Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel: 134s
  • max time network: 125s
  • platform: windows7_x64
  • resource: win7-20240903-en
  • resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted: 09/10/2024, 09:38

General

  • Target: 2ed33134b7dcec4f0867dbe2a33d3563_JaffaCakes118.exe
  • Size: 267KB
  • MD5: 2ed33134b7dcec4f0867dbe2a33d3563
  • SHA1: 885957f5db7e80eda733a3bcdeec6e96d8d1cc40
  • SHA256: e54c970c070eb06342ed87ad37d1c1564bf2cc85c685956b4a41832b4fc2492a
  • SHA512: a9d3bfa3dd49b44f03f4dea5db139219468a3aadcb914f093751f88815684d55b12ae1505277a8c77c439cbaab6383af617f23a0eab3fa5a819a65137b79c473
  • SSDEEP: 6144:CpbT0bxaCI4K92iwuEPNJ8CB7qxcVIDezd8zaz72i:RaCh+2V38TxQAezCzq

Malware Config

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 2 IoCs)
  • Boot or Logon Autostart Execution: Active Setup (2 TTPs, 1 IoC)

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself (1 IoC)
  • Executes dropped EXE (4 IoCs)
  • Loads dropped DLL (28 IoCs)
  • Checks installed software on the system (1 TTP)

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Installs/modifies Browser Helper Object (2 TTPs, 1 IoC)

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Drops file in Windows directory (10 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTP, 9 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings (1 TTP, 2 IoCs)
  • Modifies registry class (64 IoCs)
  • Suspicious behavior: EnumeratesProcesses (1 IoC)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (12 IoCs)
  • Suspicious use of FindShellTrayWindow (30 IoCs)
  • Suspicious use of SendNotifyMessage (19 IoCs)
  • Suspicious use of WriteProcessMemory (56 IoCs)
  • Uses Task Scheduler COM API (1 TTP)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2ed33134b7dcec4f0867dbe2a33d3563_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\2ed33134b7dcec4f0867dbe2a33d3563_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1348
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /Q /C "C:\Users\Admin\AppData\Local\Temp\ac8zt2\install.bat"
      2⤵
      • Loads dropped DLL
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2616
      • C:\Users\Admin\AppData\Local\Temp\ac8zt2\etna.exe
        etna.exe C:\Windows\mpfanvqg.dll mpfanvqg
        3⤵
        • Adds autorun key to be loaded by Explorer.exe on startup
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        PID:2080
      • C:\Windows\SysWOW64\regsvr32.exe
        regsvr32.exe /s pvnsmfor.dll
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Modifies registry class
        PID:2548
      • C:\Users\Admin\AppData\Local\Temp\ac8zt2\etna.exe
        etna.exe C:\Windows\vbksrofa.dll vbksrofa
        3⤵
        • Adds autorun key to be loaded by Explorer.exe on startup
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        PID:1696
      • C:\Windows\SysWOW64\regsvr32.exe
        C:\Windows\system32\regsvr32.exe /s C:\Windows\fvowketqsoq.dll
        3⤵
        • Installs/modifies Browser Helper Object
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        PID:2932
      • C:\Users\Admin\AppData\Local\Temp\ac8zt2\oadkxrts.exe
        oadkxrts.exe reg
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:2044
      • C:\Users\Admin\AppData\Local\Temp\ac8zt2\etna.exe
        etna.exe repog
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:2024
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /Q /C C:\Users\Admin\AppData\Local\Temp\nse477F.tmp.bat "C:\Users\Admin\AppData\Local\Temp\2ed33134b7dcec4f0867dbe2a33d3563_JaffaCakes118.exe"
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2352
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2640

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\ac8zt2\etna.exe
    Filesize: 88KB
    MD5: 7d142bb4dff32858f88fab0733c62c32
    SHA1: ba786bea4bc39ea5bdd83ee67491d52961e63ccd
    SHA256: 76b3cb854815b224000cda244809e3f968b977571fd18b7e91c0a069f0492eba
    SHA512: cda12c7895ea03a2675fb62b44a1dab35dccc4b22a9ef3e2630445a55969039fb31bcbcdd5831364010e00bfef3a6432e6c5d50cf7b16195225413b0a2a828b9

  • C:\Users\Admin\AppData\Local\Temp\ac8zt2\fvowketqsoq.dll
    Filesize: 216KB
    MD5: a193f565fe3e02871a187e274da25d3d
    SHA1: 54dddb12e91661205b89af126140b562e11ff416
    SHA256: 2227655ef6c436aee13a4bbc40c59491849957d2be62782b132c49c5c85208db
    SHA512: ac4032148d3ca3480ff8cabb497d958c3111703ee169efa21b3c8e8bfabbdc0012cad91b32ab11649fd6cff627ec0cc47b4a585fb1cd84015012b9421471ad2d

