Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    140s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    09/10/2024, 02:53

General

  • Target

    2987971c53a3e3ea7de63d5aeb2a9cee_JaffaCakes118.exe

  • Size

    47KB

  • MD5

    2987971c53a3e3ea7de63d5aeb2a9cee

  • SHA1

    86ffe38cf6175ecf6a127ecbcf70d83782e175c0

  • SHA256

    dae216f68b95d8f6e77d6089d5db382a87f1fa75c093f1f83656d091cae7bde9

  • SHA512

    93c11a9949005ee74daaab94bf7f480b194d03f323d88d7a691fb9759be7d8163f29b3ca1b481f4987cc4b06e8ee53633baabe67a524418a9fb281edd17c87a8

  • SSDEEP

    768:rmNnDSb5J3a0N1DZKRkC4beGLJ8tRWX+mMKqRxXGFT0nEWa:SO1W4qzcjFqPGFA

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 5 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 2 IoCs
  • Command and Scripting Interpreter: JavaScript 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 12 IoCs
  • Modifies registry class 64 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2987971c53a3e3ea7de63d5aeb2a9cee_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\2987971c53a3e3ea7de63d5aeb2a9cee_JaffaCakes118.exe"
    1⤵
    • Checks whether UAC is enabled
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2908
    • C:\RAWNCSEMZD5.EXE
      C:\RAWNCSEMZD5.EXE FDONSZUYCQS
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2276
    • C:\Windows\SysWOW64\regsvr32.exe
      regsvr32.exe /s "c:\windows\fdonszuycqs.dll"
      2⤵
      • Installs/modifies Browser Helper Object
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      PID:2912
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\U64RW37S5EZ.BAT
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2764
      • C:\Windows\SysWOW64\regsvr32.exe
        regsvr32.exe /u /s itss.dll
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2916
      • C:\Windows\SysWOW64\reg.exe
        reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Display Inline Images" /t REG_SZ /d yes /F
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        PID:2920
      • C:\Windows\SysWOW64\reg.exe
        reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Disable Script Debugger" /t REG_SZ /d yes /F
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        PID:2888
      • C:\Windows\SysWOW64\regsvr32.exe
        regsvr32.exe /s jscript.dll
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        PID:2860
      • C:\Windows\SysWOW64\regsvr32.exe
        regsvr32.exe /u /s scrrun.dll
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        PID:2160
      • C:\Windows\SysWOW64\reg.exe
        reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v DisableScriptDebuggerIE /t REG_SZ /d yes /F
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        PID:3068
      • C:\Windows\SysWOW64\reg.exe
        reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v Play_Animations /t REG_SZ /d no /F
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        PID:2820
      • C:\Windows\SysWOW64\reg.exe
        reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v Play_Background_Sounds /t REG_SZ /d no /F
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        PID:2876
      • C:\Windows\SysWOW64\reg.exe
        reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Display Inline Videos" /t REG_SZ /d no /F
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        PID:2524
      • C:\Windows\SysWOW64\regsvr32.exe
        regsvr32.exe /u /s vbscript.dll
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2940
      • C:\Windows\SysWOW64\reg.exe
        reg.exe delete HKLM\Software\Microsoft\Windows\CurrentVersion\Run /F
        3⤵
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Modifies registry key
        PID:2956
      • C:\Windows\SysWOW64\regsvr32.exe
        regsvr32.exe /u /s msvidctl.dll
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2684

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\RAWNCSEMZD5.EXE

    Filesize

    10KB

    MD5

    f2da5ae8487e3f7572e325334e54cf61

    SHA1

    45036bae670a2253c038092ec0cdf6ad34e13021

    SHA256

    1d87765c85931b53cede519163ed1de17e824584552f8d9747bdb5623dd640f2

    SHA512

    c611a49edf753110572133128a84d107b95f55fcb31b9ded1e86241651ee3e5033e2a637127caf857d60aeb3e2e902d8ca3ef7db34a3742a995a1316b2fa30e0

  • C:\U64RW37S5EZ.BAT

    Filesize

    1KB

    MD5

    8ad83a51d415c7d5d2beaf01d8083b23

    SHA1

    700fa9f0d42671a9086d02113eb892daab20e0b5

    SHA256

    39548db3192c9be6caa33eb253fcfa311d0e80f72e91162f1fa303f147caaacd

    SHA512

    23a34ded9eb7ae0813eb213a1441a3f1d03ee924a1131f874a2af00427f129896fb3287f71955fe106004f2e728a43bedea68d4a97c338b5f0aed5df187bb172

  • C:\Windows\FDONSZUYCQS.txt

    Filesize

    47KB

    MD5

    229c68dcdcbeab291fc2fc08b48838da

    SHA1

    defaf680480f5ee990adf3b5b4653275da07d188

    SHA256

    590e2789a31fe522e8deaae46131475c5f48c671495436e233fb2e3020ac9c1e

    SHA512

    9af5bb181250aec6638db41da0419e6d2b96aa77b5795aa13cb09930a0c6048e5447a9fd2d43c3628bba3d25572630decbcf45a5b585a54cc7f46290d7b06ac0

  • \??\c:\windows\fdonszuycqs.dll

    Filesize

    28KB

    MD5

    82ac13500b978fdb07c73e504a871498

    SHA1

    5e8478e261b48d63ca460bee85dde9cf62688407

    SHA256

    fd8f4a34328e6299045a455777b74f2f0ccf4fdca8899f66d1ee10d2a15284bc

    SHA512

    7620fd5885eea7f9a9d3a4f22f36470439cf01bfbd31eff6e06beec7d2b4b951080533572e2b9a5fa42c4c7cafe1c09ae000d4d2ca3ee7282a1b050248d8902e

  • \Program Files\4QWBYHBE0\E7FMR47BEU.EXE

    Filesize

    47KB

    MD5

    2987971c53a3e3ea7de63d5aeb2a9cee

    SHA1

    86ffe38cf6175ecf6a127ecbcf70d83782e175c0

    SHA256

    dae216f68b95d8f6e77d6089d5db382a87f1fa75c093f1f83656d091cae7bde9

    SHA512

    93c11a9949005ee74daaab94bf7f480b194d03f323d88d7a691fb9759be7d8163f29b3ca1b481f4987cc4b06e8ee53633baabe67a524418a9fb281edd17c87a8