
Analysis

  • max time kernel
    122s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    15/09/2024, 06:39

General

  • Target

    e1e8346ff1d31ae330cb44c91541cd5a_JaffaCakes118.exe

  • Size

    11.4MB

  • MD5

    e1e8346ff1d31ae330cb44c91541cd5a

  • SHA1

    6c798b54cc3d1291f0b8295e9283d4a0475876ad

  • SHA256

    0f11eb03b72c4111f98ddbde874a09707e663ed3b420b0faa23e66042f37fceb

  • SHA512

    ea915a3a2ae8bae8b306208dc26bd4fea480730b0f6070638f8457a6badb954192ea7ec7ed23c21d40359e423bdf3acc15c28dc531b62ca1ad5fc81ab705111f

  • SSDEEP

    196608:UTwx42RPPBdebEm1iWWHc1SUX6apg3ZhncrJPm59vzgO8L1vsqFRUo7t/IbsCTMs:UaRPiGWW8sUtu/Am5q91vsqFRn5AACTN

Malware Config

Signatures

  • Enumerates VirtualBox registry keys 2 TTPs 5 IoCs
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 17 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Checks system information in the registry 2 TTPs 1 IoCs

    System information is often read in order to detect sandboxing environments.

  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Modifies data under HKEY_USERS 3 IoCs
  • Modifies system certificate store 2 TTPs 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 7 IoCs
  • Suspicious use of SendNotifyMessage 7 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e1e8346ff1d31ae330cb44c91541cd5a_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\e1e8346ff1d31ae330cb44c91541cd5a_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2844
    • C:\Users\Admin\AppData\Local\Temp\F0A6.tmp
      "C:\Users\Admin\AppData\Local\Temp\F0A6.tmp"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2272
      • C:\Users\Admin\AppData\Local\Temp\F3D1.tmp
        "C:\Users\Admin\AppData\Local\Temp\F3D1.tmp"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Writes to the Master Boot Record (MBR)
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Modifies system certificate store
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2808
        • C:\Users\Admin\AppData\Local\Temp\F3D1.tmp
          "C:\Users\Admin\AppData\Local\Temp\F3D1.tmp" /test
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2884
        • C:\Users\Admin\AppData\Local\Temp\F3D1.tmp
          "C:\Users\Admin\AppData\Local\Temp\F3D1.tmp" /restart /util
          4⤵
          • Enumerates VirtualBox registry keys
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Looks for VirtualBox Guest Additions in registry
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks system information in the registry
          • Checks for VirtualBox DLLs, possible anti-VM trick
          • System Location Discovery: System Language Discovery
          • Modifies system certificate store
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1632
      • C:\Users\Admin\AppData\Local\Temp\F3D2.tmp
        "C:\Users\Admin\AppData\Local\Temp\F3D2.tmp" "install"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2832
  • C:\Users\Admin\AppData\Local\Temp\F3D2.tmp
    "C:\Users\Admin\AppData\Local\Temp\F3D2.tmp" run
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    PID:604

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Чистилка\Чистилка Uninstall.lnk

    Filesize

    1KB

    MD5

    b6207ec3c5c5dd09e107e32323fa6aef

    SHA1

    4b4b2176ef992ca0289448f3d254c7147ee1f5ad

    SHA256

    90c5abf3cf668d6518d65a58a2bc5a33b5458802ac355e8579381253305c26d8

    SHA512

    4fa52bac3f1aad33f531dae44c0afca91be4b4b2d259e7d9be6b74832735271c5e1608260d608f8ccc788497c666a52e214a44b960d9bd7c0943aaf63454b102

  • C:\ProgramData\Чистилка\config.dat

    Filesize

    476KB

    MD5

    bb094f254599a26547a3484e35a29482

    SHA1

    8b618de226450871b02e7788a5673512157db5ce

    SHA256

    f845f1859bea42f1d9c6205344eb557296042296745cb8f7e0adbe9d652928f7

    SHA512

    4b1d9c01847293aa99d0fa585788efdd4fb053461a4ce8ea1a20ace661a9bccba6a2265eeb7f06cc552941a530981b883bb6079131c8787a7427fc966fec06e1

  • C:\ProgramData\Чистилка\settings.json

    Filesize

    445B

    MD5

    d5180d4557b08cd31ed9758722bea039

    SHA1

    8d699db057625d887fb465edaea8af08f9c62255

    SHA256

    a8a5db6a3b541cd704d8c4aceeeaa16b147d0cbcfd8c97e59d434d1c0522b1f7

    SHA512

    11439f5d492729d662576dfbfeaa7c7e5a7d796271442b31e928b27e305f81b761d0f1c0cb85bb2e0f91cb8dbce1456a687559584b5eb1db0403cb3382f02cef

