Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    120s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    28/09/2024, 07:18

General

  • Target

    fbc7518bbfc4711c6ae1972891dbe7c6_JaffaCakes118.exe

  • Size

    295KB

  • MD5

    fbc7518bbfc4711c6ae1972891dbe7c6

  • SHA1

    ba97f5844951faa501eca586b7e5bf62b1a87667

  • SHA256

    cd57d3a1736fa1a9a7fc25c8d3911a076d5ce1b65876cb65695d0a00bcec4452

  • SHA512

    971204ff507a2fd479a767536db0fa6ca28a5805c6e632c4c020dd59b351c6457a0b76c5104304d38369bffcc0bc1a49e5fc88b87c5aaebd76de8285ac5d7985

  • SSDEEP

    3072:uOXpHv1O0dCoutpmN32wePesy9B10l4LGIkTMjr7bY3SK9ydtL7qm8GmNCcEmAYs:XpvCoSwLLlqM/Y876m8aqWVZuo

Malware Config

Signatures

  • UAC bypass 3 TTPs 2 IoCs
  • Drops file in Drivers directory 1 IoCs
  • Sets file to hidden 1 TTPs 1 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 22 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry key 1 TTPs 1 IoCs
  • Runs .reg file with regedit 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fbc7518bbfc4711c6ae1972891dbe7c6_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\fbc7518bbfc4711c6ae1972891dbe7c6_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2748
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\F586.tmp\antimalware.bat" "
      2⤵
      • Drops file in Drivers directory
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2648
      • C:\Windows\SysWOW64\reg.exe
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "Wifi Tecnhologies" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\mssgnr.exe" /f
        3⤵
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:2832
      • C:\Windows\SysWOW64\reg.exe
        C:\Windows\system32\reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings" /v "WarnonBadCertRecving" /t REG_DWORD /d "0x00000000" /f
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2400
      • C:\Windows\SysWOW64\reg.exe
        C:\Windows\system32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        3⤵
        • UAC bypass
        • System Location Discovery: System Language Discovery
        • Modifies registry key
        PID:2872
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c dir "\Users\Admin\.." /b /s | find "prefs.js"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2792
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" dir "\Users\Admin\.." /b /s "
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2844
        • C:\Windows\SysWOW64\find.exe
          find "prefs.js"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2548
      • C:\Windows\SysWOW64\attrib.exe
        C:\Windows\system32\attrib.exe -r -a -s -h "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\prefs.js"
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:2284
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c dir "\Users\Admin\.." /b /s | find "prefs.js"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2660
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" dir "\Users\Admin\.." /b /s "
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1896
        • C:\Windows\SysWOW64\find.exe
          find "prefs.js"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2580
      • C:\Windows\SysWOW64\attrib.exe
        C:\Windows\system32\attrib.exe -r -a -s -h "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\prefs.js"
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:2820
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c dir /b /s | find /i "java.policy"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2536
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" dir /b /s "
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2544
        • C:\Windows\SysWOW64\find.exe
          find /i "java.policy"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3056
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c dir "C:\Program Files (x86)\" /b /s | find "mozalloc.dll"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2836
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" dir "C:\Program Files (x86)\" /b /s "
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2868
        • C:\Windows\SysWOW64\find.exe
          find "mozalloc.dll"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2856
      • C:\Windows\SysWOW64\regedit.exe
        regedit /s "C:\Users\Admin\AppData\Roaming\Admin.reg"
        3⤵
        • UAC bypass
        • System Location Discovery: System Language Discovery
        • Runs .reg file with regedit
        PID:1412
      • C:\Windows\SysWOW64\attrib.exe
        Attrib -r -s -h C:\Windows\system32\drivers\etc\hosts
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:2592
      • C:\Windows\SysWOW64\attrib.exe
        Attrib +r +h C:\Windows\system32\drivers\etc\hosts
        3⤵
        • Sets file to hidden
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:328

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\F586.tmp\antimalware.bat

    Filesize

    13KB

    MD5

    a047b9925bfdbf4fd449fd81a72632f3

    SHA1

    b03a2a30d5da0d8812edbbf6f76169ddd83edc51

    SHA256

    768d77e9c377b4742259ab797c03901db2dfcd41f14c9c0dfbac11c4589c0822

    SHA512

    cf072e7e1f55c668d79048bb0b4249a2e6a3f86921960c722d62a1b2416cd9d1bc4766181b1670cb5e713b8d8875922c1b41741c52170f646a29e506eb700cd6

  • C:\Users\Admin\AppData\Roaming\Admin.reg

    Filesize

    841B

    MD5

    2e4d75b0fd4e7806f98459faa2e526e5

    SHA1

    26ce7c85a08542539c891a7fab03317d2b4109b9

    SHA256

    ec76a4fb3ab546dcc49ba135d3e3bde64d185b484d487d26ccb867faf203b6c3

    SHA512

    f721af6f4b4e1d419d258987c6de4b310b6998ec27a43093239a7e7e0922df56cb91898675024508702f19494fff4d8d1d61c4ae363fd579914312d371f9c00d

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\prefs.js

    Filesize

    6KB

    MD5

    67a335ac2ca2e72f0187e687b4be054d

    SHA1

    21a687a07cde31feb8d298ebf6c4dd8cd43fc3f0

    SHA256

    a892f07aa263ff196610439a0a309abbf17e0b1a236d60338e3762cbd4eacbda

    SHA512

    0afc36883575171ef393a134d8b5fbae66e84a9aea030058e64c2f100e6bad63d2d313e402a0b4b0c7121dc62af8a9aa6940540159bbb29743464e2ba43e636b

  • memory/2748-0-0x0000000000400000-0x000000000049C000-memory.dmp

    Filesize

    624KB

  • memory/2748-24-0x0000000000400000-0x000000000049C000-memory.dmp

    Filesize

    624KB

  • memory/2748-165-0x0000000000400000-0x000000000049C000-memory.dmp

    Filesize

    624KB