Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    16s
  • max time network
    16s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12/09/2024, 18:10

Errors

Reason
Machine shutdown

General

  • Target

    dcc6b52d7842b93ca9ca99adb1bb6aca_JaffaCakes118.msi

  • Size

    7.1MB

  • MD5

    dcc6b52d7842b93ca9ca99adb1bb6aca

  • SHA1

    61b6684ecc133f98e62226838177fbb867211385

  • SHA256

    b4420920593ccd0a26d9a99b8a8d027a1232a09148b074a983bfa1e850dd3ff2

  • SHA512

    2f13eda67d438cb3e13fb47a83a1bcc2ecccdac640dc9646ef0462d311e56c27544bfe7ce1fb324eec93611d01b9fc38c43cad824712bb25a970b29b4b9fb425

  • SSDEEP

    196608:DL4WstqqyuOsO/4MhiLX3HUP8zNvvn21IKXKlyOzw:DkWfHuOsOgMhij3dzhenVT

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in System32 directory 5 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 3 IoCs
  • Drops file in Windows directory 14 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 64 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 34 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • NSIS installer 2 IoCs
  • Modifies data under HKEY_USERS 15 IoCs
  • Runs .reg file with regedit 1 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 53 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\dcc6b52d7842b93ca9ca99adb1bb6aca_JaffaCakes118.msi
    1⤵
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:4728
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4596
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 0A67B6F53A3639C5C766B1E2569893F0
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3308
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\SysWOW64\netsh.exe" ipsec static add policy name=qianye
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:3576
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\SysWOW64\netsh.exe" ipsec static add filterlist name=Filter1
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:3156
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:2132
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:4136
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:1416
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=UDP
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:1160
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=UDP
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:3212
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=UDP
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:4256
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=2222 protocol=TCP
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:1100
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=3333 protocol=TCP
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:5040
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=4444 protocol=TCP
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:716
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=5555 protocol=TCP
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:1240
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=6666 protocol=TCP
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:876
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=7777 protocol=TCP
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:1300
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=8443 protocol=TCP
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:3436
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=8888 protocol=TCP
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:1224
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=9000 protocol=TCP
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:2316
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=9999 protocol=TCP
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:4332
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=14443 protocol=TCP
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:3228
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=14444 protocol=TCP
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:4152
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\SysWOW64\netsh.exe" ipsec static add filteraction name=FilteraAtion1 action=block
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:1648
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\SysWOW64\netsh.exe" ipsec static add rule name=Rule1 policy=qianye filterlist=Filter1 filteraction=FilteraAtion1
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:4564
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\SysWOW64\netsh.exe" ipsec static set policy name=qianye assign=y
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:2376
    • C:\Windows\Installer\MSI8989.tmp
      "C:\Windows\Installer\MSI8989.tmp" /HideWindow "C:\Msupdate\service.bat"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1224
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Msupdate\service.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2520
        • \??\c:\Msupdate\instsrv.exe
          c:\Msupdate\instsrv.exe Msupdate c:\Msupdate\srvany.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:984
        • C:\Windows\SysWOW64\regedit.exe
          regedit /s 1.reg
          4⤵
          • System Location Discovery: System Language Discovery
          • Runs .reg file with regedit
          PID:716
        • C:\Msupdate\update.exe
          update.exe /S
          4⤵
          • Drops file in Drivers directory
          • Drops file in System32 directory
          • Drops file in Program Files directory
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4080
          • C:\Windows\SysWOW64\net.exe
            net stop npf
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:404
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop npf
              6⤵
              • System Location Discovery: System Language Discovery
              PID:876
          • C:\Windows\SysWOW64\net.exe
            net start npf
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:540
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 start npf
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2632
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x4 /state0:0xa394c855 /state1:0x41c64e6d
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:4904

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Config.Msi\e578475.rbs

    Filesize

    13KB

    MD5

    714b3f24cca1309cf1a2527128560a24

    SHA1

    e5b8557056dbeb6b68535a5d25bf2e7027dfaf7f

    SHA256

    93f84d718573d612cd18a927f7ad8c4d27adb409309464f1685110922ec2be31

    SHA512

    85659b263282fcfa31d5b91be6331ee7dc2a9409abe69a4d94b27f803a1da16c5f200fd5fe318013a7083067e7118a57f42ae6ad8b3fe2c9f32cceb17f755572

  • C:\Msupdate\1.reg

    Filesize

    416B

    MD5

    8dacf3ded9159fb1f5b065215e1fd8aa

    SHA1

    0c43e91b996ca72b75a02de3f85a695ded7a4a5e

    SHA256

    1d5766733fdbeb1ecd8ddc4c49634d96024398621a55f3de9d20dbdc9f3c24c5

    SHA512

    a682ce938d8ecb78fd93e085c35f868968ad9e94b571fcf4de3c007314dfa5495304e31f643f8f3df2f553dadd6cc65f932479103c7570c4ba9939839d6eb0c6

