Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    150s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    19/09/2024, 05:46

General

  • Target

    eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe

  • Size

    192KB

  • MD5

    eab2950521e2e17f90c87bcb847cd3bd

  • SHA1

    a2568f39a3c05d4f720ac39cc71dd4cffec13f34

  • SHA256

    7e502264237f15a7caf41517a953083b8394e7c1550d64af01a94bae5d25117a

  • SHA512

    94d704cf15e080f7c8851ee2a7dc6d114af67bdd15556333e71b838bf2b34ebabd3138f4855450cceae2a72b6bdd7e9216628011d63c1497a8d2cf8352117028

  • SSDEEP

    6144:LnXWx4wSizY9r4BlDqFVhbdfq351C2lF/cQ:LnXWKwSCkcBlOF3b1t2L

Malware Config

Signatures

  • Executes dropped EXE 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

  • Windows security modification 2 TTPs 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates connected drives 3 TTPs 42 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 35 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 27 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe"
    1⤵
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    PID:2752
  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
    1⤵
    • Executes dropped EXE
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    PID:2836
  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    1⤵
    • Executes dropped EXE
    PID:2696
  • C:\Windows\system32\dllhost.exe
    C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
    1⤵
    • Drops file in Windows directory
    PID:2564
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2468
  • C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
    "C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
    1⤵
    • Executes dropped EXE
    • Windows security modification
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2148
  • C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\SearchIndexer.exe /Embedding
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2720
    • C:\Windows\system32\SearchProtocolHost.exe
      "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-457978338-2990298471-2379561640-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-457978338-2990298471-2379561640-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
      2⤵
      • Suspicious use of SetWindowsHookEx
      PID:2192
    • C:\Windows\system32\SearchFilterHost.exe
      "C:\Windows\system32\SearchFilterHost.exe" 0 512 516 524 65536 520
      2⤵
      PID:2776
    • C:\Windows\system32\SearchFilterHost.exe
      "C:\Windows\system32\SearchFilterHost.exe" 0 512 516 524 65536 520
      2⤵
      PID:2672

Network

MITRE ATT&CK Enterprise v15

Downloads

      • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.vir

        Filesize

        284KB

        MD5

        e439430997faf032bb90db4cb3cfb85d

        SHA1

        f5faec3b5a9b6a72e3434ed146fe1cf6fbf692a8

        SHA256

        d15fafd0644267bcef470fe5eb5b87aac659560e973ed4843881b06f644afddb

        SHA512

        98f9d641157b47abf6a5046488da7c77a4a80875265267bd18395926ff167635c24a0c73e8979e9614a2b28a6126bafbc5364c9da43b6a242b9e7133c380801c

      • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

        Filesize

        1.2MB

        MD5

        8174bc516ba6943da8e0f2daec453f27

        SHA1

        414db3d2b6875d529a290517033fbf8002a4b319

        SHA256

        f4a842742e5554defbac5cefa75c8d8313191d0ec0b7d6a3ddeb7a1dfbb1364a

        SHA512

        a9b0a6951aa76a1cc37b470a9089237652e2c1c6f6dc9aa0200f1356e2653b0a216bc3082c14659be59657323ee890ae92338129837add13dc12e0bbdbafcb96

      • C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

        Filesize

        284KB

        MD5

        a144fa37a976c46c0e9b1c469be40730

        SHA1

        658dff7b692b81cca65e29043a2836ee0b406c79

        SHA256

        ad90010304f212dcd7b5970edf549a48658b7c955042d469cf5bb4c323511b39

        SHA512

        e635255f805ef20b525729118ade4ea82559d025fc99d745bf3d469151cc11805deb47a6d5e4fb4a0d06a7491573a4106d077480de6f451d7fe30b000e57b0fc

      • C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

        Filesize

        1024KB

        MD5

        1b2f65afbda6cbfebea33fef7eb74abb

        SHA1

        ca561f4001ce8b1835eadc70df9a45a5395fa341

        SHA256

        609818d66d5b0fa4eaae604d6a0821db0b1bc7736e8428bf175bdf3dec91dbc2

        SHA512

        e56299ef6da60466c54b5a4a85b5d46997b321de2d222f0ec24393f6fac20c0c900d1d68e644401e293180f38f3e88ac1169e218fcee92493849f23405dd85aa

