Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

1

529c119d77...18.exe

windows7-x64

7

529c119d77...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    140s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17/10/2024, 16:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    529c119d77f942f4b40478de71153b31_JaffaCakes118.exe

  • Size

    6.2MB

  • MD5

    529c119d77f942f4b40478de71153b31

  • SHA1

    7fe9ef6b3697370597a051cfd9e3f1fbd495b6f2

  • SHA256

    50b817a59adb7320afe3d3ee6889b95ae1f93f097b04ad80970e4814cdfd0009

  • SHA512

    c20934a25de5cf118a622f26fe910a4c122493cb1a3fbfed89ab9e7fdda77e006e3acf10c10c41072c43819205bd4fafed86e395c94f1f7b1572b6b65914fb5d

  • SSDEEP

    98304:Bzyhh5OoQGVSreXLqdxygFEJbrTv6qk6d6CgRThIdby7vryufkFTmaSn:BzytBQte58EJb+CQTC47TyufYjSn

Score
7/10
discovery

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Blocklisted process makes network request 4 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 10 IoCs
  • Drops file in Windows directory 28 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 3 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\529c119d77f942f4b40478de71153b31_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\529c119d77f942f4b40478de71153b31_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:5064
    • C:\Windows\SysWOW64\MSIEXEC.EXE
      MSIEXEC.EXE /i "C:\ProgramData\Turning Technologies\{02A4197B-9014-40F0-B6BB-09102159EED0}\ResultsManager.msi" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp" SETUPEXENAME="529c119d77f942f4b40478de71153b31_JaffaCakes118.exe"
      2⤵
      • Blocklisted process makes network request
      • Enumerates connected drives
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:2432
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3256
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 466F6E2321C5B1FA39A806D0D6144786 C
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:4544
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
        PID:3332
      • C:\Program Files (x86)\Turning Technologies\ResultsManager\RMLanguage\langinstall.exe
        "C:\Program Files (x86)\Turning Technologies\ResultsManager\RMLanguage\langinstall.exe" 1 AllUsers "C:\Program Files (x86)\Turning Technologies\ResultsManager\"
        2⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:4056
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Checks SCSI registry key(s)
      PID:3732

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Config.Msi\e586770.rbs
      Filesize

      332KB

      MD5

      c3a3e302a9e03199834017864323a002

      SHA1

      8e3e478219ca45a2aad91d84da10b52983f85f81

      SHA256

      f723619640f1b29faf6a32a67ca722a46fbd48c5a7c9990f433dc47516af1dc9

      SHA512

      68fc59aaf41f7f241cd3398a4c0d86f496bf74bdac482544b469cc39d7d214efb0fb6a21125beb4985f89baf6df353b2a702810049340aa237dce6e4d73a6db1

      Download Submit

    • C:\Program Files (x86)\Turning Technologies\ResultsManager\RMLanguage\LangInstall.exe
      Filesize

      32KB

      MD5

      779ca48477ecf5ec91db153cc7b11710

      SHA1

      b974fa7a0de497929efe13fb87ddc55c06c0463b

      SHA256

      410c7a65524c5923ed492fe26966cd940ad967782e955417e81fe5b2135722c2

      SHA512

      92c710451e062397fed23fb209fba6ee4aaf8feac7dde2cf85511b67fe6f18c286834be0a1fb94d3792d378c0e2daabf7a029372b8a5589790f0cb35ef665f79

      Download Submit

    • C:\Program Files (x86)\Turning Technologies\ResultsManager\ResultsManager.exe
      Filesize

      5.7MB

      MD5

      654cc593b156e041cf060cbf7e3d19bd

      SHA1

      b7005acb30e92f215aef7a8e6f5d133b281d7def

      SHA256

      347c85b5b7f77f11012f154eaf1d67aac0e73ba0718ea70deeae2348ac1077cf

      SHA512

      85821dfcedb06ee2a739b1c0ee908a674cdbd4442e9d2f0ffa497c2468a5b38943bf49697461635cb35a0f2038ef676a26a51c75cc2ac4addf44f02779c11de0