  • C:\Msupdate\instsrv.exe

    Filesize

    31KB

    MD5

    9f7acaad365af0d1a3cd9261e3208b9b

    SHA1

    b4c7049562e770093e707ac1329cb37ad6313a37

    SHA256

    f7b0a444b590eb8a6b46cedf544bcb3117c85cab02b599b45d61b8a590095c9c

    SHA512

    6847bb10cf08f7e594907b5d160768e60468b14a62cdd87ad33dcc0bc2b523549c1c91e9854069ca11ee074e43a6f41f11351201626922c02aaea41fd32c2a54

  • C:\Msupdate\service.bat

    Filesize

    88B

    MD5

    b10428f1774d2caa81092891a980f9e7

    SHA1

    6fb6df8cb4d293c0e0264c83d97f016fbb0da926

    SHA256

    884abdf05624ab4d76db2e35720014a616378d299a8c64ab3743d9320258886c

    SHA512

    9412ac38e876f9232172c6ff6d890dd0c2d1258126bf712602a9e5795ed52aadebad113fc0b985557b615f6305b704ce19bb3440942ee02f56b06793cb4ee105

  • C:\Msupdate\update.exe

    Filesize

    422KB

    MD5

    c6f1d4a6cccd04e4b15a96942372d5f7

    SHA1

    2f79839fe5cb740f21b29dae3181f43c1ae9de9c

    SHA256

    89b74dc79f229b0488bf43b552da9f84864a6a38c11039898e4f9d854411a26e

    SHA512

    1ce87f5b4b0897a6a4cd4d9a58548db47d335eba860714598b297a939e476edc6a8b3e597b71ee92e655857c2320f5812e375da4d67d503e70623f6828eb2119

  • C:\Users\Admin\AppData\Local\Temp\nsw8B3A.tmp\System.dll

    Filesize

    11KB

    MD5

    00a0194c20ee912257df53bfe258ee4a

    SHA1

    d7b4e319bc5119024690dc8230b9cc919b1b86b2

    SHA256

    dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3

    SHA512

    3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

  • C:\Users\Admin\AppData\Local\Temp\nsw8B3A.tmp\nsExec.dll

    Filesize

    6KB

    MD5

    e54eb27fb5048964e8d1ec7a1f72334b

    SHA1

    2b76d7aedafd724de96532b00fbc6c7c370e4609

    SHA256

    ff00f5f7b8d6ca6a79aebd08f9625a5579affcd09f3a25fdf728a7942527a824

    SHA512

    c9ddd19484a6218f926295a88f8776aff6c0a98565714290485f9b3b53e7b673724946defed0207064d6ab0b1baa7cb3477952f61dbe22947238d3f5802fa4f4

  • C:\Windows\Installer\MSI84C0.tmp

    Filesize

    243KB

    MD5

    aaab8d3f7e9e8f143a17a0d15a1d1715

    SHA1

    8aca4e362e4cdc68c2f8f8f35f200126716f9c74

    SHA256

    fd3d6c50c3524063f7c28f815838e0fb06fd4ebff094e7b88902334abd463889

    SHA512

    1999224f57cd453d5d4d7d678144e0b719290ae925bb3574ce28ae787dc406a6b3df8e44475b12b9cdc0ff43d2979f626f08291304c66cdca536cd1897715c9a

  • C:\Windows\Installer\MSI8679.tmp

    Filesize

    380KB

    MD5

    3eb31b9a689d506f3b1d3738d28ab640

    SHA1

    1681fe3bbdcbe617a034b092ea77249dd4c3e986

    SHA256

    3a7d9cdd6be9ce0e4d01e9894242b497536336bf1850fb0a814a369c8a189c46

    SHA512

    2598e39f4fd139775bbb040218af802db722d4dca99a4230edfde282362b433c5e30c15d5385063aa76bff916031b0e43586ef05d2ada4edc3c1410371b98e09

  • C:\Windows\Installer\MSI8989.tmp

    Filesize

    17KB

    MD5

    73c578ca2383a2e7f4687cdee410aefe

    SHA1

    431b7de3091245b3affbf1911da17a6964b813dc

    SHA256

    67fdafaf7c115fab48e50b3031f8b7f599770ca333321ded1dcb24db06fe6db1

    SHA512

    915d88ec68e061c880f319345a4e5d709b4e789b5cc3c6a1c84fd83cc95fe765ef7324a722abf8935f2f8567bffbb3ede9e78fb4baa3f004118959f7ae7f43dd

  • \??\c:\Msupdate\srvany.exe

    Filesize

    8KB

    MD5

    4635935fc972c582632bf45c26bfcb0e

    SHA1

    7c5329229042535fe56e74f1f246c6da8cea3be8

    SHA256

    abd4afd71b3c2bd3f741bbe3cec52c4fa63ac78d353101d2e7dc4de2725d1ca1

    SHA512

    167503133b5a0ebd9f8b2971bca120e902497eb21542d6a1f94e52ae8e5b6bde1e4cae1a2c905870a00d772e0df35f808701e2cfbd26dcbb130a5573fa590060