Analysis
max time kernel: 148s
max time network: 127s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 06/04/2024, 14:54

Static task: static1

Behavioral task: behavioral1
  Sample: e2c9c053a8ecbbee1ee3ab3a38223ff1_JaffaCakes118.exe
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample: e2c9c053a8ecbbee1ee3ab3a38223ff1_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
General
Target: e2c9c053a8ecbbee1ee3ab3a38223ff1_JaffaCakes118.exe
Size: 56KB
MD5: e2c9c053a8ecbbee1ee3ab3a38223ff1
SHA1: de140d66f709865a7c08beff50128e148258851e
SHA256: 0854402a5f5c134b28a963677bf101f4783d0832e35aa4c98a005a54c623b981
SHA512: 40e3c6c462c595524c492a8fcbb51e1b5e8f1e0b0212735c8e6672f3fab7874d8e641358d14ad2f3f519164ce9006885d9da38e194ef0f0e88b6ef2d52899bb3
SSDEEP: 384:X5992T/rFfJOSsgLRPaY05OipIrdUWIU2Vi/0HrAeAlgIER/cDyMopPfQ3rH6kG3:X59yrj4g47IvxMIEQazE5AhXN
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe, C:\\System Volume Information\\_restore{5BF8436B-A928-4855-4F90-0F42F2E55AA3}\\RP0\\A0000001.exe" | e2c9c053a8ecbbee1ee3ab3a38223ff1_JaffaCakes118.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe, C:\\System Volume Information\\_restore{5BF8436B-A928-4855-4F90-0F42F2E55AA3}\\RP0\\A0000001.exe" | bootconfig.exe
- Modifies visibility of file extensions in Explorer (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | e2c9c053a8ecbbee1ee3ab3a38223ff1_JaffaCakes118.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | bootconfig.exe
- Disables RegEdit via registry modification (2 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "0" | e2c9c053a8ecbbee1ee3ab3a38223ff1_JaffaCakes118.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "0" | bootconfig.exe
- Executes dropped EXE (2 IoCs)
  pid | Process
  1784 | bootconfig.exe
  2192 | bootconfig.exe
- Loads dropped DLL (4 IoCs)
  pid | Process
  2772 | e2c9c053a8ecbbee1ee3ab3a38223ff1_JaffaCakes118.exe
  2772 | e2c9c053a8ecbbee1ee3ab3a38223ff1_JaffaCakes118.exe
  1784 | bootconfig.exe
  1784 | bootconfig.exe
- Adds Run key to start application (2 TTPs, 6 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Confg = "C:\\Windows\\SYSTEM32\\bootconfig.exe" | bootconfig.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\(Default) = "C:\\System Volume Information\\(Default).vbs" | bootconfig.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Multimedia = "C:\\Windows\\windebug.exe" | e2c9c053a8ecbbee1ee3ab3a38223ff1_JaffaCakes118.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Confg = "C:\\Windows\\SYSTEM32\\bootconfig.exe" | e2c9c053a8ecbbee1ee3ab3a38223ff1_JaffaCakes118.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\(Default) = "C:\\System Volume Information\\(Default).vbs" | e2c9c053a8ecbbee1ee3ab3a38223ff1_JaffaCakes118.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Multimedia = "C:\\Windows\\windebug.exe" | bootconfig.exe
- Enumerates connected drives (3 TTPs, 21 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | Process
  File opened (read-only) | \??\k: | bootconfig.exe
  File opened (read-only) | \??\s: | bootconfig.exe
  File opened (read-only) | \??\v: | bootconfig.exe
  File opened (read-only) | \??\y: | bootconfig.exe
  File opened (read-only) | \??\i: | bootconfig.exe
  File opened (read-only) | \??\g: | bootconfig.exe
  File opened (read-only) | \??\h: | bootconfig.exe
  File opened (read-only) | \??\n: | bootconfig.exe
  File opened (read-only) | \??\o: | bootconfig.exe
  File opened (read-only) | \??\p: | bootconfig.exe
  File opened (read-only) | \??\r: | bootconfig.exe