      Download Submit

    • C:\ProgramData\Turning Technologies\{02A4197B-9014-40F0-B6BB-09102159EED0}\ResultsManager.msi
      Filesize

      6.7MB

      MD5

      496aa443001133bbf1711aba0d1304bf

      SHA1

      7d6f5fdbe335460bc7a79764ee4e1d88b7c3da41

      SHA256

      7152a694ba403656297f52839cff86948f1ff69170e9a84d26b289069c68af71

      SHA512

      5d462cad818344ee3accbf474bd975656650dae7bec3e1265a4421dd8cf471804b34986ceb04f6dca90a964fa9cacf7136fcf5200d3b056b26a8aaf7dc876f9a

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\486CC6AFD08942336C61FCD401C4A1D1
      Filesize

      306B

      MD5

      7ff11e99671f6f44dcf19f098a8e07d3

      SHA1

      10a36cb46f4923731166484c440402d4525a36f1

      SHA256

      58a67ff3b5d2c7436faa796b1aaa355bb2f6fa1ea15514103f53199e69f6b65e

      SHA512

      92796b3c433c5be886598bddb6f6024c65cd09149f8464697e2b4e8933a1a74bbd6bcc5d4fc4e874baa77bcfdab0b6c7a2ef60a8b8cb06c59593d16cdc684cd6

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\74BFD122C0875EC75DBE5C6DB4C59019
      Filesize

      466B

      MD5

      7be3a290648de1cbc263285b1fcca644

      SHA1

      da4dfbc6d47a07090f48f60879d0168291ebfff2

      SHA256

      3a12922397153c58dd7e4ae96251b006b4dcbc84163e23a2cd8b6a111d6c3723

      SHA512

      4464b303a95ecc35188cd10f6eb89e696d1288c152a51eac1832a5dbdc5d6c8f8ab7e5ae82948233515d53a5fe04887fbb11fd897a5165541250c473848a5b18

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E7B158B31D45761A93C56C441E33DD68_75199AA9D5EF05805982F56A43B8D77D
      Filesize

      5B

      MD5

      5bfa51f3a417b98e7443eca90fc94703

      SHA1

      8c015d80b8a23f780bdd215dc842b0f5551f63bd

      SHA256

      bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

      SHA512

      4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\486CC6AFD08942336C61FCD401C4A1D1
      Filesize

      208B

      MD5

      b657f07dccc82c8a65df883deb8f69ad

      SHA1

      d051c85afaae19d6eb2c91de454167fe34c860be

      SHA256

      be85881a8c37925e65125ff9093995ee95d619b72a4026bf644dce021debe676

      SHA512

      a136703b0dc97f9d06f011bba2a55cbaa910d75b72d49d7e5e00f37c40c5593891fc1e800a319a91da372771f302ba211b1212ba5f4a1561097e39e9cecfd30f

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\74BFD122C0875EC75DBE5C6DB4C59019
      Filesize

      242B

      MD5

      fdc7825d2b7d87c88d17fe039f393340

      SHA1

      466693d3319c1a5fe59caaa02997641dd0d13738

      SHA256

      080148dedd0453c43af77cd2fa6697e9e6daaa0a865522526ec6a6baa1a4286c

      SHA512

      2541270d65afdeae35cca9eb42a6ea1c23e4abc45bb9f6ba011104decf777c64eb9448163967f553287cc4363403b5aab1bd36a0048869597488fc8ff745df18

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E7B158B31D45761A93C56C441E33DD68_75199AA9D5EF05805982F56A43B8D77D
      Filesize

      408B

      MD5

      9851f7a320828349f16ab7600e989e77

      SHA1

      4d19698067be8544da2754ea352d7e9d01f8681d

      SHA256

      bb5649ceb2f0a9f99dfbab281040670adef5cc9ac9981e8cfeccb3870abebd90

      SHA512

      024dc4b66f3b8273c32ee6b8e026460250dcf7a7066d6d58c49a34985a004af6b481ae844e8577a96c31e2c95a5684795fd02868d662da002e105042e6a20ba0

