Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    14/09/2024, 23:36

General

  • Target

    e143087e244e6bced278e4a16f9f1445_JaffaCakes118.exe

  • Size

    841KB

  • MD5

    e143087e244e6bced278e4a16f9f1445

  • SHA1

    70c17b71957e185cd09181ac0a317135e7a797db

  • SHA256

    fca7ad5c5619d248df1b82d1dc8fdc61682ea89192ce61dff70c6e3621032988

  • SHA512

    cf47d36d1e673065066f1184c4457b157b3c7c37425e59be0726f250de4b3afac85522ab1f2154b6043d32c985bffa77ac7b1aba2e46acf4e3d0ea3d147b59ef

  • SSDEEP

    24576:Y1ckvnJDH7oH1haz/5qgxuLh62tLqazx5QwLzyUSSykQ59aIkPTr:Y1vvJz8H1hU/5qgQ62Bqad5g0yksxkrr

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

  • Modifies security service 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Pony, Fareit

    Pony is a Remote Access Trojan application that steals information.

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, a web browser credential store.

  • ModiLoader Second Stage 9 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Disables taskbar notifications via registry modification
  • Deletes itself 1 IoCs
  • Executes dropped EXE 13 IoCs
  • Loads dropped DLL 17 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 16 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steals credentials from unsecured files.

  • Adds Run key to start application 2 TTPs 53 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops desktop.ini file(s) 2 IoCs
  • Maps connected drives based on registry 3 TTPs 4 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 23 IoCs
  • Suspicious use of FindShellTrayWindow 28 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 2 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\csrss.exe
    %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
    1⤵
    • Executes dropped EXE
    • Drops desktop.ini file(s)
    • Suspicious use of UnmapMainImage
    PID:332
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs
    1⤵
    PID:856
    • C:\Users\Admin\AppData\Local\Temp\e143087e244e6bced278e4a16f9f1445_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\e143087e244e6bced278e4a16f9f1445_JaffaCakes118.exe"
      1⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2252
      • C:\Users\Admin\AppData\Local\Temp\e143087e244e6bced278e4a16f9f1445_JaffaCakes118.exe
        e143087e244e6bced278e4a16f9f1445_JaffaCakes118.exe
        2⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1160
        • C:\Users\Admin\miGRu6Gcu2.exe
          C:\Users\Admin\miGRu6Gcu2.exe
          3⤵
          • Modifies visibility of hidden/system files in Explorer
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2724
          • C:\Users\Admin\kajek.exe
            "C:\Users\Admin\kajek.exe"
            4⤵
            • Modifies visibility of hidden/system files in Explorer
            • Executes dropped EXE
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of SetWindowsHookEx
            PID:2264
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c tasklist&&del miGRu6Gcu2.exe
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2596
            • C:\Windows\SysWOW64\tasklist.exe
              tasklist
              5⤵
              • Enumerates processes with tasklist
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              PID:2748
        • C:\Users\Admin\alhost.exe
          C:\Users\Admin\alhost.exe
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2616
          • C:\Users\Admin\alhost.exe
            alhost.exe
            4⤵
            • Executes dropped EXE
            • Maps connected drives based on registry
            • Suspicious behavior: EnumeratesProcesses
            PID:1720
        • C:\Users\Admin\blhost.exe
          C:\Users\Admin\blhost.exe
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1700
          • C:\Users\Admin\blhost.exe
            blhost.exe
            4⤵
            • Executes dropped EXE
            • Maps connected drives based on registry
            • Suspicious behavior: EnumeratesProcesses
            PID:2284
        • C:\Users\Admin\clhost.exe
          C:\Users\Admin\clhost.exe
          3⤵
          • Modifies security service
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:1540
          • C:\Users\Admin\clhost.exe
            C:\Users\Admin\clhost.exe startC:\Users\Admin\AppData\Roaming\DBFBB\93024.exe%C:\Users\Admin\AppData\Roaming\DBFBB
            4⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:1644
          • C:\Users\Admin\clhost.exe
            C:\Users\Admin\clhost.exe startC:\Program Files (x86)\BB655\lvvm.exe%C:\Program Files (x86)\BB655
            4⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:1940
          • C:\Program Files (x86)\LP\24FD\9B94.tmp
            "C:\Program Files (x86)\LP\24FD\9B94.tmp"
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            PID:2872
        • C:\Users\Admin\dlhost.exe
          C:\Users\Admin\dlhost.exe
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:1964
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:1652
        • C:\Users\Admin\elhost.exe
          C:\Users\Admin\elhost.exe
          3⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:1648
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c tasklist&&del e143087e244e6bced278e4a16f9f1445_JaffaCakes118.exe
          3⤵
          • Deletes itself
          • System Location Discovery: System Language Discovery
          PID:2240
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist
            4⤵
            • Enumerates processes with tasklist
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:2868
    • C:\Windows\system32\msiexec.exe
      C:\Windows\system32\msiexec.exe /V
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2132
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2616
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x5c8
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1324

    Network

    MITRE ATT&CK Enterprise v15

    Downloads
