Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

5

07302e8a25...18.exe

windows7-x64

10

07302e8a25...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    01/10/2024, 19:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    07302e8a2533fd1b255a1e7ffa67e1f0_JaffaCakes118.exe

  • Size

    255KB

  • MD5

    07302e8a2533fd1b255a1e7ffa67e1f0

  • SHA1

    1fc108bcfee2c334545241be97b7db200342437d

  • SHA256

    4a58739beb97d2a3dc4d5d8c58157c16a80d486121292a96204beb72abbbaae6

  • SHA512

    159a0b9fa62d37c6d3e789df679c44324333046d4f25883b82a1a4b20c59ad01f76bd82ef2f3717fd95c6ed89302d0bee50e5e62b06fdd0a16cb35f223e4cbf5

  • SSDEEP

    3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJw:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIx

Score
10/10
discoveryevasionpersistencespywarestealertrojanupx

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Windows security bypass 2 TTPs 5 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 6 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 58 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • UPX packed file 64 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 18 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies registry class 19 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\07302e8a2533fd1b255a1e7ffa67e1f0_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\07302e8a2533fd1b255a1e7ffa67e1f0_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1864
    • C:\Windows\SysWOW64\pmulnvyvco.exe
      pmulnvyvco.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:1004
      • C:\Windows\SysWOW64\plshmjob.exe
        C:\Windows\system32\plshmjob.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:3036
    • C:\Windows\SysWOW64\zbmdcnvhtztycdj.exe
      zbmdcnvhtztycdj.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2516
    • C:\Windows\SysWOW64\plshmjob.exe
      plshmjob.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2268
    • C:\Windows\SysWOW64\lasjdswuopdvs.exe
      lasjdswuopdvs.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:804
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2960
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
          PID:1020

    Network

    MITRE ATT&CK Enterprise v15

    Reconnaissance

    Resource Development

    Initial Access

    Execution

    Persistence

    Boot or Logon Autostart Execution

    2
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Winlogon Helper DLL

    1
    T1547.004

    Privilege Escalation

    Boot or Logon Autostart Execution

    2
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Winlogon Helper DLL

    1
    T1547.004

    Defense Evasion

    Hide Artifacts

    2
    T1564

    Hidden Files and Directories

    2
    T1564.001

    Impair Defenses

    2
    T1562

    Disable or Modify Tools

    2
    T1562.001

    Modify Registry

    6
    T1112

    Credential Access

    Credentials from Password Stores

    1
    T1555

    Credentials from Web Browsers

    1
    T1555.003

    Unsecured Credentials

    1
    T1552

    Credentials In Files

    1
    T1552.001

    Discovery

    Peripheral Device Discovery

    1
    T1120

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    System Location Discovery

    1
    T1614

    System Language Discovery

    1
    T1614.001

    Lateral Movement

    Collection

    Data from Local System

    1
    T1005

    Command and Control

    Exfiltration

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe
      Filesize

      255KB

      MD5

      a216c3d54c439a768584a114eccd0d2b

      SHA1

      7479a2180ef9a77b00a14cb4f2a07c8f95c36f50

      SHA256

      6d0bd5e11477125c66740abacf4a9e86fd156909ecdd28bfca85dd7eb8c5bfad

      SHA512

      252b67913e5791b6bd9453e34e32b1fe4eab8dcf0ebf2a5b94be67354519b1660b9b5089f0cab88113db6fdb262587737ba09ba856d66068b906a144e4bb76ff

      Download Submit

    • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe
      Filesize

      255KB

      MD5

      1a006f3d48ffb1e957e92322e9390127

      SHA1

      74852ae0aa4d9d122621e96d4b8d16f6e6e113eb

      SHA256

      1e3847933e1d9c832791afbddda2cb89163af96cf55db22f87042253aa449a31

      SHA512

      8d3813ec03e0fbca73fb896521d3f79cc516425c0925265950f3cf53963e5e40d257161fb1ee39f93fccff330da83257a10e756095899319c927a6e792209d7a