  • C:\Users\Admin\AppData\Local\Temp\ac8zt2\install.bat
    Filesize: 1KB
    MD5: 4e5e1532e041c3833f33ea0510db9092
    SHA1: 79b661ece690c05cc1f5f10f7b6b2c1dab3e639b
    SHA256: 068f0ae0f4d76c06735fe78df5641fca4c3ed9abb3e736b6d5847b5f6de6ab62
    SHA512: 5067d36cfe3c531781be29a700b4169b715ca52ab0f65081c545ba882086792148ba17c9fb30933654c2a0ccf56409524fa8f72d2141c156c4101925177a02a3

  • C:\Users\Admin\AppData\Local\Temp\ac8zt2\mpfanvqg.dll
    Filesize: 164KB
    MD5: b7202932970db98b94f17ef7ea13d05b
    SHA1: 352cb16065896cc6d5395babaef49c424556a250
    SHA256: 22d7b5226b0079818adf1c6b2e73142e10aa75228c8a5752fb4b2339e549cacb
    SHA512: 32a424baa2cfe1e8e207f27ee56168a9aafbd95284abb9b2adb037000819608ec2c305fad2b5d441cf26e165209c477eff94577c8d2a9654902025de18443d98

  • C:\Users\Admin\AppData\Local\Temp\ac8zt2\oadkxrts.exe
    Filesize: 80KB
    MD5: 4cf673b657b08a2c8fb8151c1e653ea6
    SHA1: 0c2a415e37dd10d7a80132d0a63128dabea2c4e3
    SHA256: 1a8b7e95c33835ba3ab309003d018e84d357cb555bb2b6e38a4864f3d8aa5c88
    SHA512: 15c8545d5237aee6062b9e98448afd053cb29ec14e48eac75d353dcb5fbbee0b8143e06bf26891516963b413add3131ab3597ce0281486a335092a46e104b1d4

  • C:\Users\Admin\AppData\Local\Temp\ac8zt2\pvnsmfor.dll
    Filesize: 148KB
    MD5: b7ff268d0acdf25014dc0a3c6a360176
    SHA1: 42b6124139159ccc23c9bfc2920f72515eac536a
    SHA256: 9fe36d52e2084ffa50fe1b883acbb232e424a1cc398486200b1d51ae59e4c92d
    SHA512: 9fe4e7fa36455075de2bc181bef3ea861e1055c60900488fc3f3465e47e9afc82d6cb55378ea103cf3c077a5d131f250353eb265d1352cde641a89978effa240

  • C:\Users\Admin\AppData\Local\Temp\ac8zt2\vbksrofa.dll
    Filesize: 212KB
    MD5: 5d98bea53fb418d2a7e67c276f07a961
    SHA1: 3b72866ffefd0346fba0751a800350f57dda3e9b
    SHA256: 4ef85b1e8938b2802df7e11c8ba3a2e1a7fe60c45fbdf9a8d23af039103d8e00
    SHA512: 017cbac43d017a081cfb9f9bcc22659e2eb407353c92162e5900254f0cd1ba4ceb07084f43b69d3565e5698d0b2decb8c176d843e19d8d15f02bf56db690eb3d

  • C:\Users\Admin\AppData\Local\Temp\nse477F.tmp.bat
    Filesize: 113B
    MD5: ec7bc689d746f2ecb15e63d1f71acd6a
    SHA1: 5e58f8078aa975c1ee83392fb149a3d8b8943c54
    SHA256: d575705505403b688975677f1abf19f5d35072a54b68cbc07ab4d3ee03e6eec9
    SHA512: 24797cbff32ab0da8f1da868e78e24c59c115321d74eed4dafe60b882936b680e3086f4e1280a32b30cd02b0ba18c9c87d809bb09e47ba80c19de97a06fd4a8a

  • C:\Users\Admin\AppData\Local\Temp\nst42AD.tmp\System.dll
    Filesize: 10KB
    MD5: 7d85b1f619a3023cc693a88f040826d2
    SHA1: 09f5d32f8143e7e0d9270430708db1b9fc8871a8
    SHA256: dc198967b0fb2bc7aaab0886a700c7f4d8cb346c4f9d48b9b220487b0dfe8a18
    SHA512: 5465804c56d6251bf369609e1b44207b717228a8ac36c7992470b9daf4a231256c0ce95e0b027c4164e62d9656742a56e2b51e9347c8b17ab51ff40f32928c85

  • \Users\Admin\AppData\Local\Temp\nst42AD.tmp\blowfish.dll
    Filesize: 22KB
    MD5: 5afd4a9b7e69e7c6e312b2ce4040394a
    SHA1: fbd07adb3f02f866dc3a327a86b0f319d4a94502
    SHA256: 053b4487d22aacf8274bab448ae1d665fe7926102197b47bfba6c7ed5493b3ae
    SHA512: f78efe9d1fa7d2ffc731d5f878f81e4dcbfaf0c561fdfbf4c133ba2ce1366c95c4672d67cae6a8bd8fcc7d04861a9da389d98361055ac46fc9793828d9776511

  • memory/2640-107-0x0000000002740000-0x0000000002750000-memory.dmp
    Filesize: 64KB

  • memory/2932-81-0x0000000010000000-0x0000000010036000-memory.dmp
    Filesize: 216KB