Analysis
- max time kernel: 147s
- max time network: 147s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 06/04/2024, 14:45
Static task: static1
Behavioral task: behavioral1
  Sample: e2c5b227b63fdcb06b7ed7e6b1ef453d_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: e2c5b227b63fdcb06b7ed7e6b1ef453d_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
General
- Target: e2c5b227b63fdcb06b7ed7e6b1ef453d_JaffaCakes118.exe
- Size: 207KB
- MD5: e2c5b227b63fdcb06b7ed7e6b1ef453d
- SHA1: 5d082a6dd013b03e3cb2645813220bd8cfe221a6
- SHA256: 3a8b0c66b39809faeca7d8e618b88e15bf0ad5cceea7799ab93034127834280a
- SHA512: ca5bae235c5896f538a5a3d49ed30d90940bcc509155aab10dabfcf37e78e9dd8f8cd33ef65d1ec8ddd06ff7400a38dc61bd8aea973db793c9c1d265bbc24669
- SSDEEP: 6144:dyDhODiJ4hfV4uRxnwei8ej0EJfhs+5kKFVBfKKnsl:dymx4uR9JejNt+4VB1e
Malware Config
Signatures
- Disables taskbar notifications via registry modification
- Modifies Installed Components in the registry (2 TTPs, 1 IoC)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe
- Executes dropped EXE (1 IoC)
  pid | Process
  2932 | nfp.exe
- Loads dropped DLL (2 IoCs)
  pid | Process
  1956 | e2c5b227b63fdcb06b7ed7e6b1ef453d_JaffaCakes118.exe (2 entries)
- Modifies system executable filetype association (2 TTPs, 17 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\exefile\shell\open\command | nfp.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\exefile\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\nfp.exe\" -a \"%1\" %*" | nfp.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\exefile\shell\open\command\IsolatedCommand = "\"%1\" %*" | nfp.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\exefile\shell\start\command\IsolatedCommand = "\"%1\" %*" | nfp.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\exefile\ = "Application" | nfp.exe
  Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\exefile\shell | nfp.exe
  Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\exefile\shell\open | nfp.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\exefile\shell\runas\command\IsolatedCommand = "\"%1\" %*" | nfp.exe
  Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\exefile\shell\start | nfp.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\exefile\shell\start\command\ = "\"%1\" %*" | nfp.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\exefile\Content Type = "application/x-msdownload" | nfp.exe
  Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\exefile\DefaultIcon | nfp.exe
  Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\exefile\shell\runas | nfp.exe
  Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\exefile\shell\runas\command | nfp.exe
  Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\exefile\shell\start\command | nfp.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\exefile\DefaultIcon\ = "%1" | nfp.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\exefile\shell\runas\command\ = "\"%1\" %*" | nfp.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\ctfmon.exe = "C:\\WINDOWS\\system32\\ctfmon.exe" | nfp.exe
- Modifies registry class (41 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\.exe\shell\start\command\ = "\"%1\" %*" | nfp.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\exefile\Content Type = "application/x-msdownload" | nfp.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\exefile\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\nfp.exe\" -a \"%1\" %*" | nfp.exe
  Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\exefile\shell\runas\command | nfp.exe
  Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\.exe\shell\runas | nfp.exe
  Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\.exe\shell\runas\command | nfp.exe
  Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\exefile\shell\open\command | nfp.exe
  Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\exefile\shell\open | nfp.exe
  Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_Classes\Local Settings | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | explorer.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\nfp.exe\" -a \"%1\" %*" | nfp.exe
  Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\.exe\shell\start\command | nfp.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\.exe | nfp.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\.exe\ = "exefile" | nfp.exe
  Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\exefile | nfp.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\.exe\shell\runas\command\ = "\"%1\" %*" | nfp.exe
  Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\exefile\shell | nfp.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\exefile\shell\open\command\IsolatedCommand = "\"%1\" %*" | nfp.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\exefile\shell\runas\command\ = "\"%1\" %*" | nfp.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\exefile\shell\runas\command\IsolatedCommand = "\"%1\" %*" | nfp.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\.exe\Content Type = "application/x-msdownload" | nfp.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\.exe\DefaultIcon\ = "%1" | nfp.exe
  Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\.exe\shell\open | nfp.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*" | nfp.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\exefile\DefaultIcon\ = "%1" | nfp.exe
  Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\exefile\DefaultIcon | nfp.exe
  Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\exefile\shell\runas | nfp.exe
  Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\exefile\shell\start | nfp.exe
  Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\.exe\shell | nfp.exe
  Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\.exe\shell\open\command | nfp.exe
  Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\.exe\shell\start | nfp.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\.exe\shell\start\command\IsolatedCommand = "\"%1\" %*" | nfp.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\exefile\ = "Application" | nfp.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\exefile\shell\start\command\IsolatedCommand = "\"%1\" %*" | nfp.exe
  Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\.exe\DefaultIcon | nfp.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*" | nfp.exe
  Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\exefile\shell\start\command | nfp.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\exefile\shell\start\command\ = "\"%1\" %*" | nfp.exe
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  pid | Process
  1956 | e2c5b227b63fdcb06b7ed7e6b1ef453d_JaffaCakes118.exe (9 entries)
  2932 | nfp.exe (5 entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid | Process
  1964 | explorer.exe
- Suspicious use of AdjustPrivilegeToken (18 IoCs)
  description | pid | Process
  Token: SeShutdownPrivilege | 1964 | explorer.exe (18 entries)
- Suspicious use of FindShellTrayWindow (35 IoCs)
  pid | Process
  1964 | explorer.exe (33 entries)
  2932 | nfp.exe (2 entries)
- Suspicious use of SendNotifyMessage (20 IoCs)
  pid | Process
  1964 | explorer.exe (19 entries)
  2932 | nfp.exe (1 entry)
- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 1956 wrote to memory of 2932 | 1956 | e2c5b227b63fdcb06b7ed7e6b1ef453d_JaffaCakes118.exe | 28 (4 entries)
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\e2c5b227b63fdcb06b7ed7e6b1ef453d_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e2c5b227b63fdcb06b7ed7e6b1ef453d_JaffaCakes118.exe"
  PID: 1956
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\nfp.exe (child of PID 1956)
    Command line: "C:\Users\Admin\AppData\Local\nfp.exe" -gav C:\Users\Admin\AppData\Local\Temp\e2c5b227b63fdcb06b7ed7e6b1ef453d_JaffaCakes118.exe
    PID: 2932
    - Executes dropped EXE
    - Modifies system executable filetype association
    - Adds Run key to start application
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
- C:\Windows\explorer.exe
  Command line: explorer.exe
  PID: 1964
  - Modifies Installed Components in the registry
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (2)
- Event Triggered Execution (1)
  - Change Default File Association (1)
Downloads
- Filesize: 207KB
  MD5: c09d12b2ab052ed3ae1d9b4074f5c256
  SHA1: 24b2c5188a1f902712ad3034f90ecd4f1c131b7e
  SHA256: 48acea765828f08c93209177ffc54ff44367ec61819e8aa39178087be3d79dc0
  SHA512: 7046fab6e9c39bc36b0989607aaf77f945bfbc2a1819f7a57e51fabc8f390f592ee0e9a8f239d5c97db7f190fdbaebcaf3aad48a70bbcdbe570d791d961f37f2