Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 149s
max time network: 121s
platform: windows7_x64
resource: win7-20240215-en
resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
submitted: 06/04/2024, 14:41
Static task: static1
Behavioral task: behavioral1
  Sample: e2c3b7f7c00a530129b4a6ca45c121f6_JaffaCakes118.exe
  Resource: win7-20240215-en
Behavioral task: behavioral2
  Sample: e2c3b7f7c00a530129b4a6ca45c121f6_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
General
Target: e2c3b7f7c00a530129b4a6ca45c121f6_JaffaCakes118.exe
Size: 48KB
MD5: e2c3b7f7c00a530129b4a6ca45c121f6
SHA1: 298e23a73a15a70826d11eb0842e4b0729c0e5a3
SHA256: b794d301da1dd4bcec3ea2911e9ccaffc96dce8e6ba3b279dd96dcfb4b622034
SHA512: 29592741c1ac3e48d20db04ed34b282289d734c647e382e11fdd41d96ca4bdf060829327337c40db9972f4ac3c822567ea875cf997a8a5dae00c85735cf265e7
SSDEEP: 768:/4OZ8qZjU9RLtUPmCEgfWrGyaQ6sQr+8hqOrlLLRhC6SwuWrwt:/4OZ8qZjU/L+zjfW9T7Qi0/RYDwult
Malware Config
Signatures
Modifies firewall policy service (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\Windows Live Guards = "C:\\Program Files (x86)\\winlogon.exe" | winlogon.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | winlogon.exe

Drops file in Drivers directory (1 IoC)
description | ioc | Process
File opened for modification | C:\Windows\System32\drivers\etc\hosts | e2c3b7f7c00a530129b4a6ca45c121f6_JaffaCakes118.exe

Executes dropped EXE (3 IoCs)
pid | Process
2532 | winlogon.exe
2144 | winlogon.exe
3036 | winlogon.exe

Loads dropped DLL (6 IoCs)
pid | Process
1268 | e2c3b7f7c00a530129b4a6ca45c121f6_JaffaCakes118.exe
2612 | e2c3b7f7c00a530129b4a6ca45c121f6_JaffaCakes118.exe
2612 | e2c3b7f7c00a530129b4a6ca45c121f6_JaffaCakes118.exe
2532 | winlogon.exe
2532 | winlogon.exe
2144 | winlogon.exe

yara_rule matches (16 IoCs)
resource | yara_rule
behavioral1/memory/2612-33-0x0000000000400000-0x0000000000412000-memory.dmp | upx
behavioral1/memory/2612-34-0x0000000000400000-0x0000000000412000-memory.dmp | upx
behavioral1/memory/2612-37-0x0000000000400000-0x0000000000412000-memory.dmp | upx
behavioral1/memory/2612-41-0x0000000000400000-0x0000000000412000-memory.dmp | upx
behavioral1/memory/2612-42-0x0000000000400000-0x0000000000412000-memory.dmp | upx
behavioral1/memory/2612-43-0x0000000000400000-0x0000000000412000-memory.dmp | upx
behavioral1/memory/2612-100-0x0000000000400000-0x0000000000412000-memory.dmp | upx
behavioral1/memory/3036-111-0x0000000000400000-0x0000000000412000-memory.dmp | upx
behavioral1/memory/3036-113-0x0000000000400000-0x0000000000412000-memory.dmp | upx
behavioral1/memory/3036-114-0x0000000000400000-0x0000000000412000-memory.dmp | upx
behavioral1/memory/3036-115-0x0000000000400000-0x0000000000412000-memory.dmp | upx
behavioral1/memory/3036-116-0x0000000000400000-0x0000000000412000-memory.dmp | upx
behavioral1/memory/3036-117-0x0000000000400000-0x0000000000412000-memory.dmp | upx
behavioral1/memory/3036-118-0x0000000000400000-0x0000000000412000-memory.dmp | upx
behavioral1/memory/3036-119-0x0000000000400000-0x0000000000412000-memory.dmp | upx
behavioral1/memory/3036-120-0x0000000000400000-0x0000000000412000-memory.dmp | upx

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Live Guards = "C:\\Program Files (x86)\\winlogon.exe" | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Live Guards = "C:\\Program Files (x86)\\winlogon.exe" | winlogon.exe

Suspicious use of SetThreadContext (4 IoCs)
description | pid | Process | procid_target
PID 1268 set thread context of 2288 | 1268 | e2c3b7f7c00a530129b4a6ca45c121f6_JaffaCakes118.exe | 28
PID 2288 set thread context of 2612 | 2288 | e2c3b7f7c00a530129b4a6ca45c121f6_JaffaCakes118.exe | 29
PID 2532 set thread context of 2144 | 2532 | winlogon.exe | 31
PID 2144 set thread context of 3036 | 2144 | winlogon.exe | 32

Drops file in Program Files directory (10 IoCs)
description | ioc | Process
File created | C:\Program Files\BearShare\Shared\ | winlogon.exe
File created | C:\Program Files\ICQ\Shared Files\ | winlogon.exe
File opened for modification | C:\Program Files (x86)\winlogon.exe | e2c3b7f7c00a530129b4a6ca45c121f6_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\winlogon.exe | winlogon.exe
File created | C:\Program Files\KAZAA | winlogon.exe
File created | C:\Program Files\Morpheus\My Shared Folder\ | winlogon.exe
File created | C:\Program Files\Grokster\My Grokster\ | winlogon.exe
File created | C:\Program Files (x86)\winlogon.exe | e2c3b7f7c00a530129b4a6ca45c121f6_JaffaCakes118.exe
File created | C:\Program Files\LimeWire\Shared | winlogon.exe
File created | C:\Program Files\eDonkey2000\incoming | winlogon.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid | Process
2612 | e2c3b7f7c00a530129b4a6ca45c121f6_JaffaCakes118.exe
2612 | e2c3b7f7c00a530129b4a6ca45c121f6_JaffaCakes118.exe
3036 | winlogon.exe
3036 | winlogon.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
1268 | e2c3b7f7c00a530129b4a6ca45c121f6_JaffaCakes118.exe
2532 | winlogon.exe

Suspicious use of WriteProcessMemory (36 IoCs)
description | pid | Process | procid_target
PID 1268 wrote to memory of 2288 | 1268 | e2c3b7f7c00a530129b4a6ca45c121f6_JaffaCakes118.exe | 28
PID 1268 wrote to memory of 2288 | 1268 | e2c3b7f7c00a530129b4a6ca45c121f6_JaffaCakes118.exe | 28
PID 1268 wrote to memory of 2288 | 1268 | e2c3b7f7c00a530129b4a6ca45c121f6_JaffaCakes118.exe | 28
PID 1268 wrote to memory of 2288 | 1268 | e2c3b7f7c00a530129b4a6ca45c121f6_JaffaCakes118.exe | 28
PID 1268 wrote to memory of 2288 | 1268 | e2c3b7f7c00a530129b4a6ca45c121f6_JaffaCakes118.exe | 28
PID 1268 wrote to memory of 2288 | 1268 | e2c3b7f7c00a530129b4a6ca45c121f6_JaffaCakes118.exe | 28
PID 1268 wrote to memory of 2288 | 1268 | e2c3b7f7c00a530129b4a6ca45c121f6_JaffaCakes118.exe | 28
PID 1268 wrote to memory of 2288 | 1268 | e2c3b7f7c00a530129b4a6ca45c121f6_JaffaCakes118.exe | 28
PID 2288 wrote to memory of 2612 | 2288 | e2c3b7f7c00a530129b4a6ca45c121f6_JaffaCakes118.exe | 29
PID 2288 wrote to memory of 2612 | 2288 | e2c3b7f7c00a530129b4a6ca45c121f6_JaffaCakes118.exe | 29
PID 2288 wrote to memory of 2612 | 2288 | e2c3b7f7c00a530129b4a6ca45c121f6_JaffaCakes118.exe | 29
PID 2288 wrote to memory of 2612 | 2288 | e2c3b7f7c00a530129b4a6ca45c121f6_JaffaCakes118.exe | 29
PID 2288 wrote to memory of 2612 | 2288 | e2c3b7f7c00a530129b4a6ca45c121f6_JaffaCakes118.exe | 29
PID 2288 wrote to memory of 2612 | 2288 | e2c3b7f7c00a530129b4a6ca45c121f6_JaffaCakes118.exe | 29
PID 2288 wrote to memory of 2612 | 2288 | e2c3b7f7c00a530129b4a6ca45c121f6_JaffaCakes118.exe | 29
PID 2288 wrote to memory of 2612 | 2288 | e2c3b7f7c00a530129b4a6ca45c121f6_JaffaCakes118.exe | 29
PID 2612 wrote to memory of 2532 | 2612 | e2c3b7f7c00a530129b4a6ca45c121f6_JaffaCakes118.exe | 30
PID 2612 wrote to memory of 2532 | 2612 | e2c3b7f7c00a530129b4a6ca45c121f6_JaffaCakes118.exe | 30
PID 2612 wrote to memory of 2532 | 2612 | e2c3b7f7c00a530129b4a6ca45c121f6_JaffaCakes118.exe | 30
PID 2612 wrote to memory of 2532 | 2612 | e2c3b7f7c00a530129b4a6ca45c121f6_JaffaCakes118.exe | 30
PID 2532 wrote to memory of 2144 | 2532 | winlogon.exe | 31
PID 2532 wrote to memory of 2144 | 2532 | winlogon.exe | 31
PID 2532 wrote to memory of 2144 | 2532 | winlogon.exe | 31
PID 2532 wrote to memory of 2144 | 2532 | winlogon.exe | 31
PID 2532 wrote to memory of 2144 | 2532 | winlogon.exe | 31
PID 2532 wrote to memory of 2144 | 2532 | winlogon.exe | 31
PID 2532 wrote to memory of 2144 | 2532 | winlogon.exe | 31
PID 2532 wrote to memory of 2144 | 2532 | winlogon.exe | 31
PID 2144 wrote to memory of 3036 | 2144 | winlogon.exe | 32
PID 2144 wrote to memory of 3036 | 2144 | winlogon.exe | 32
PID 2144 wrote to memory of 3036 | 2144 | winlogon.exe | 32
PID 2144 wrote to memory of 3036 | 2144 | winlogon.exe | 32
PID 2144 wrote to memory of 3036 | 2144 | winlogon.exe | 32
PID 2144 wrote to memory of 3036 | 2144 | winlogon.exe | 32
PID 2144 wrote to memory of 3036 | 2144 | winlogon.exe | 32
PID 2144 wrote to memory of 3036 | 2144 | winlogon.exe | 32
Processes (each process is a child of the one above it)

1. C:\Users\Admin\AppData\Local\Temp\e2c3b7f7c00a530129b4a6ca45c121f6_JaffaCakes118.exe (PID: 1268)
   Command line: "C:\Users\Admin\AppData\Local\Temp\e2c3b7f7c00a530129b4a6ca45c121f6_JaffaCakes118.exe"
   - Loads dropped DLL
   - Suspicious use of SetThreadContext
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

  2. C:\Users\Admin\AppData\Local\Temp\e2c3b7f7c00a530129b4a6ca45c121f6_JaffaCakes118.exe (PID: 2288)
     Command line: "C:\Users\Admin\AppData\Local\Temp\e2c3b7f7c00a530129b4a6ca45c121f6_JaffaCakes118.exe"
     - Suspicious use of SetThreadContext
     - Suspicious use of WriteProcessMemory

    3. C:\Users\Admin\AppData\Local\Temp\e2c3b7f7c00a530129b4a6ca45c121f6_JaffaCakes118.exe (PID: 2612)
       Command line: "C:\Users\Admin\AppData\Local\Temp\e2c3b7f7c00a530129b4a6ca45c121f6_JaffaCakes118.exe"
       - Drops file in Drivers directory
       - Loads dropped DLL
       - Drops file in Program Files directory
       - Suspicious behavior: EnumeratesProcesses
       - Suspicious use of WriteProcessMemory

      4. C:\Program Files (x86)\winlogon.exe (PID: 2532)
         Command line: "C:\Program Files (x86)\winlogon.exe"
         - Executes dropped EXE
         - Loads dropped DLL
         - Suspicious use of SetThreadContext
         - Drops file in Program Files directory
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory

        5. C:\Program Files (x86)\winlogon.exe (PID: 2144)
           Command line: "C:\Program Files (x86)\winlogon.exe"
           - Executes dropped EXE
           - Loads dropped DLL
           - Suspicious use of SetThreadContext
           - Suspicious use of WriteProcessMemory

          6. C:\Program Files (x86)\winlogon.exe (PID: 3036)
             Command line: "C:\Program Files (x86)\winlogon.exe"
             - Modifies firewall policy service
             - Executes dropped EXE
             - Adds Run key to start application
             - Drops file in Program Files directory
             - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads

Filesize: 48KB
MD5: e2c3b7f7c00a530129b4a6ca45c121f6
SHA1: 298e23a73a15a70826d11eb0842e4b0729c0e5a3
SHA256: b794d301da1dd4bcec3ea2911e9ccaffc96dce8e6ba3b279dd96dcfb4b622034
SHA512: 29592741c1ac3e48d20db04ed34b282289d734c647e382e11fdd41d96ca4bdf060829327337c40db9972f4ac3c822567ea875cf997a8a5dae00c85735cf265e7

Filesize: 2KB
MD5: 7d789ed47fe14ba828e907e46035499d
SHA1: 7b5fe9025f5fffc1639c604b3784db333de2c459
SHA256: b286ea5967864bdd4188e60d22830ebd92cedb7ba1f5119b313eb03b2b174a19
SHA512: afc27bbc66b740d8dc8e82639ab1487d486e2fd002c21edfd78e791877569168906243048ee23e86a9cd1cd365579e279340221b9181d055b1334f90053d4541