Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system -
submitted
28/03/2024, 09:28
Static task
static1
Behavioral task
behavioral1
Sample
022cdd46e12a85a8d03339eba5b19997_JaffaCakes118.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
022cdd46e12a85a8d03339eba5b19997_JaffaCakes118.exe
Resource
win10v2004-20240226-en
General
-
Target
022cdd46e12a85a8d03339eba5b19997_JaffaCakes118.exe
-
Size
463KB
-
MD5
022cdd46e12a85a8d03339eba5b19997
-
SHA1
efdd42cddb3acf19f5304e9072cfb5fc7da6d32e
-
SHA256
c8d543bd6e7932a1ec3dc31da1743ff78878eff55a741d276ef8f3f5bae73575
-
SHA512
23b9f6c3bff1333939861fa231f5b40652bc15e40f0c04ac6cf89326ce65c579e02842c5f9fdb6117d237c240d446e9e0e93559002c0176ad12ac4a307a5fe69
-
SSDEEP
6144:47kWcDpi78KSrafqV5areuyFwBqgmGNGXN/O8OCLF1Lkl1QMyBVk/7bgRmg+LAKG:47lc87eqqV5e+wBV6O+K/Cm1Lxgp
Malware Config
Signatures
-
Executes dropped EXE 3 IoCs
pid Process 2952 mounINFO.exe 2604 ~16EA.tmp 2708 bitseout.exe -
Loads dropped DLL 3 IoCs
pid Process 2092 022cdd46e12a85a8d03339eba5b19997_JaffaCakes118.exe 2092 022cdd46e12a85a8d03339eba5b19997_JaffaCakes118.exe 2952 mounINFO.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\rasdeown = "C:\\Users\\Admin\\AppData\\Roaming\\ctfmltMC\\mounINFO.exe" 022cdd46e12a85a8d03339eba5b19997_JaffaCakes118.exe -
Drops file in System32 directory 1 IoCs
description ioc Process File created C:\Windows\SysWOW64\bitseout.exe 022cdd46e12a85a8d03339eba5b19997_JaffaCakes118.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2952 mounINFO.exe 1156 Explorer.EXE 1156 Explorer.EXE 1156 Explorer.EXE 1156 Explorer.EXE 1156 Explorer.EXE 1156 Explorer.EXE 1156 Explorer.EXE 1156 Explorer.EXE 1156 Explorer.EXE 1156 Explorer.EXE 1156 Explorer.EXE 1156 Explorer.EXE 1156 Explorer.EXE 1156 Explorer.EXE 1156 Explorer.EXE 1156 Explorer.EXE 1156 Explorer.EXE 1156 Explorer.EXE 1156 Explorer.EXE 1156 Explorer.EXE 1156 Explorer.EXE 1156 Explorer.EXE 1156 Explorer.EXE 1156 Explorer.EXE 1156 Explorer.EXE 1156 Explorer.EXE 1156 Explorer.EXE 1156 Explorer.EXE 1156 Explorer.EXE 1156 Explorer.EXE 1156 Explorer.EXE 1156 Explorer.EXE 1156 Explorer.EXE 1156 Explorer.EXE 1156 Explorer.EXE 1156 Explorer.EXE 1156 Explorer.EXE 1156 Explorer.EXE 1156 Explorer.EXE 1156 Explorer.EXE 1156 Explorer.EXE 1156 Explorer.EXE 1156 Explorer.EXE 1156 Explorer.EXE 1156 Explorer.EXE 1156 Explorer.EXE 1156 Explorer.EXE 1156 Explorer.EXE 1156 Explorer.EXE 1156 Explorer.EXE 1156 Explorer.EXE 1156 Explorer.EXE 1156 Explorer.EXE 1156 Explorer.EXE 1156 Explorer.EXE 1156 Explorer.EXE 1156 Explorer.EXE 1156 Explorer.EXE 1156 Explorer.EXE 1156 Explorer.EXE 1156 Explorer.EXE 1156 Explorer.EXE 1156 Explorer.EXE -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2952 mounINFO.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 2092 wrote to memory of 2952 2092 022cdd46e12a85a8d03339eba5b19997_JaffaCakes118.exe 28 PID 2092 wrote to memory of 2952 2092 022cdd46e12a85a8d03339eba5b19997_JaffaCakes118.exe 28 PID 2092 wrote to memory of 2952 2092 022cdd46e12a85a8d03339eba5b19997_JaffaCakes118.exe 28 PID 2092 wrote to memory of 2952 2092 022cdd46e12a85a8d03339eba5b19997_JaffaCakes118.exe 28 PID 2952 wrote to memory of 2604 2952 mounINFO.exe 29 PID 2952 wrote to memory of 2604 2952 mounINFO.exe 29 PID 2952 wrote to memory of 2604 2952 mounINFO.exe 29 PID 2952 wrote to memory of 2604 2952 mounINFO.exe 29 PID 2604 wrote to memory of 1156 2604 ~16EA.tmp 20
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1156 -
C:\Users\Admin\AppData\Local\Temp\022cdd46e12a85a8d03339eba5b19997_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\022cdd46e12a85a8d03339eba5b19997_JaffaCakes118.exe"2⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2092 -
C:\Users\Admin\AppData\Roaming\ctfmltMC\mounINFO.exe"C:\Users\Admin\AppData\Roaming\ctfmltMC"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2952 -
C:\Users\Admin\AppData\Local\Temp\~16EA.tmp1156 474632 2952 14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2604
-
-
-
-
C:\Windows\SysWOW64\bitseout.exeC:\Windows\SysWOW64\bitseout.exe -s1⤵
- Executes dropped EXE
PID:2708
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8KB
MD586dc243576cf5c7445451af37631eea9
SHA199a81c47c4c02f32c0ab456bfa23c306c7a09bf9
SHA25625d2a671e1b5b5b95697ac0234ce4d46e0d0894919521b54aabebd9daecf994a
SHA512c7310524f9b65f811146c1eb6ae944966351ac88a95fbc1ac422d8810730e5e212a7e28090ad758ea23c96ba38073e7fcf42460575e7f09dbc759a45c5d5a4a4
-
Filesize
463KB
MD5c879637367dca33847c5ca859041b92a
SHA1ae84826a1916c0f3be187e802bf43a22684d085d
SHA256687882142f94841e1db327888bb4f0d42c89429ec73800b21234b739c4f5f71c
SHA51264821fda788d96f1669018cd2349d28020f17b85b3fc36c236f9df7d1eb6d427bb7c6e18f14091839a930f1fc8e02f1d2bd88e1472e577d9b7995da70c7848fd