Analysis

  • max time kernel
    149s
  • max time network
    130s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21/09/2024, 20:23

General

  • Target

    f08b703cc1d852279362e7b5ad25d22a_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    f08b703cc1d852279362e7b5ad25d22a

  • SHA1

    f1efa9ba25da90274ff8a08a7f062e6e04b1d719

  • SHA256

    f7f02312b7607fcdeace47c2cb46a57e3f280e44b33ceafde3b6e23340ddfff6

  • SHA512

    f78de3375c9913f0e3645099a30a62b213290547877881d6a4ba6e4a10766026e0791ae2bb5cc33a1e2ef0b1d96760ebf595cc667809b41faeb00e8dc0dfc87f

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6h:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5a

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 9 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 12 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 19 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
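
The signatures above name registry artifacts (Winlogon, Run key, DisableRegistryTools, Explorer visibility) without printing the values the sandbox matched. The following is an added triage script, not part of the tria.ge report: it reads the standard locations for those settings on a live host and flags deviations. The key paths are an assumption about what the signatures cover; the SysWOW64 check mirrors where this sample dropped its copies.

```powershell
# Added example, not part of the tria.ge report. Checks a live Windows host for the
# registry artifacts behind the report's "Modifies WinLogon", "Adds Run key to start
# application", "Disables RegEdit via registry modification" and the two Explorer
# visibility signatures. The report does not print the values the sandbox matched, so
# the paths below are the standard locations for those settings (an assumption about
# what the signatures cover). Run from an elevated PowerShell session on the host.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try   { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # key or value absent: treat as "not set"
}

$findings = New-Object 'System.Collections.Generic.List[string]'

# 1. Winlogon Shell / Userinit: anything other than the defaults runs at every logon.
$wl       = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell    = Get-RegValue $wl 'Shell'
$userinit = Get-RegValue $wl 'Userinit'
$defaultUserinit = "$env:SystemRoot\system32\userinit.exe"
if ($shell -and $shell.Trim() -ine 'explorer.exe') {
    $findings.Add("SUSPECT Winlogon\Shell = '$shell' (default: explorer.exe)")
}
# Default is "<SystemRoot>\system32\userinit.exe," ; anything appended after the comma also runs.
if ($userinit -and (($userinit -replace ',\s*$', '').Trim()) -ine $defaultUserinit) {
    $findings.Add("SUSPECT Winlogon\Userinit = '$userinit' (default: $defaultUserinit,)")
}
# A per-user Shell override does not exist on a clean host.
$userShell = Get-RegValue 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' 'Shell'
if ($userShell) { $findings.Add("SUSPECT HKCU Winlogon\Shell = '$userShell'") }

# 2. Registry Editor blocked by policy; the value is absent on a clean host.
$drt = Get-RegValue 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System' 'DisableRegistryTools'
if ($drt -ge 1) { $findings.Add("SUSPECT DisableRegistryTools = $drt (regedit refuses to start)") }

# 3. Explorer visibility. Caveat: HideFileExt=1, Hidden=2 and ShowSuperHidden=0 are also
#    the Windows defaults, so compare against the user's known baseline before reacting.
$adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
foreach ($name in 'HideFileExt', 'Hidden', 'ShowSuperHidden') {
    $findings.Add(('INFO    Explorer\Advanced\{0} = {1}' -f $name, (Get-RegValue $adv $name)))
}

# 4. Run keys: list every autostart; flag targets that are unsigned, missing, or living
#    under SysWOW64, where this sample dropped its copies. Bare names such as
#    "rundll32.exe" are not resolved against PATH here and show up as FileMissing.
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($prop in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($prop.Name -in $providerProps) { continue }
        $cmd = [string]$prop.Value
        # The executable is the first token of the command line, with quotes stripped.
        $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+')[0] }
        $exe = [Environment]::ExpandEnvironmentVariables($exe)
        $sig = if ($exe -and (Test-Path -LiteralPath $exe)) {
                   (Get-AuthenticodeSignature -FilePath $exe).Status.ToString()
               } else { 'FileMissing' }
        $inSysWow = $exe -like "$env:SystemRoot\SysWOW64\*"
        $tag = if ($sig -ne 'Valid' -or $inSysWow) { 'SUSPECT' } else { 'ok     ' }
        $findings.Add(('{0} {1}\{2} -> {3} [sig={4}]' -f $tag, $key, $prop.Name, $exe, $sig))
    }
}

$findings
```

Treat the Winlogon, DisableRegistryTools and Run-key lines as the actionable output; the Explorer values are printed for context only, because the "hide" state the sample writes is also what a fresh Windows profile ships with.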

Processes

  • C:\Users\Admin\AppData\Local\Temp\f08b703cc1d852279362e7b5ad25d22a_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\f08b703cc1d852279362e7b5ad25d22a_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4596
    • C:\Windows\SysWOW64\zuiklcdgsl.exe
      zuiklcdgsl.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2072
      • C:\Windows\SysWOW64\uwqqpctm.exe
        C:\Windows\system32\uwqqpctm.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:1336
    • C:\Windows\SysWOW64\datngwpmqworrtq.exe
      datngwpmqworrtq.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4680
    • C:\Windows\SysWOW64\uwqqpctm.exe
      uwqqpctm.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4824
    • C:\Windows\SysWOW64\kfffmpuvcvvaj.exe
      kfffmpuvcvvaj.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3820
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:1212

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe

    Filesize

    512KB

    MD5

    9fddd74b1728eee235cd86c7892ba33e

    SHA1

    79ddd82fdff03c059ffba3a62ea6a51d0c130476

    SHA256

    3446878d9511e1bec99e5ef51210676fe45a47d9708e9c72c86e9b5769afb411

    SHA512

    f6f0ffe5b794eaae890977a2b250e89885c28b7e0ab9a6fdca955514f5c70783ccf58e3fbd24d19c324eb23779eeacba85095f76f19c965e2ad17d6fe3a6ecd1

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

    Filesize

    512KB

    MD5

    c1012365493b5c568bf555a32729f14c

    SHA1

    97a7dc538d3229e8a60d31e3357dfa806dc11c09

    SHA256

    aec7993014dc90a98ac82d7fbfefa83a7f9c86731f6d3a13c0081ab2ca56d168

    SHA512

    1eaaca032f8fa935c0f5e2425d08d18ff13c01d088a9b8e43a77a010a60ea549855bf4afe7a63a95df5ecb0ce76eb77d154d54555fd531fa200feafbc2aa9f75

  • C:\Users\Admin\AppData\Local\Temp\TCDC75F.tmp\iso690.xsl

    Filesize

    263KB

    MD5

    ff0e07eff1333cdf9fc2523d323dd654

    SHA1

    77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4

    SHA256

    3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5

    SHA512

    b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

  • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

    Filesize

    332B

    MD5

    131461af2646bef83ccb49b20f30252c

    SHA1

    2379935a84f22942adb1da8c21b352c6fdb7bea6

    SHA256

    9b19f22d4284133a526d221cc82008bfc56d0e8ae80dfda579c6e1488feb1bab

    SHA512

    68ef7e2be6cc6a215550fbd2c9286e8150ebc33f6be1d113234ad739c0c5280589bfc287168f1696e352095b3488a10dd599b380238ac2033fbc17f230d86e78

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

    Filesize

    1KB

    MD5

    7b11431833b02d8792c12b2e3aa373d7

    SHA1

    9e4f532bcce9d0397ede28ba22e169f217b8fa87

    SHA256

    c3eea93ba899c4ff279de8bce34a0e26bab3a757a6f54646f22079535a846dbd

    SHA512

    142caf4eb1297fcf932a0a43f24b7926c800f8d7bff2b79320cdc676a15052f3520b842311b8a158552ac177fc703cb0c4704b7a59cbdde7d1bd187a0f8601db

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

    Filesize

    1KB

    MD5

    a145734c6383c306b7bc9fc19a8b2190

    SHA1

    dd119cc9aa0df679669639d82217ff88369467f1

    SHA256

    1ffbe6f56cfd6a2538501c9238d143ab9611da8279b17097f6a1521ca48451b7

    SHA512

    060b87c2e1b43322274df12054305d134c07d98e4ea5ac928b8d5d3249d8799b73c61fa6666894d0064d240b1b4fd4390354549974937b85ded9530636421cc5

  • C:\Windows\SysWOW64\datngwpmqworrtq.exe

    Filesize

    512KB

    MD5

    936cf5160dca6f93e3f323fec9a689d4

    SHA1

    15ce34960dce9b1823e961fa8c1e9709e1087120

    SHA256

    ea14964a3b71794d2f59ce29220f9edf6c0bd94eed93da5235cb80d91ea83e9a

    SHA512

    d57092a0952cd73dca68b1f3e1c3bf804645563f1f135f5f1343b3a632b294fa624fd91c589e9fd31e298f78cc2f4ac12fae081f6bdf8c357a588596e5114d74

  • C:\Windows\SysWOW64\kfffmpuvcvvaj.exe

    Filesize

    512KB

    MD5

    72417d24e4f4700bd4c882848a152d95

    SHA1

    c21f9b8bd95a5da9d97b24b64a53aac0e701103d

    SHA256

    fdd0da49f79f1eb9ad24890b612299e6783725bcd57ade385d9a53099b5a680c

    SHA512

    f5d57d2728f7b898554a43f04fca5d4210bbe655aac331de8a7475392e6f7e53fff84e64a7da3be1754937596b0465713adfc8c61cfc411e5bfc9ef90813a8a9

  • C:\Windows\SysWOW64\uwqqpctm.exe

    Filesize

    512KB

    MD5

    a3d8c6a85abfdb35081e8be2567fbde3

    SHA1

    05533aefa67b5f5780c9cbb384f51a8f2baa0ede

    SHA256

    6e02a199be742f9757dd273570016ef08eb70c4f2a2d72a9095cf56caa6fbab2

    SHA512

    c6d93fe4722e25ad150aa0c749e1a8ea9e1d09b5b37ce1e48631df93ece888d7ebc0bdbda19eccb66c4e4db4d1a3e76f4d1df37474988386cdfa2df25a39d3f6

  • C:\Windows\SysWOW64\zuiklcdgsl.exe

    Filesize

    512KB

    MD5

    e324a37078f017c2bf42bf0b29c496fa

    SHA1

    65381d9181a3e1987f8acae876e5b46a96dffe84

    SHA256

    1f0ef8d31e185ece723a0237a04c239c80bed6c65624836b4fd322d9900babcd

    SHA512

    5d5d62631fd3f740104a43bcd67c04ca5e71ff4b0f00d954f6c7523084b71f0715fe670950aa802ff80cb60d572427d7b5897a7c0a5e0b3043b139549ca00a0b

  • C:\Windows\mydoc.rtf

    Filesize

    223B

    MD5

    06604e5941c126e2e7be02c5cd9f62ec

    SHA1

    4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

    SHA256

    85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

    SHA512

    803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

    Filesize

    512KB

    MD5

    ebeb96913d8310666d5ac5d3eac2c905

    SHA1

    75f20bf1a763fd594c4d81ae95cf7072c33651bb

    SHA256

    a5892a85618316ae3a92abd87326a91a1c1d6a6389eab397538b0dfad45ad8cf

    SHA512

    9c03a44379bb58ff0b7114c7e79ca727cea3537674b6d3cc6943ac78b6186800af3b0bd18fbddf5056603880ced67ae1ae2ca6a17f083cac07c7e95308d62c1f

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

    Filesize

    512KB

    MD5

    1aa34141981bbc11778275f22b788fee

    SHA1

    62bd3d8dc1815d967260fab3d624dcb83e7693d8

    SHA256

    04db1c309b93144f5a815d7c69f60aa48912b14ed82f23ec57d79cc0abe533c3

    SHA512

    0a92ca97cc73cbde15eb87a73fb0cad70b6b4f0b9b9f0de92a32550e116f610185991a4c0e50253cd2aa23106be0420f2bb2fab8b7d000712e6f5e427be6f8ed

  • memory/1212-36-0x00007FF84C250000-0x00007FF84C260000-memory.dmp

    Filesize

    64KB

  • memory/1212-41-0x00007FF84A1F0000-0x00007FF84A200000-memory.dmp

    Filesize

    64KB

  • memory/1212-37-0x00007FF84C250000-0x00007FF84C260000-memory.dmp

    Filesize

    64KB

  • memory/1212-40-0x00007FF84A1F0000-0x00007FF84A200000-memory.dmp

    Filesize

    64KB

  • memory/1212-38-0x00007FF84C250000-0x00007FF84C260000-memory.dmp

    Filesize

    64KB

  • memory/1212-39-0x00007FF84C250000-0x00007FF84C260000-memory.dmp

    Filesize

    64KB

  • memory/1212-35-0x00007FF84C250000-0x00007FF84C260000-memory.dmp

    Filesize

    64KB

  • memory/1212-605-0x00007FF84C250000-0x00007FF84C260000-memory.dmp

    Filesize

    64KB

  • memory/1212-606-0x00007FF84C250000-0x00007FF84C260000-memory.dmp

    Filesize

    64KB

  • memory/1212-608-0x00007FF84C250000-0x00007FF84C260000-memory.dmp

    Filesize

    64KB

  • memory/1212-607-0x00007FF84C250000-0x00007FF84C260000-memory.dmp

    Filesize

    64KB

  • memory/4596-0-0x0000000000400000-0x0000000000496000-memory.dmp

    Filesize

    600KB
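
The Downloads list above gives one hash per written file, and every dropped copy differs from the parent and from each other (the two writes of MsoIrmProtector.doc.exe even differ from one another) although all are 512KB, so the hashes only identify this exact run. The following added hunt script, not part of the tria.ge report, combines the report's SHA256 values with the more durable signal, a document-looking name carrying a second ".exe" extension under the Office and MSDRM directories. The hashes are copied from the report; the scan roots and the list of document extensions are assumptions that generalise the .DOC.exe / .doc.exe names shown above.

```powershell
# Added example, not part of the tria.ge report. Hunts a host for the files listed under
# Downloads: by SHA256 for the submitted sample and its dropped copies, and by the naming
# pattern the sample used (a document-looking name with a trailing ".exe"). Hashes are
# copied from the report; the scan roots and extension list are assumptions and can be
# widened. C:\Windows\mydoc.rtf (the decoy) can be checked directly with Get-FileHash.

$iocSha256 = @{
    'f7f02312b7607fcdeace47c2cb46a57e3f280e44b33ceafde3b6e23340ddfff6' = 'f08b703cc1d852279362e7b5ad25d22a_JaffaCakes118.exe (submitted)'
    '1f0ef8d31e185ece723a0237a04c239c80bed6c65624836b4fd322d9900babcd' = 'zuiklcdgsl.exe'
    '6e02a199be742f9757dd273570016ef08eb70c4f2a2d72a9095cf56caa6fbab2' = 'uwqqpctm.exe'
    'ea14964a3b71794d2f59ce29220f9edf6c0bd94eed93da5235cb80d91ea83e9a' = 'datngwpmqworrtq.exe'
    'fdd0da49f79f1eb9ad24890b612299e6783725bcd57ade385d9a53099b5a680c' = 'kfffmpuvcvvaj.exe'
    '3446878d9511e1bec99e5ef51210676fe45a47d9708e9c72c86e9b5769afb411' = 'PROTTPLN.DOC.exe'
    'aec7993014dc90a98ac82d7fbfefa83a7f9c86731f6d3a13c0081ab2ca56d168' = 'PROTTPLV.DOC.exe'
    'a5892a85618316ae3a92abd87326a91a1c1d6a6389eab397538b0dfad45ad8cf' = 'MsoIrmProtector.doc.exe (1st write)'
    '04db1c309b93144f5a815d7c69f60aa48912b14ed82f23ec57d79cc0abe533c3' = 'MsoIrmProtector.doc.exe (2nd write)'
    '85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2' = 'mydoc.rtf (decoy document)'
}

function Find-ReportIocs {
    param(
        [string[]]$Roots,
        [hashtable]$Sha256Map,
        [switch]$HashEverything   # by default only .exe/.rtf are hashed to keep the scan cheap
    )
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Recurse -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                $f = $_
                $hits = @()
                # Document-looking base name with a second, executable extension
                # (assumed generalisation of the .DOC.exe / .doc.exe names in the report).
                if ($f.Name -match '\.(doc|docx|dot|rtf|xls|pdf)\.exe$') { $hits += 'double extension' }
                # Hashing whole Office trees is slow; restrict to the types the report lists
                # unless -HashEverything is given.
                if ($HashEverything -or $f.Extension -in '.exe', '.rtf') {
                    $h = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
                    if ($h -and $Sha256Map.ContainsKey($h.ToLower())) {
                        $hits += "sha256: $($Sha256Map[$h.ToLower()])"
                    }
                }
                if ($hits.Count -gt 0) {
                    [pscustomobject]@{
                        Path   = $f.FullName
                        SizeKB = [math]::Round($f.Length / 1KB)
                        Hits   = ($hits -join '; ')
                    }
                }
            }
    }
}

# Assumed scan roots: the drop locations named in the report.
$roots = "$env:SystemRoot\SysWOW64",
         "$env:ProgramFiles\Microsoft Office",
         "${env:ProgramFiles(x86)}\Microsoft Office"
Find-ReportIocs -Roots $roots -Sha256Map $iocSha256 | Format-Table -AutoSize
```

A hit on "double extension" with no hash match is the expected result on a host infected by a different run of the same family; treat it as a lead to hash and submit the file rather than as a clean result.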