Analysis

  • max time kernel
    150s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    13/09/2024, 18:29

General

  • Target

    dea93f1cf0308015e42e51b05ef13bd4_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    dea93f1cf0308015e42e51b05ef13bd4

  • SHA1

    ef049f6085dbac0812ac290c8ecebdea689302e6

  • SHA256

    403bb8f98bf5d3a930330989a8e283738f64e6977d53697789a87f89db8acc37

  • SHA512

    ba0e3ba096083a7202181504ec1fcaf7b3c11f9d071d9021a051e9c200b7d17aecb1e1a8be4f86b3794534bddd96ce2a77c0ffd1fc991cb68ab69f709326a5c2

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj60:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5/

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 7 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies registry class 19 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dea93f1cf0308015e42e51b05ef13bd4_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\dea93f1cf0308015e42e51b05ef13bd4_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2316
    • C:\Windows\SysWOW64\fpwiaaytbq.exe
      fpwiaaytbq.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:588
      • C:\Windows\SysWOW64\icloyufl.exe
        C:\Windows\system32\icloyufl.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2884
    • C:\Windows\SysWOW64\trsbixxhbjawcnj.exe
      trsbixxhbjawcnj.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2424
    • C:\Windows\SysWOW64\icloyufl.exe
      icloyufl.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2728
    • C:\Windows\SysWOW64\sczeojbjsotzz.exe
      sczeojbjsotzz.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2840
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2364
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
        PID:2320

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe

      Filesize

      512KB

      MD5

      7cd334ea6e7c169c170377bb37f7621c

      SHA1

      8d6b581bec462ec25139dbbaa86edeaa8d968bd7

      SHA256

      b3878c8d4662b2d7854646f94c1b0727e77eab3f665f6b1342dc28446d765b04

      SHA512

      0c3eb9c85287931860da7e066adff40303eb4e61e0ffef268b52f677e4d3a8df0b99500c0802db343f80e5260e3879bccc8353e56742e9044d4a8331d0960efa

    • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

      Filesize

      512KB

      MD5

      b2f589ff61ddf905b8c22d055862bd6c

      SHA1

      239788bfd057f9fc0c6c90360df244252053b3c1

      SHA256

      22f3dd57f9aba03801c960aba9d071505b867afae989c55905660ee79cfa5df7

      SHA512

      3be5033792fec5ca661ebdab9750382175ccc1994c2a23f4e55ed7694add59b7df570432b9592a40012be0289d3930f3512e7562c0f99d4f69f9b1236c7e2cee

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

      Filesize

      19KB

      MD5

      514b32e3f5c738d1a0b14ce643cd957f

      SHA1

      c2007424c4d102420a8797069c15ef8c3269219a

      SHA256

      9a15ffa100a846ce8d4e4885434fc8bfd60122b9bc7091abc647e68a84550956

      SHA512

      2c59c54f115bf51c125d4f12a118c332d7ed976cd3b1a4ba4bbec13fee22a7868370c2702194e3b2f3edf5008bde8d3558e7fc7a7aff5262eb73dd7dbf346c23

    • C:\Windows\SysWOW64\icloyufl.exe

      Filesize

      512KB

      MD5

      ed69112d3f603dca52fab1666d811e56

      SHA1

      b6235ee01cf6fe51a5b2eb1398fbf31cc718317e

      SHA256

      704957c7915bdc43a9f2cb684d59f6f40923f97ebf6b19f577528d4f58bdd367

      SHA512

      62f37cc7fb66921e3ef450966490829c3e2e7b6d39e84ed89737384dd9dd8cac1a00d8f4431d858a775c0c6fbd1d086e464dc3988373b80523e35e31f411f0a5

    • C:\Windows\SysWOW64\trsbixxhbjawcnj.exe

      Filesize

      512KB

      MD5

      88d019930b9d87958fcee31e860eceb9

      SHA1

      5f2d07e28f8f18985a723f3d19599f12c55ff385

      SHA256

      7408a74fdacb650951ca500a640a35b3f852df6b9aa4a880bce75c8a062b87e1

      SHA512

      76db772acd77676f65be83d4864a40b8674156f38822ef0e76558effbf4f8281b672f632da49e9e28aaf35a442909bdaa51f0189711c46e480f838edf3a3d05a

    • C:\Windows\mydoc.rtf

      Filesize

      223B

      MD5

      06604e5941c126e2e7be02c5cd9f62ec

      SHA1

      4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

      SHA256

      85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

      SHA512

      803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

    • \Windows\SysWOW64\fpwiaaytbq.exe

      Filesize

      512KB

      MD5

      abf9f7235c4daf3fe2077f05b1d49eb4

      SHA1

      6b03fc0344cbe1702eca0ebef2f7450ed38d24d3

      SHA256

      b832361dc310d5c4926484841ab65d991fe808c77a7c9850821e55d08461589e

      SHA512

      d643133a4e73898971abd5b15b8c382856136e6fd4c5f15fd13b8ff957a160516c9a09d7de0814394e7a8dbd542cfe2e118af18f50be7ca17e870d38de179f91

    • \Windows\SysWOW64\sczeojbjsotzz.exe

      Filesize

      512KB

      MD5

      bea69679df697fe4667366b913d2dd3f

      SHA1

      03efe4a4f8d7b66cbee875f9736e4be46c3deacb

      SHA256

      850c3aa9740384b056439c2a0fd1eac6cda0d46385e8c494973d474d9d293576

      SHA512

      da38cd837b3eda9772e7b9046c3f614371c2f315aad7717841b976619b64b5709f4fb471552e272c6bf3c6241fafd8720f979143ea6a8687d819de4121e5d0c6

    • memory/2316-0-0x0000000000400000-0x0000000000496000-memory.dmp

      Filesize

      600KB

    • memory/2364-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2364-97-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB