Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
196s -
max time network
99s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
07/04/2024, 00:04
Static task
static1
Behavioral task
behavioral1
Sample
e39b300faf337696bac224f77cbb4181_JaffaCakes118.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
e39b300faf337696bac224f77cbb4181_JaffaCakes118.exe
Resource
win10v2004-20240319-en
General
-
Target
e39b300faf337696bac224f77cbb4181_JaffaCakes118.exe
-
Size
60KB
-
MD5
e39b300faf337696bac224f77cbb4181
-
SHA1
4c816524f29b0fbcbefdc2c0038b4dfbca5e4fd1
-
SHA256
d5a34c9fd0b7f8fc33afbf0dc4f666454f31533d3a95a6e69de8eb2524003314
-
SHA512
b10f414a735c25efcf56063ff20ce5e4740c9672b22dedbd678649633485fca764844ab5f9ba9b7a95aeecd1080851ef8cdefb1e3ab2fa8d551a62ebcfc4671f
-
SSDEEP
768:FT6N6V3sLiS2tCd50MSCyfYKwtSRcltFO56VL6yjxYRlUYyiKoqQzstdwRt:FHNsLi1Cr0THCSirFO56Ln9YzUsTzRt
Malware Config
Signatures
-
Adds policy Run key to start application 2 TTPs 4 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run e39b300faf337696bac224f77cbb4181_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Cisvc = "C:\\Windows\\cisvc.exe /waitservice" e39b300faf337696bac224f77cbb4181_JaffaCakes118.exe Key created \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run e39b300faf337696bac224f77cbb4181_JaffaCakes118.exe Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\MqtgSVC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mqtgsvc.exe /waitservice" e39b300faf337696bac224f77cbb4181_JaffaCakes118.exe -
Executes dropped EXE 1 IoCs
pid Process 2440 esentutl.exe -
Loads dropped DLL 2 IoCs
pid Process 2412 e39b300faf337696bac224f77cbb4181_JaffaCakes118.exe 2412 e39b300faf337696bac224f77cbb4181_JaffaCakes118.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\cisvc.exe e39b300faf337696bac224f77cbb4181_JaffaCakes118.exe File opened for modification C:\Windows\cisvc.exe e39b300faf337696bac224f77cbb4181_JaffaCakes118.exe -
Modifies data under HKEY_USERS 10 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer e39b300faf337696bac224f77cbb4181_JaffaCakes118.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Cisvc = "C:\\Users\\Admin\\LOCALS~1\\APPLIC~1\\cisvc.exe /waitservice" e39b300faf337696bac224f77cbb4181_JaffaCakes118.exe Key created \REGISTRY\USER\.DEFAULT e39b300faf337696bac224f77cbb4181_JaffaCakes118.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows e39b300faf337696bac224f77cbb4181_JaffaCakes118.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion e39b300faf337696bac224f77cbb4181_JaffaCakes118.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies e39b300faf337696bac224f77cbb4181_JaffaCakes118.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run e39b300faf337696bac224f77cbb4181_JaffaCakes118.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run e39b300faf337696bac224f77cbb4181_JaffaCakes118.exe Key created \REGISTRY\USER\.DEFAULT\Software e39b300faf337696bac224f77cbb4181_JaffaCakes118.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft e39b300faf337696bac224f77cbb4181_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2412 wrote to memory of 2440 2412 e39b300faf337696bac224f77cbb4181_JaffaCakes118.exe 29 PID 2412 wrote to memory of 2440 2412 e39b300faf337696bac224f77cbb4181_JaffaCakes118.exe 29 PID 2412 wrote to memory of 2440 2412 e39b300faf337696bac224f77cbb4181_JaffaCakes118.exe 29 PID 2412 wrote to memory of 2440 2412 e39b300faf337696bac224f77cbb4181_JaffaCakes118.exe 29
Processes
-
C:\Users\Admin\AppData\Local\Temp\e39b300faf337696bac224f77cbb4181_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e39b300faf337696bac224f77cbb4181_JaffaCakes118.exe"1⤵
- Adds policy Run key to start application
- Loads dropped DLL
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:2412 -
C:\Users\Admin\AppData\Roaming\esentutl.exeC:\Users\Admin\AppData\Roaming\esentutl.exe /waitservice2⤵
- Executes dropped EXE
PID:2440
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60KB
MD5e39b300faf337696bac224f77cbb4181
SHA14c816524f29b0fbcbefdc2c0038b4dfbca5e4fd1
SHA256d5a34c9fd0b7f8fc33afbf0dc4f666454f31533d3a95a6e69de8eb2524003314
SHA512b10f414a735c25efcf56063ff20ce5e4740c9672b22dedbd678649633485fca764844ab5f9ba9b7a95aeecd1080851ef8cdefb1e3ab2fa8d551a62ebcfc4671f