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MSICA84.tmp
      Filesize

      122KB

      MD5

      2c65cc2f1516e8eed2f01ee5efa60c93

      SHA1

      fa8ace92bdf6cb522357384b352389d08b0464de

      SHA256

      1af4d7548834c516d02c04e13f446dfb528e01f3352eabe8a6c7528e4caffeca

      SHA512

      f5a55023883795a0c27020ffcf6b4a33c37faefa808e45afbeea1f1b8eb07c4b6a82ef4dfc729d66d8cf93f8f7ffaf3f36e0c7c1cd7cddd76934b23380567f03

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\_isB1C1.tmp
      Filesize

      1KB

      MD5

      05a53902617b8389ebe59526b29c4727

      SHA1

      5f3601007600400114e123e6921ba17d42bd4458

      SHA256

      510965c3acfc11d5544377fc014e6a45125daf21c0b215f1ec190d04116bcce5

      SHA512

      377b6a275fc5f3a2d49dea98421388ec4989d9529ae51d1778def1467e2cc600f8f28bdbde755e2a12b31b60fb80c972ebec15a78539f4aa53e7d166311ead6d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\{2DDE27BF-D05A-4BFC-90F5-99DD3080F993}\0x0409.ini
      Filesize

      21KB

      MD5

      be345d0260ae12c5f2f337b17e07c217

      SHA1

      0976ba0982fe34f1c35a0974f6178e15c238ed7b

      SHA256

      e994689a13b9448c074f9b471edeec9b524890a0d82925e98ab90b658016d8f3

      SHA512

      77040dbee29be6b136a83b9e444d8b4f71ff739f7157e451778fb4fccb939a67ff881a70483de16bcb6ae1fea64a89e00711a33ec26f4d3eea8e16c9e9553eff

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\{2DDE27BF-D05A-4BFC-90F5-99DD3080F993}\_ISMSIDEL.INI
      Filesize

      20B

      MD5

      db9af7503f195df96593ac42d5519075

      SHA1

      1b487531bad10f77750b8a50aca48593379e5f56

      SHA256

      0a33c5dffabcf31a1f6802026e9e2eef4b285e57fd79d52fdcd98d6502d14b13

      SHA512

      6839264e14576fe190260a4b82afc11c88e50593a20113483851bf4abfdb7cca9986bef83f4c6b8f98ef4d426f07024cf869e8ab393df6d2b743b9b8e2544e1b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\~B1BE.tmp
      Filesize

      5KB

      MD5

      417ca8c81188b97bae37f583ff96204e

      SHA1

      9a0224380f6c4b2b93ab3a9b53b3497ddc2071da

      SHA256

      70ed121b453afb372a84fb141ddb63795cd3a3738e46dd4300e4d2554adf597d

      SHA512

      87aea8084c0fce3184a833ecc0b26af7548aa98f7241d7eb84f6d799f782321d9efbdbb614eeccbf8c4a015a0105bd4f3bd4228efb7d507deab104cf228c4aa7

      Download Submit

    • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
      Filesize

      24.1MB

      MD5

      e466583a91fb676a4d53d78ab81626a3

      SHA1

      684ea3b84e391aa2fa23faa8053cb1a296ce4204

      SHA256

      4a970b8812a87154456293ef9a5a506792797816566cec0b9a6950620b1b546f

      SHA512

      83a9a91764d60f1ccdbfeefe82f8445737ccc6e2ec34c5b0c9d853dc8fce618cf2d63aa4e614358bf7db330f8163856b515de7415b5349515365d99239964ba6

      Download Submit

    • \??\Volume{f0eec59f-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{8c941140-4426-491c-b052-64116bd4c0ed}_OnDiskSnapshotProp
      Filesize

      6KB

      MD5

      4a039f5e70fbf7c8445a91a0a6dd0e0a

      SHA1

      087a153ed84f4a66d2085b1810892ed9f44d8c5c

      SHA256

      72b2af44f67c9851542f53ddb268b0c1a86e4e72389727b376036fad3a575e07

      SHA512

      929dec51f6ff1c0d31cbe6723bf00c6264ae54bb17c07969a50e164177c0bbcfb6bb34edb124afe8e497ff4e756eb4817e7c5569baadcc5bb4ea4ff43e5e150d

      Download Submit