Analysis
  max time kernel: 144s
  max time network: 131s
  platform: windows7_x64
  resource: win7-20231129-en
  resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  submitted: 07/04/2024, 23:21
Static task: static1
Behavioral task: behavioral1
  Sample: e6195002fecd1cd970e80ab5b2318974_JaffaCakes118.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: e6195002fecd1cd970e80ab5b2318974_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
General
  Target: e6195002fecd1cd970e80ab5b2318974_JaffaCakes118.exe
  Size: 23KB
  MD5: e6195002fecd1cd970e80ab5b2318974
  SHA1: c40a15e0f8b2e521f0ae481b3339d2893970a178
  SHA256: bbe0a9199a171bdb993b8882ab6625a34304a2fa8889ff37b7e6b281d699cbe5
  SHA512: 445ca53a48fb6b04ca9f333a9aa9cdd311ee3e6b82a7c60ba168bd2e7525a0066a0dc04462064ebd339b6ba2db3ac3f7fde26cafe6f4484c5d4abafa412d742d
  SSDEEP: 384:TtkAsyopTxyeDSsKR8wFB0M0Ro551Fa+wmG9C41fKV5uakl5kNzIyeqgbueo:aAsJRDSsKRfB0M0Ro55fomGw6fKeaWk9
Malware Config
Signatures
- Disables Task Manager via registry modification
- Modifies Windows Firewall (2 TTPs, 2 IoCs)
    pid  | Process
    2044 | netsh.exe
    2644 | netsh.exe
- Sets service image path in registry (2 TTPs, 1 IoCs)
    description     | ioc | Process
    Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Driver\ImagePath = "\\??\\C:\\Windows\\system32\\kernelw.sys" | e6195002fecd1cd970e80ab5b2318974_JaffaCakes118.exe
- Executes dropped EXE (1 IoCs)
    pid  | Process
    2360 | kernelwind32.exe
- Loads dropped DLL (2 IoCs)
    pid  | Process
    3040 | e6195002fecd1cd970e80ab5b2318974_JaffaCakes118.exe
    3040 | e6195002fecd1cd970e80ab5b2318974_JaffaCakes118.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
    description     | ioc | Process
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System = "C:\\Windows\\system32\\kernelwind32.exe" | e6195002fecd1cd970e80ab5b2318974_JaffaCakes118.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System = "C:\\Windows\\system32\\kernelwind32.exe" | kernelwind32.exe
- Drops file in System32 directory (6 IoCs)
    description                  | ioc | Process
    File opened for modification | C:\Windows\SysWOW64\kernelw.sys | e6195002fecd1cd970e80ab5b2318974_JaffaCakes118.exe
    File created                 | C:\Windows\SysWOW64\kernelwind32.exe | e6195002fecd1cd970e80ab5b2318974_JaffaCakes118.exe
    File opened for modification | C:\Windows\SysWOW64\kernelwind32.exe | e6195002fecd1cd970e80ab5b2318974_JaffaCakes118.exe
    File created                 | C:\Windows\SysWOW64\kernelwind32.exe | kernelwind32.exe
    File created                 | C:\Windows\SysWOW64\dllh8jkd1q8.exe | kernelwind32.exe
    File opened for modification | C:\Windows\SysWOW64\dllh8jkd1q8.exe | kernelwind32.exe
- Suspicious behavior: LoadsDriver (1 IoCs)
    pid  | Process
    3040 | e6195002fecd1cd970e80ab5b2318974_JaffaCakes118.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
    description                   | pid  | Process
    Token: SeLoadDriverPrivilege  | 3040 | e6195002fecd1cd970e80ab5b2318974_JaffaCakes118.exe
    Token: SeLoadDriverPrivilege  | 2360 | kernelwind32.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
    description                       | pid  | Process | procid_target
    PID 3040 wrote to memory of 2044  | 3040 | e6195002fecd1cd970e80ab5b2318974_JaffaCakes118.exe | 28
    PID 3040 wrote to memory of 2044  | 3040 | e6195002fecd1cd970e80ab5b2318974_JaffaCakes118.exe | 28
    PID 3040 wrote to memory of 2044  | 3040 | e6195002fecd1cd970e80ab5b2318974_JaffaCakes118.exe | 28
    PID 3040 wrote to memory of 2044  | 3040 | e6195002fecd1cd970e80ab5b2318974_JaffaCakes118.exe | 28
    PID 3040 wrote to memory of 2360  | 3040 | e6195002fecd1cd970e80ab5b2318974_JaffaCakes118.exe | 30
    PID 3040 wrote to memory of 2360  | 3040 | e6195002fecd1cd970e80ab5b2318974_JaffaCakes118.exe | 30
    PID 3040 wrote to memory of 2360  | 3040 | e6195002fecd1cd970e80ab5b2318974_JaffaCakes118.exe | 30
    PID 3040 wrote to memory of 2360  | 3040 | e6195002fecd1cd970e80ab5b2318974_JaffaCakes118.exe | 30
    PID 2360 wrote to memory of 2644  | 2360 | kernelwind32.exe | 31
    PID 2360 wrote to memory of 2644  | 2360 | kernelwind32.exe | 31
    PID 2360 wrote to memory of 2644  | 2360 | kernelwind32.exe | 31
    PID 2360 wrote to memory of 2644  | 2360 | kernelwind32.exe | 31
Processes
- C:\Users\Admin\AppData\Local\Temp\e6195002fecd1cd970e80ab5b2318974_JaffaCakes118.exe (depth 1, PID: 3040)
  Command line: "C:\Users\Admin\AppData\Local\Temp\e6195002fecd1cd970e80ab5b2318974_JaffaCakes118.exe"
  - Sets service image path in registry
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\netsh.exe (depth 2, PID: 2044)
    Command line: netsh firewall set allowedprogram 'C:\Users\Admin\AppData\Local\Temp\e6195002fecd1cd970e80ab5b2318974_JaffaCakes118.exe' enable
    - Modifies Windows Firewall
  - C:\Windows\SysWOW64\kernelwind32.exe (depth 2, PID: 2360)
    Command line: C:\Windows\system32\kernelwind32.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe (depth 3, PID: 2644)
      Command line: netsh firewall set allowedprogram 'C:\Windows\SysWOW64\kernelwind32.exe' enable
      - Modifies Windows Firewall
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (2)
  Create or Modify System Process (1)
    Windows Service (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (2)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads
- Filesize: 362B
  MD5: 96dacbc0d6125a5baf02d286ea2d8277
  SHA1: 726416cce8f3b661070f9b3f30ea212e4621503e
  SHA256: 393921ae383f661a60cdb247d8600242daf919f0dfb4b1061f0ab5c7a922f443
  SHA512: 8cb5e28296ad8bcc47de26780b60fc51f81006dd04775aa0332ccecff64f7434b2ef33e17ad81ca96b16c44118bbfa19fb4325aca4eeeaa93f1d767050d2c4e3
- Filesize: 23KB
  MD5: e6195002fecd1cd970e80ab5b2318974
  SHA1: c40a15e0f8b2e521f0ae481b3339d2893970a178
  SHA256: bbe0a9199a171bdb993b8882ab6625a34304a2fa8889ff37b7e6b281d699cbe5
  SHA512: 445ca53a48fb6b04ca9f333a9aa9cdd311ee3e6b82a7c60ba168bd2e7525a0066a0dc04462064ebd339b6ba2db3ac3f7fde26cafe6f4484c5d4abafa412d742d