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
      Filesize

      437B

      MD5

      1987af2d8e926f88c2b21b9a702e05bc

      SHA1

      37681a5405dabf608dd9217fb47e3d63eac700e4

      SHA256

      485bd155b6ce9e478e346c79a1d732df961a222056bba01fd80cb5e2d769ae3d

      SHA512

      9fef3aebf4b2fe6ec6f53e647eed0f5dd10e554face51c5aa3ad674dbd7711efade9efae81ab376023fc49d420132d6ee1ecac4c222f0575e5b56854519a5dcc

      Download Submit

    • C:\Windows\SysWOW64\lasjdswuopdvs.exe
      Filesize

      255KB

      MD5

      4048c1b92ec3495138874e65015d1c6b

      SHA1

      488c134d88bcb84d5634f6badde813bc1f5821ef

      SHA256

      baba2de098cba42b0f97d6ecae7649d2cf15705ffa8a478c59b76229f5453223

      SHA512

      c14ea4787c2eabf8ed5f76917a8144b675ef25b653f3636ec05703af55c97a58fcfc0ad99a09dedd5614be5baf6eefead18c4af2272d8b2108a821ba95297161

      Download Submit

    • C:\Windows\SysWOW64\plshmjob.exe
      Filesize

      255KB

      MD5

      3ef6c064b5024443bf97563e6e1d8c35

      SHA1

      4f4ff68283b0f1c05600d1999b2151941a53182e

      SHA256

      2cc0ca97055c03d76463592d78dbbc7f8a229c78426c904ae238a4720f4056ad

      SHA512

      e5f5cbaa67afa3bfded09aa1cbe2ff3c0e0b49ebf9080ce842ec052db98f4f14168aa83faf4eec469e481ea9a93368477f1364c936096114d330663b4d15c7ab

      Download Submit

    • C:\Windows\mydoc.rtf
      Filesize

      223B

      MD5

      06604e5941c126e2e7be02c5cd9f62ec

      SHA1

      4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

      SHA256

      85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

      SHA512

      803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

      Download Submit

    • \Windows\SysWOW64\pmulnvyvco.exe
      Filesize

      255KB

      MD5

      335e17ad99474baa51be08c988c1ccd5

      SHA1

      0ba01ab05200c957022a06124a36ab3d99457d01

      SHA256

      3fa234940002da94869979143b504c7038e83de682630dc29798600337536cc5

      SHA512

      cca45c7fa7f87b6980aa4aaa35de7618d2ad1087e67b9dc4e4175c38d7da4f8f1005c59a75ec26f186698687a7493ec42fe140e54630e11b340caa434a8c21e1

      Download Submit

    • \Windows\SysWOW64\zbmdcnvhtztycdj.exe
      Filesize

      255KB

      MD5

      f91cee2e7da701a0df13e0b1588913f5

      SHA1

      ced9305054281c0a6a25639d3e6ec8b7b4b92ae1

      SHA256

      c968f0e601624f8d95ae504eb7edc0843c2b1f21ea3a959bbedf159d8b42ca64

      SHA512

      ec02faba0b5490a529fdabf7b82e3d553ae7db9643089a07e4923716bcf783fedefc563a62b63ed9587a94c2769b28b81e5fb32c9a2580257c8b82507fa9f1a9

      Download Submit

    • memory/804-42-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/804-124-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/804-137-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/804-134-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/804-131-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/804-143-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/804-128-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/804-140-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/804-101-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/804-146-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/804-149-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/804-121-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/804-118-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/804-115-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/804-95-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/804-106-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1004-129-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1004-138-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1004-98-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1004-147-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1004-96-0x0000000004070000-0x0000000004110000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1004-132-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1004-103-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1004-29-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1004-144-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1004-49-0x0000000004070000-0x0000000004110000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1004-122-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1004-108-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1004-141-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1004-126-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1004-119-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1004-92-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1004-116-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1004-135-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1864-35-0x00000000032B0000-0x0000000003350000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1864-45-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1864-19-0x00000000032B0000-0x0000000003350000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1864-0-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2268-94-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2268-113-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2268-105-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2268-37-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2268-100-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2516-127-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2516-36-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2516-148-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2516-99-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2516-123-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2516-133-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2516-120-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2516-136-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2516-117-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2516-93-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2516-104-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2516-130-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2516-139-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2516-109-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2516-145-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2516-142-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2960-46-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3036-107-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/3036-97-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/3036-114-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/3036-102-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/3036-50-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download