      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

        Filesize

        203KB

        MD5

        d5ebf38ee4bf5f3c6c83bee301d74694

        SHA1

        f845e78ada48e265e2eb2957043511668797fdc1

        SHA256

        0f2a9693509766c31adc09c8bdfabc214c90307ebef1c7a10d99953c90f9e6fa

        SHA512

        e8882fedb7633f591f7f557675ddedd61ec5325661bdd56109e8223dec095b96cd5cca461f72fe4ff287e2553891cce6b10f75fcaad76a3cdb3d0befb2178157

      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

        Filesize

        1003KB

        MD5

        9810c8c671df75d086440c2422e8d23b

        SHA1

        752b44716a6db0bd12c3b21942d823115eea7869

        SHA256

        1aacfd956b689f3ad101b48609ac3b66197d9a6996755653b315bfd792f22e51

        SHA512

        006c9a0f3d579686800f41ddce3125c58d6d5765bef08daea15804b128f8669715a9fb1eccbfb640e01d2ef91a39fa53a61ab7cf3c68035089d6a20a8320debd

      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

        Filesize

        234KB

        MD5

        2dfade6b1cd6ffce496c5dc2394ae41b

        SHA1

        d6663ccdbf351c47b9ce66d34d9a07b2203480ec

        SHA256

        2ba09e29d9adf084a232fd5d24d09a7196a88a214106826762b8247c85e04f73

        SHA512

        8d33a3b88cf92065f01b5777885fb65bdc41f2217b7ccd60523f4408738a6bcae17332d4c7185d4defd3618bf4fc868b296d1e0d9ae04c80464aac3bb8d3922b

      • \??\c:\program files (x86)\microsoft office\office14\groove.exe

        Filesize

        29.7MB

        MD5

        42293d6f2af3d8ffc3d60bce17030317

        SHA1

        ce4ad9207b8ebc3c3c99eaded02cc2f3dda2111e

        SHA256

        52c4d776ed740c469692be5b786bb83b4e6a07dfb7b559d7a8e7454d9c60e8a6

        SHA512

        3a6320d27b70f4efad31a24d12c322f610aa0303b318ff29ee7dfd716e9aa2541923addcd6184997c2559b73303a4ab1ad5651c71014c2fe7571051c0b978454

      • \??\c:\windows\SysWOW64\svchost.exe

        Filesize

        164KB

        MD5

        65fe15d5c6f5a574010c81102be1594c

        SHA1

        7fec835637ba1a1258fdacb7c1914687a892525b

        SHA256

        0c3a09635d73c83668ad07433d3456255ac5f5bf7a105346dfd169422f4ac1f0

        SHA512

        18bb1883db8d88eb95189c950d46889f97dee5c7139d0c0a9510e314f8637384636944c1812019dc8073aeea68cbc8ca23344557ba5415b4f02696b14751798d

      • memory/2148-139-0x000000002E000000-0x000000002E086000-memory.dmp

        Filesize

        536KB

      • memory/2148-44-0x000000002E000000-0x000000002E086000-memory.dmp

        Filesize

        536KB

      • memory/2696-24-0x0000000000400000-0x0000000000479000-memory.dmp

        Filesize

        484KB

      • memory/2720-49-0x00000000029D0000-0x00000000029E0000-memory.dmp

        Filesize

        64KB

      • memory/2720-88-0x0000000003E70000-0x0000000003E78000-memory.dmp

        Filesize

        32KB

      • memory/2720-94-0x0000000003F10000-0x0000000003F11000-memory.dmp

        Filesize

        4KB

      • memory/2720-100-0x0000000003E70000-0x0000000003E78000-memory.dmp

        Filesize

        32KB

      • memory/2720-102-0x0000000003E20000-0x0000000003E21000-memory.dmp

        Filesize

        4KB

      • memory/2720-111-0x0000000003ED0000-0x0000000003ED8000-memory.dmp

        Filesize

        32KB

      • memory/2720-65-0x0000000002AD0000-0x0000000002AE0000-memory.dmp

        Filesize

        64KB

      • memory/2752-0-0x0000000000400000-0x000000000046F000-memory.dmp

        Filesize

        444KB

      • memory/2752-2-0x0000000000400000-0x000000000046F000-memory.dmp

        Filesize

        444KB

      • memory/2752-1-0x0000000000401000-0x0000000000402000-memory.dmp

        Filesize

        4KB

      • memory/2836-30-0x0000000010000000-0x0000000010070000-memory.dmp

        Filesize

        448KB

      • memory/2836-13-0x0000000010000000-0x0000000010070000-memory.dmp

        Filesize

        448KB