  • C:\Users\Admin\AppData\Local\Temp\F3D1.tmp

    Filesize

    5.9MB

    MD5

    d7ebb78bf1f0e4a8278b2d63013b1134

    SHA1

    498b315dcba9bf4403d6748be61453d5d8991b61

    SHA256

    c5a685088c44b1fbd01f49587af753b6a0f8f793de8d3b3d7e170574fef27ba8

    SHA512

    ead20a19b5262ce34f13bae9c9d1082ce5bf740759ea82042d83600094e38de7aea87d7533fdd7660369ec5bb8549e107aff562fa477711515eb9c15c9c93312

  • C:\Users\Admin\AppData\Local\Temp\clnF7A9.tmp

    Filesize

    49KB

    MD5

    abee4387ab69da821ed9397cc651597d

    SHA1

    5d14f4afdbe15448bf884b528ffffab874f920a7

    SHA256

    ac1dfd38d2fa61e28211e196cd3d754f6ccfb220e8c1beba52e54825cf615e22

    SHA512

    e014294cb60b66bd259f4a6ce262fc9eca30a30e7674dae178dbac6132ba464120e5d1076ee81c1210a2f42f819d94373733172cef9fda77c9effb4eed53a904

  • C:\Users\Public\Desktop\Чистилка.lnk

    Filesize

    1KB

    MD5

    0e52a20612b76b36bea4993f84153850

    SHA1

    875134557ab36c302533e4a8f0463461417c38e6

    SHA256

    73e63183921f2b265bb796c701b113a6673f6601c450f4a2615356000617bc03

    SHA512

    2a188dce3bbf502bb4b0bc2e136eef8a5db119e73352bdfafe990909db2b9233d5d22bf89754c872cf6ef11e230755d969a58372cfee57d0f4981cc2f1b0193a

  • C:\Windows\Fonts\pns.ttf

    Filesize

    127KB

    MD5

    df8c626474a73ab7a8b511655597c7c4

    SHA1

    5de28f387ea88553d195d1978286d43c33231969

    SHA256

    723091ba5a1b8e65164075516d69c00c71225c6dde61ffc32dd4047803ab42b5

    SHA512

    c8f7d1577cb70610c40b96c835faca6b916c4924b5061351c8a67287567556b2014efb7c73cdcc4fb6533829541cd0264b8a9e428d3c572e29c06b0d96633d59

  • \Users\Admin\AppData\Local\Temp\F0A6.tmp

    Filesize

    11.0MB

    MD5

    60647b7c7b5645fd43bfaee784becd67

    SHA1

    efb89b51296c016fd482f20bfe68895644caab18

    SHA256

    45909a961618e850f0a737995c2d71760453abc9040e72965fe1816dc15cc390

    SHA512

    a384cf75dd29e7b2c89d00632447cd4726f875a6a8b91ee8bc31bbccb77bffed120fc96e4898491bacbb62f1141ab93c41d7fecfce3771c6a28d6ac3a43a03a1

  • \Users\Admin\AppData\Local\Temp\F3D1.tmp

    Filesize

    10.3MB

    MD5

    9cff02c5ee349922b08481ef0e786401

    SHA1

    a5c90378fe2581f8a69a7d6f11b8283d452562ab

    SHA256

    df8aa536fac28254bec6f2083337d0a0f1e10e132f35c119eedb925b02792474

    SHA512

    979484f010481d69cc8ad89ec183baeae4fa63414e0896a36c043ebad374780debcbe591b9342c764c089b400237d52a3d94658e6f72c9fee99476aee0daaf87

  • \Users\Admin\AppData\Local\Temp\F3D2.tmp

    Filesize

    324KB

    MD5

    bf9f6045d47dd87ae6d41fc7b5485506

    SHA1

    462184bdd3c143f70ff7e9553966cb3d63b7cd12

    SHA256

    f4cc03a26f2d13a41a86da8629b5d5c80a9ea586b6ba044e952b1972ab013440

    SHA512

    bce57892b7cc2f44dae9eed0113530775f64e16d2846e6f08b10d76b9829e0885a94d816bf84d20ee5751ae3d3c536b6a9e6a75b4f95197d6317b032a839b605

  • \Users\Admin\AppData\Local\Temp\sciter.dll

    Filesize

    5.0MB

    MD5

    9d23e2946b37a886dd9b5ce146cdd280

    SHA1

    ac82352e5ef3988dd53403a9552bf9c4bc5162d3

    SHA256

    9fabfffee8ef815f6e0f34c8909597ddf360ebff061151f18365202b774ceb20

    SHA512

    872951f7ed72422e05e5957ab7bd274fdae2fba465b3177bba4b0dd1f1c7b047d7684977f7ad51fa79dd98b30b30dc6e52eac424798c31ae0e0fe31961b682a5

  • memory/2808-84-0x00000000008F0000-0x000000000133F000-memory.dmp

    Filesize

    10.3MB