2565a09e544853e64506c6a4eed

    SHA512

    75d2fbdb18c69d293609bc175eb4fd883f05530705bfac9f15101edc1d5458e0d134d473530d2db263ee2da524570c695d70e7961cec9dd751b02562c18ed539

  • C:\Users\Admin\AppData\Roaming\46O9O6BE\46Ologri.ini

    Filesize

    40B

    MD5

    d63a82e5d81e02e399090af26db0b9cb

    SHA1

    91d0014c8f54743bba141fd60c9d963f869d76c9

    SHA256

    eaece2eba6310253249603033c744dd5914089b0bb26bde6685ec9813611baae

    SHA512

    38afb05016d8f3c69d246321573997aaac8a51c34e61749a02bf5e8b2b56b94d9544d65801511044e1495906a86dc2100f2e20ff4fcbed09e01904cc780fdbad

  • C:\Users\Admin\AppData\Roaming\46O9O6BE\46Ologrv.ini

    Filesize

    40B

    MD5

    ba3b6bc807d4f76794c4b81b09bb9ba5

    SHA1

    24cb89501f0212ff3095ecc0aba97dd563718fb1

    SHA256

    6eebf968962745b2e9de2ca969af7c424916d4e3fe3cc0bb9b3d414abfce9507

    SHA512

    ecd07e601fc9e3cfc39addd7bd6f3d7f7ff3253afb40bf536e9eaac5a4c243e5ec40fbfd7b216cb0ea29f2517419601e335e33ba19dea4a46f65e38694d465bf

  • C:\Windows\win.ini

    Filesize

    517B

    MD5

    893cae59ab5945a94a7da007d47a1255

    SHA1

    d4cfd81c6647ca64022bd307c08a7fb4bbbd4c06

    SHA256

    edfa0f2d3bea9f737e0315971c6f81d3d8e7d460b60a19351ada0316a093c938

    SHA512

    d66e454781f54f45df814ad32d687b0f100578c2a4ffca62de81add04281fb881a550702bd2d058933d3736d14e88624af268a86ce24b0c3935242b206ffdcc9

  • \Users\Admin\AppData\Local\Temp\coffer.dll

    Filesize

    34KB

    MD5

    9efcdaec062823e9749250da225dfe4d

    SHA1

    1d6209a71c061729683ce81890f2d8c0c02c6e05

    SHA256

    04904de1d15bb931cf85eadb7714bd53f7236de0fbc1f62c22aafb3470ff847c

    SHA512

    b7faee0a4c769ee39fc11fe20c6ec362b6802e9fd7f81d8a495f1423263af8074cf995c1ff8d964680c10c3026e69ddb66e749b9b29784309502d805673a720a

  • \Users\Admin\AppData\Local\Temp\nsjDBC1.tmp\Splash.dll

    Filesize

    4KB

    MD5

    3f35f73787f0c3bb5e59445fb18ade0d

    SHA1

    f1566faff96c3988cfc28dc7d433094b6348cdbf

    SHA256

    5570969d22a33c23b60c5f5536f781219e458a869b77b8dde4a94cc124ee4de6

    SHA512

    45c42ea95f53a3b8a3fd74bd55ad6f0b3f2b91dd969104de845fd819fe307dec2b4d472bee45554500b0c51052ee82ac98196e894af806edf67a947328474e57

  • \Users\Admin\AppData\Local\Temp\nsjDBC1.tmp\System.dll

    Filesize

    11KB

    MD5

    fbe295e5a1acfbd0a6271898f885fe6a

    SHA1

    d6d205922e61635472efb13c2bb92c9ac6cb96da

    SHA256

    a1390a78533c47e55cc364e97af431117126d04a7faed49390210ea3e89dd0e1

    SHA512

    2cb596971e504eaf1ce8e3f09719ebfb3f6234cea5ca7b0d33ec7500832ff4b97ec2bbe15a1fbf7e6a5b02c59db824092b9562cd8991f4d027feab6fd3177b06

  • memory/1200-100042-0x0000000004CA0000-0x0000000004D7B000-memory.dmp

    Filesize

    876KB

  • memory/1200-100039-0x00000000000A0000-0x00000000001A0000-memory.dmp

    Filesize

    1024KB

  • memory/1200-100054-0x0000000004E10000-0x0000000004EBE000-memory.dmp

    Filesize

    696KB

  • memory/1200-100052-0x0000000004E10000-0x0000000004EBE000-memory.dmp

    Filesize

    696KB

  • memory/1200-100051-0x0000000004E10000-0x0000000004EBE000-memory.dmp

    Filesize

    696KB

  • memory/1200-100046-0x0000000004CA0000-0x0000000004D7B000-memory.dmp

    Filesize

    876KB

  • memory/2632-100034-0x0000000000480000-0x0000000000489000-memory.dmp

    Filesize

    36KB

  • memory/2632-100033-0x0000000077C60000-0x0000000077E09000-memory.dmp

    Filesize

    1.7MB

  • memory/2632-26-0x00000000003F0000-0x00000000003F7000-memory.dmp

    Filesize

    28KB

  • memory/2632-25-0x00000000003E0000-0x00000000003E1000-memory.dmp

    Filesize

    4KB

  • memory/2632-23-0x00000000003D0000-0x00000000003D1000-memory.dmp

    Filesize

    4KB

  • memory/89192-100040-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/89192-100041-0x00000000001A0000-0x00000000001B4000-memory.dmp

    Filesize

    80KB

  • memory/89192-100043-0x0000000000090000-0x0000000000095000-memory.dmp

    Filesize

    20KB

  • memory/89192-100037-0x00000000008C0000-0x0000000000BC3000-memory.dmp

    Filesize

    3.0MB

  • memory/89192-100036-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/89192-100035-0x0000000000090000-0x0000000000095000-memory.dmp

    Filesize

    20KB

  • memory/89292-100045-0x0000000000DA0000-0x0000000000DA8000-memory.dmp

    Filesize

    32KB

  • memory/89292-100044-0x0000000000DA0000-0x0000000000DA8000-memory.dmp

    Filesize

    32KB