Analysis

  • max time kernel
    150s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    15/09/2024, 06:26

General

  • Target

    e1e2a51f4bed9b584bccb521b199bac8_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    e1e2a51f4bed9b584bccb521b199bac8

  • SHA1

    6e78985940248bf47418ea617a406502b7d58be1

  • SHA256

    82a9956c3cdc8007b2d8c4b3ce009501df7f6089b8d8efe7df19bca4d176bfa9

  • SHA512

    decac079fc0743936c244d91126fde8eeed721ef394253e928285274e8b8b03e04df35f1e0669f2e34b86696d87d6afe4eccba662f4a14dde579ebdaa57a8c09

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6M:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5N

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 10 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 12 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 19 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
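
The signatures above describe registry state rather than show it. The following is an added host triage script (not part of the tria.ge report and not the sample's code) that reads the keys those signatures normally refer to and reports the ones that sit in the state the sample wants. Key paths are the standard Windows locations; which Defender policy values the "Windows security bypass / modification" signatures cover is an assumption. Note that HideFileExt=1, Hidden=2 and ShowSuperHidden=0 are also the Windows defaults, so those three findings mean "Explorer will render a dropped .doc.exe as .doc", not proof of modification; the Winlogon, DisableRegistryTools and Run checks are the ones that carry real signal.

```powershell
# Added example (not from the tria.ge report): check a host for the registry state
# the signatures above describe. Key paths are the standard Windows locations; the
# Defender policy keys are an assumption about what "Windows security bypass /
# modification" covers. Run from an elevated PowerShell prompt.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try   { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # key or value absent
}

function Test-SampleRegistryTampering {
    $findings = @()

    # "Modifies visibility of file extensions / hidden files in Explorer".
    # Caveat: HideFileExt=1, Hidden=2, ShowSuperHidden=0 are also the Windows
    # defaults, so read these as "Explorer is in the state the sample wants"
    # (a *.doc.exe drop displays as .doc), not as proof of modification.
    $adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    if ((Get-RegValue $adv 'HideFileExt') -eq 1)     { $findings += 'Explorer: file extensions hidden (HideFileExt=1)' }
    if ((Get-RegValue $adv 'Hidden') -eq 2)          { $findings += 'Explorer: hidden files not shown (Hidden=2)' }
    if ((Get-RegValue $adv 'ShowSuperHidden') -eq 0) { $findings += 'Explorer: protected OS files not shown (ShowSuperHidden=0)' }

    foreach ($hive in 'HKCU', 'HKLM') {
        # "Disables RegEdit via registry modification" (absent on a default install)
        $pol = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Policies\System"
        if ((Get-RegValue $pol 'DisableRegistryTools') -ge 1) {
            $findings += "$hive DisableRegistryTools set (regedit blocked)"
        }
        # "Adds Run key to start application": flag entries launching from the
        # directories this sample drops into (SysWOW64, Temp, AppData)
        $run = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run"
        $props = Get-ItemProperty -Path $run -ErrorAction SilentlyContinue
        if ($props) {
            foreach ($p in $props.PSObject.Properties) {
                if ($p.Name -like 'PS*') { continue }   # provider metadata, not a Run entry
                if ("$($p.Value)" -match 'SysWOW64|\\Temp\\|AppData') {
                    $findings += "$hive Run\$($p.Name) = $($p.Value)"
                }
            }
        }
    }

    # "Modifies WinLogon": Shell and Userinit are the values that get hijacked
    $wl = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $shell = Get-RegValue $wl 'Shell'
    if ($shell -and $shell -ne 'explorer.exe') {
        $findings += "Winlogon\Shell = '$shell' (expected explorer.exe)"
    }
    $userinit = Get-RegValue $wl 'Userinit'
    if ($userinit -and $userinit -notmatch '^[A-Za-z]:\\Windows\\system32\\userinit\.exe,?$') {
        $findings += "Winlogon\Userinit = '$userinit' (expected <drive>:\Windows\system32\userinit.exe,)"
    }

    # "Windows security bypass / modification" (assumption: Defender policy keys)
    $def = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
    if ((Get-RegValue $def 'DisableAntiSpyware') -eq 1) {
        $findings += 'Defender policy: DisableAntiSpyware=1'
    }
    if ((Get-RegValue "$def\Real-Time Protection" 'DisableRealtimeMonitoring') -eq 1) {
        $findings += 'Defender policy: DisableRealtimeMonitoring=1'
    }

    return $findings
}

$hits = @(Test-SampleRegistryTampering)
if ($hits.Count -eq 0) { 'No indicators found' } else { $hits | ForEach-Object { "[!] $_" } }
```

A Winlogon Shell or Userinit pointing anywhere other than the stock values, or a Run entry under SysWOW64 with a random name like the ones in the process tree, is worth a memory acquisition before the box is cleaned.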

Processes

  • C:\Users\Admin\AppData\Local\Temp\e1e2a51f4bed9b584bccb521b199bac8_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\e1e2a51f4bed9b584bccb521b199bac8_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3892
    • C:\Windows\SysWOW64\qwjhzkqyzg.exe
      qwjhzkqyzg.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2212
      • C:\Windows\SysWOW64\tbgkhqzx.exe
        C:\Windows\system32\tbgkhqzx.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2148
    • C:\Windows\SysWOW64\nlvrbdhjuqrjzhv.exe
      nlvrbdhjuqrjzhv.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3432
    • C:\Windows\SysWOW64\tbgkhqzx.exe
      tbgkhqzx.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4692
    • C:\Windows\SysWOW64\mlljmzrddqcrb.exe
      mlljmzrddqcrb.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1648
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:5040

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe

    Filesize

    512KB

    MD5

    d04501e189da768a78efc56139a365fb

    SHA1

    b706471b893f7838d01369d69dfe0438833309a9

    SHA256

    99b5276c1fbb3bba4fd143497b1ff7d254354fa83e30e8e6f49b00d7296acbe1

    SHA512

    469159154fec4e657ea244f770eaa6e493b8a9d8dde90ee2f3efc91c51b286851ec129fe5da9884d5232b2a37744f8fc572075964521ce8b25d1332a7c6bf016

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

    Filesize

    512KB

    MD5

    d337e6850ad370df06c547f7739b461b

    SHA1

    ad777c21b68362fe91465904d96f750abc50c3f6

    SHA256

    c1c57bddf00d4c6109d234016aef357153f46d86558eb162557c9fa622b87ebd

    SHA512

    1ae959d1c584b20568a0fa0eaf933e0cec69ee016f1e5b7b2fde192547afc74bf62cd190e8300d675999f3f5259bce703d8c052f9810b626d6921309db37762a

  • C:\Users\Admin\AppData\Local\Temp\TCDAB02.tmp\sist02.xsl

    Filesize

    245KB

    MD5

    f883b260a8d67082ea895c14bf56dd56

    SHA1

    7954565c1f243d46ad3b1e2f1baf3281451fc14b

    SHA256

    ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

    SHA512

    d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

  • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

    Filesize

    237B

    MD5

    98f405bdd83704bea522267650c8baca

    SHA1

    35457a08ed810fbd2ee4b7b57cb06e4e2983c6ff

    SHA256

    3e2ec4bd749637305f314f6614ceb4875d36dd088ad2563749e80e5b85eebe9b

    SHA512

    f89a4aa23d959bc7203c0ad51a7b12435d0989c5d0d6e50fa614a72e8ccacfd46d9acc78aa892fff3ec3c207c9ac8b7a6a0e364e6b2ad7bae0ccec7cb893cb9f

  • C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

    Filesize

    16B

    MD5

    d29962abc88624befc0135579ae485ec

    SHA1

    e40a6458296ec6a2427bcb280572d023a9862b31

    SHA256

    a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866

    SHA512

    4311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

    Filesize

    674B

    MD5

    07d17060b3ae173acc7723025a2b4c20

    SHA1

    f9f6adbf4a2c4e3dd7fff645f855349688f4af62

    SHA256

    5afd33a5655308233bfe55803584448ba8ae854800a1e9eff3d9ab037b4f7e34

    SHA512

    170d56823d3fd121a024ac9e7ba3e647ad192def9faedfaf8619bf6c0ecff26e6024a5f89a23f69d3acab13305dac6603b940b744559b9f484115e14ed75a153

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

    Filesize

    1KB

    MD5

    a74d8896925c6c7a432424ff3b0f99fa

    SHA1

    4d21b44ccb7e37a11a98e85295fd6422bacd5a01

    SHA256

    55f059787d93a5e9eeb2fb80dcf81967e420afdbf86248e51b11c3959d6bc38d

    SHA512

    d7a73aaf252bba819de3ad885266dccc652f1f1cfc701ac082940983eba65a2ac852168bd5161a85997b58730b7c7d23d2cd38a1f5bfaa5214f72ecc01fc3c4e

  • C:\Users\Admin\Desktop\CheckpointPublish.doc.exe

    Filesize

    512KB

    MD5

    a9a2f0199009ba3943d4bbba537e574c

    SHA1

    17870bea50a4cae7aad3e142ab3c259458fa2f14

    SHA256

    f792753c1f0722523fbeb711d0254ca411d1a5a80818508460f8d486f3d15ca7

    SHA512

    b952cae321341a61a89126113cbf67b6ef5c89e9b2f2a22371a77637dd9444c1838b4d5f581c938652e8e26788de9cf2af24df219e26b6edecea7ff8c51d0e17

  • C:\Windows\SysWOW64\mlljmzrddqcrb.exe

    Filesize

    512KB

    MD5

    ef6cfe3bf3b79667215fd25a2520e5f7

    SHA1

    ebf8ce3720ce80730940414d9afd6d3726f48819

    SHA256

    e4ac2c75131de4d47b12f60c6807d580ca565354ea410128940234fb6b4b2c67

    SHA512

    7cbe083b4654f3df1a421b897bbc2fff718e98ae64c2978df797bdeda1c1ad6e4ed23d56313b5b479ef22cd523676b4f74f4ccc27437a40ef39a938db2df7e13

  • C:\Windows\SysWOW64\nlvrbdhjuqrjzhv.exe

    Filesize

    512KB

    MD5

    892b18cbcdc009986f531fce849e15ad

    SHA1

    ff8e453802dea129c71fff04acc1ea5140ea64a5

    SHA256

    ab12306ead29893aa5de3fcce8f6ada2aa8490d28963a867db2f2bec5bdcae5e

    SHA512

    c0e497e97e83c5841265da5d8c778d65e663fdc6af63fafeca3680e7bf5d1c184610a2317a6f2511b116104e01b5abb04da8197637ae0f0bc5934a84d2abe73e

  • C:\Windows\SysWOW64\qwjhzkqyzg.exe

    Filesize

    512KB

    MD5

    42a8f1b3325524b20b5442be02a06df0

    SHA1

    9eed8c6b62e701745d689578a2d9dbf2aafd47c3

    SHA256

    04c4615e98a048051940762281d9c4d2c1a5fe0033bb1c5e4e67623f540b63cc

    SHA512

    ea18282617d09bdf92cb6d54469c4b8d690d521eb6951acaa967151a406d39a87629e61cc6a1ee37c795be7595ff7402b605225567c1b53961e6b40e4868641c

  • C:\Windows\SysWOW64\tbgkhqzx.exe

    Filesize

    512KB

    MD5

    e51baaa7cd035172f1ae4e3e328212a1

    SHA1

    c92ce75ed89013199b325b270d894149dfad07c8

    SHA256

    e66d12b69c2a304cae79b7aa07e2d4c82c350b7c3fe5ba7f5e8edf2f848ee49e

    SHA512

    0d1591eb6abd8ffe63a7c5aabbd49dd8875fe52b65d8e37c1c330fae7b2887563dc475428c56a594c7bee1deea7059f687a060001aeecab9da0aa6de117a2876

  • C:\Windows\mydoc.rtf

    Filesize

    223B

    MD5

    06604e5941c126e2e7be02c5cd9f62ec

    SHA1

    4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

    SHA256

    85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

    SHA512

    803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

    Filesize

    512KB

    MD5

    ea7957ad34afdcb8804f7068b132783e

    SHA1

    3c723bb02b2bee0488e54688957d25a8632c7156

    SHA256

    996bb53b91a0a874f4f8afe07c6b39176c33072da0c4d1b8268cf630b51e3324

    SHA512

    28b1deb325246c5cb24e9d31dec2697e817aeb6c1ba1fab55c8c5b2b83a962dbfa30b3a74951a93a64e50b660812bd7bb2569198fcd42e15e5990a4db0d72368

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

    Filesize

    512KB

    MD5

    c58acfd12386943f5e5a48cc47fa5f2e

    SHA1

    68e02a5034e94c6835ce571b02c4993555bd370f

    SHA256

    eb76a7cd5d48d2179ed229453c09ff45ebee6db711a8872380364dc1d931f610

    SHA512

    1421432f7890340bb5de085ebb5a6936335a74e5fffbcaf629a9c5c254d72f58b253df34d7d57e4dc03cc4ab996e5bbf353a2d445466cdc9ca1fb37d082ba199

  • memory/3892-0-0x0000000000400000-0x0000000000496000-memory.dmp

    Filesize

    600KB

  • memory/5040-37-0x00007FFD5C430000-0x00007FFD5C440000-memory.dmp

    Filesize

    64KB

  • memory/5040-38-0x00007FFD5C430000-0x00007FFD5C440000-memory.dmp

    Filesize

    64KB

  • memory/5040-36-0x00007FFD5C430000-0x00007FFD5C440000-memory.dmp

    Filesize

    64KB

  • memory/5040-39-0x00007FFD5C430000-0x00007FFD5C440000-memory.dmp

    Filesize

    64KB

  • memory/5040-42-0x00007FFD59E10000-0x00007FFD59E20000-memory.dmp

    Filesize

    64KB

  • memory/5040-43-0x00007FFD59E10000-0x00007FFD59E20000-memory.dmp

    Filesize

    64KB

  • memory/5040-35-0x00007FFD5C430000-0x00007FFD5C440000-memory.dmp

    Filesize

    64KB

  • memory/5040-609-0x00007FFD5C430000-0x00007FFD5C440000-memory.dmp

    Filesize

    64KB

  • memory/5040-612-0x00007FFD5C430000-0x00007FFD5C440000-memory.dmp

    Filesize

    64KB

  • memory/5040-610-0x00007FFD5C430000-0x00007FFD5C440000-memory.dmp

    Filesize

    64KB

  • memory/5040-611-0x00007FFD5C430000-0x00007FFD5C440000-memory.dmp

    Filesize

    64KB
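
The Downloads list above shows two things a responder can sweep for on other hosts: copies of the executable written under SysWOW64 with random names, and existing .doc/.DOC files replaced by same-named `*.doc.exe` copies in Program Files, the Desktop and the MSDRM directory. The following is an added sweep script (not part of the tria.ge report and not the sample's code). The SHA256 values are copied from the report; the search roots, the double-extension pattern and the size window around the report's rounded "512KB" are assumptions.

```powershell
# Added example (not from the tria.ge report): sweep a host for the artifacts the
# Downloads section lists. SHA256 values are copied from the report; the search
# roots, extension pattern and size window are assumptions drawn from the paths shown.

$KnownSha256 = @(
    '82a9956c3cdc8007b2d8c4b3ce009501df7f6089b8d8efe7df19bca4d176bfa9',  # submitted sample
    '04c4615e98a048051940762281d9c4d2c1a5fe0033bb1c5e4e67623f540b63cc',  # SysWOW64\qwjhzkqyzg.exe
    'e66d12b69c2a304cae79b7aa07e2d4c82c350b7c3fe5ba7f5e8edf2f848ee49e',  # SysWOW64\tbgkhqzx.exe
    'ab12306ead29893aa5de3fcce8f6ada2aa8490d28963a867db2f2bec5bdcae5e',  # SysWOW64\nlvrbdhjuqrjzhv.exe
    'e4ac2c75131de4d47b12f60c6807d580ca565354ea410128940234fb6b4b2c67',  # SysWOW64\mlljmzrddqcrb.exe
    'f792753c1f0722523fbeb711d0254ca411d1a5a80818508460f8d486f3d15ca7',  # Desktop\CheckpointPublish.doc.exe
    '99b5276c1fbb3bba4fd143497b1ff7d254354fa83e30e8e6f49b00d7296acbe1',  # Office16\1033\PROTTPLN.DOC.exe
    'c1c57bddf00d4c6109d234016aef357153f46d86558eb162557c9fa622b87ebd'   # Office16\1033\PROTTPLV.DOC.exe
)

function Find-ReportArtifacts {
    param(
        # Assumed roots: where the report shows drops landing
        [string[]]$Roots = @("$env:SystemRoot\SysWOW64", "$env:ProgramFiles\Microsoft Office", "$env:USERPROFILE"),
        [string[]]$Sha256List = $KnownSha256
    )
    $known = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    foreach ($h in $Sha256List) { [void]$known.Add($h) }

    $results = @()
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        $files = Get-ChildItem -LiteralPath $root -Recurse -File -Filter '*.exe' -ErrorAction SilentlyContinue
        foreach ($f in $files) {
            $reasons = @()
            # The report shows .doc/.DOC files replaced by same-named *.doc.exe copies,
            # which Explorer renders as ".doc" when extensions are hidden
            if ($f.Name -match '\.(doc|docx|rtf)\.exe$') { $reasons += 'double extension' }
            # Every dropped copy in the report is listed as 512KB (rounded); hash files in
            # a window around that size plus every double-extension hit. Remove the size
            # test to hash everything under the roots.
            if ($reasons.Count -gt 0 -or ($f.Length -ge 500KB -and $f.Length -le 530KB)) {
                $hash = Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
                if ($hash -and $known.Contains($hash.Hash)) { $reasons += "known SHA256 $($hash.Hash)" }
            }
            if ($reasons.Count -gt 0) {
                $results += [pscustomobject]@{
                    Path    = $f.FullName
                    Size    = $f.Length
                    Created = $f.CreationTime
                    Reason  = ($reasons -join '; ')
                }
            }
        }
    }
    return $results
}

Find-ReportArtifacts | Format-Table -AutoSize
```

The double-extension match is the more durable detection: the SysWOW64 file names in the report look randomly generated and the hashes of the `.doc.exe` copies differ from one another, so per-run hashes will not transfer cleanly to another infected host, while a `*.doc.exe` sitting where a `.doc` used to be will.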