  File opened (read-only) | \??\e: | bootconfig.exe
  File opened (read-only) | \??\m: | bootconfig.exe
  File opened (read-only) | \??\x: | bootconfig.exe
  File opened (read-only) | \??\z: | bootconfig.exe
  File opened (read-only) | \??\j: | bootconfig.exe
  File opened (read-only) | \??\q: | bootconfig.exe
  File opened (read-only) | \??\t: | bootconfig.exe
  File opened (read-only) | \??\u: | bootconfig.exe
  File opened (read-only) | \??\w: | bootconfig.exe
  File opened (read-only) | \??\l: | bootconfig.exe
- Drops file in System32 directory (3 IoCs)
  description | ioc | Process
  File created | C:\Windows\SysWOW64\bootconfig.exe | e2c9c053a8ecbbee1ee3ab3a38223ff1_JaffaCakes118.exe
  File opened for modification | C:\Windows\SysWOW64\bootconfig.exe | bootconfig.exe
  File opened for modification | C:\Windows\SysWOW64\bootconfig.exe | e2c9c053a8ecbbee1ee3ab3a38223ff1_JaffaCakes118.exe
- Drops file in Windows directory (3 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\windebug.exe | e2c9c053a8ecbbee1ee3ab3a38223ff1_JaffaCakes118.exe
  File created | C:\Windows\windebug.exe | e2c9c053a8ecbbee1ee3ab3a38223ff1_JaffaCakes118.exe
  File opened for modification | C:\Windows\windebug.exe | bootconfig.exe
- Suspicious use of SetWindowsHookEx (3 IoCs)
  pid | Process
  2772 | e2c9c053a8ecbbee1ee3ab3a38223ff1_JaffaCakes118.exe
  1784 | bootconfig.exe
  2192 | bootconfig.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | Process | procid_target
  PID 2772 wrote to memory of 1784 | 2772 | e2c9c053a8ecbbee1ee3ab3a38223ff1_JaffaCakes118.exe | 28
  PID 2772 wrote to memory of 1784 | 2772 | e2c9c053a8ecbbee1ee3ab3a38223ff1_JaffaCakes118.exe | 28
  PID 2772 wrote to memory of 1784 | 2772 | e2c9c053a8ecbbee1ee3ab3a38223ff1_JaffaCakes118.exe | 28
  PID 2772 wrote to memory of 1784 | 2772 | e2c9c053a8ecbbee1ee3ab3a38223ff1_JaffaCakes118.exe | 28
  PID 1784 wrote to memory of 2192 | 1784 | bootconfig.exe | 29
  PID 1784 wrote to memory of 2192 | 1784 | bootconfig.exe | 29
  PID 1784 wrote to memory of 2192 | 1784 | bootconfig.exe | 29
  PID 1784 wrote to memory of 2192 | 1784 | bootconfig.exe | 29
Processes
1. C:\Users\Admin\AppData\Local\Temp\e2c9c053a8ecbbee1ee3ab3a38223ff1_JaffaCakes118.exe (PID 2772)
   Command line: "C:\Users\Admin\AppData\Local\Temp\e2c9c053a8ecbbee1ee3ab3a38223ff1_JaffaCakes118.exe"
   - Modifies WinLogon for persistence
   - Modifies visibility of file extensions in Explorer
   - Disables RegEdit via registry modification
   - Loads dropped DLL
   - Adds Run key to start application
   - Drops file in System32 directory
   - Drops file in Windows directory
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\bootconfig.exe (PID 1784)
      Command line: C:\Windows\SYSTEM32\bootconfig.exe
      - Modifies WinLogon for persistence
      - Modifies visibility of file extensions in Explorer
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\bootconfig.exe (PID 2192)
         Command line: C:\Windows\SYSTEM32\bootconfig.exe
         - Executes dropped EXE
         - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Defense Evasion
  Hide Artifacts (1)
    Hidden Files and Directories (1)
  Modify Registry (3)
Downloads
- e2c9c053a8ecbbee1ee3ab3a38223ff1_JaffaCakes118.exe
  Filesize: 56KB
  MD5: e2c9c053a8ecbbee1ee3ab3a38223ff1
  SHA1: de140d66f709865a7c08beff50128e148258851e
  SHA256: 0854402a5f5c134b28a963677bf101f4783d0832e35aa4c98a005a54c623b981
  SHA512: 40e3c6c462c595524c492a8fcbb51e1b5e8f1e0b0212735c8e6672f3fab7874d8e641358d14ad2f3f519164ce9006885d9da38e194ef0f0e88b6ef2d52899bb3