Analysis

max time kernel: 120s
max time network: 132s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 07/04/2024, 18:25
Static task: static1

Behavioral task: behavioral1
  Sample: e592d49574997f539f7c2a625cb5f8f4_JaffaCakes118.exe
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample: e592d49574997f539f7c2a625cb5f8f4_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
General

Target: e592d49574997f539f7c2a625cb5f8f4_JaffaCakes118.exe
Size: 43KB
MD5: e592d49574997f539f7c2a625cb5f8f4
SHA1: 3aca853c85b048988f5a6f8c8bf742b42c751e0a
SHA256: 2795fe0cd337d04014c0174166a3528a955439fe3fbd8d054637f8e6e73fb2ff
SHA512: 740f9445b7816191a73a996d24e047969996adf21a0050bd3d2d52fd9299b5ce992e282b407e71eb17671d8cf7063856313b2d040139790ec10232eb3ecac4fb
SSDEEP: 768:j6eLfhoEXniM3Nu3+7AzdESFu/qa0G9pSCA5tyaiCcLiIWC:jlzD9Q/z5Fu/qXASVsPRW
Malware Config
Signatures

Deletes itself (1 IoCs)
  pid: 2480  process: cmd.exe

Loads dropped DLL (1 IoCs)
  pid: 1620  process: e592d49574997f539f7c2a625cb5f8f4_JaffaCakes118.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSSMSGS = "rundll32.exe winrir32.rom,nsORun"
  process: e592d49574997f539f7c2a625cb5f8f4_JaffaCakes118.exe

Drops file in System32 directory (2 IoCs)
  File created  C:\Windows\SysWOW64\winrir32.rom  e592d49574997f539f7c2a625cb5f8f4_JaffaCakes118.exe
  File opened for modification  C:\Windows\SysWOW64\winrir32.rom  e592d49574997f539f7c2a625cb5f8f4_JaffaCakes118.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Modifies Internet Explorer settings
  description  ioc  process
  Key created  \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Toolbar  iexplore.exe
  Key created  \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\GPU  iexplore.exe
  Key created  \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch  iexplore.exe
  Key created  \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Main  iexplore.exe
  Key created  \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\PageSetup  iexplore.exe
  Key created  \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser  iexplore.exe
  Key created  \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive  iexplore.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"  iexplore.exe
  Set value (int)  \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"  iexplore.exe
  Key created  \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\IETld\LowMic  iexplore.exe
  Key created  \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain  iexplore.exe
  Set value (int)  \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"  iexplore.exe
  Key created  \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\IntelliForms  iexplore.exe
  Key created  \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\LowRegistry  iexplore.exe
  Key created  \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\DomainSuggestion  iexplore.exe
  Key created  \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage  iexplore.exe
  Set value (int)  \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"  iexplore.exe
  Set value (int)  \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{35EC7E41-F50C-11EE-8B8C-DE62917EBCA6} = "0"  iexplore.exe
  Key created  \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\InternetRegistry  iexplore.exe
  Key created  \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Zoom  iexplore.exe
  Key created  \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery  iexplore.exe
  Set value (int)  \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "418676197"  iexplore.exe
  Key created  \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic  iexplore.exe
  Key created  \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Main  IEXPLORE.EXE
  Set value (str)  \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"  iexplore.exe

Suspicious use of FindShellTrayWindow (1 IoCs)
  pid: 2788  process: iexplore.exe

Suspicious use of SetWindowsHookEx (4 IoCs)
  pid: 2788  process: iexplore.exe
  pid: 2788  process: iexplore.exe
  pid: 2664  process: IEXPLORE.EXE
  pid: 2664  process: IEXPLORE.EXE

Suspicious use of WriteProcessMemory (24 IoCs)
  description  pid  process  procid_target
  PID 1620 wrote to memory of 2220  1620  e592d49574997f539f7c2a625cb5f8f4_JaffaCakes118.exe  28
  PID 1620 wrote to memory of 2220  1620  e592d49574997f539f7c2a625cb5f8f4_JaffaCakes118.exe  28
  PID 1620 wrote to memory of 2220  1620  e592d49574997f539f7c2a625cb5f8f4_JaffaCakes118.exe  28
  PID 1620 wrote to memory of 2220  1620  e592d49574997f539f7c2a625cb5f8f4_JaffaCakes118.exe  28
  PID 2220 wrote to memory of 2788  2220  cmd.exe  30
  PID 2220 wrote to memory of 2788  2220  cmd.exe  30
  PID 2220 wrote to memory of 2788  2220  cmd.exe  30
  PID 2220 wrote to memory of 2788  2220  cmd.exe  30
  PID 2788 wrote to memory of 2664  2788  iexplore.exe  31
  PID 2788 wrote to memory of 2664  2788  iexplore.exe  31
  PID 2788 wrote to memory of 2664  2788  iexplore.exe  31
  PID 2788 wrote to memory of 2664  2788  iexplore.exe  31
  PID 1620 wrote to memory of 2788  1620  e592d49574997f539f7c2a625cb5f8f4_JaffaCakes118.exe  30
  PID 1620 wrote to memory of 2788  1620  e592d49574997f539f7c2a625cb5f8f4_JaffaCakes118.exe  30
  PID 1620 wrote to memory of 2788  1620  e592d49574997f539f7c2a625cb5f8f4_JaffaCakes118.exe  30
  PID 1620 wrote to memory of 2788  1620  e592d49574997f539f7c2a625cb5f8f4_JaffaCakes118.exe  30
  PID 1620 wrote to memory of 2472  1620  e592d49574997f539f7c2a625cb5f8f4_JaffaCakes118.exe  32
  PID 1620 wrote to memory of 2472  1620  e592d49574997f539f7c2a625cb5f8f4_JaffaCakes118.exe  32
  PID 1620 wrote to memory of 2472  1620  e592d49574997f539f7c2a625cb5f8f4_JaffaCakes118.exe  32
  PID 1620 wrote to memory of 2472  1620  e592d49574997f539f7c2a625cb5f8f4_JaffaCakes118.exe  32
  PID 1620 wrote to memory of 2480  1620  e592d49574997f539f7c2a625cb5f8f4_JaffaCakes118.exe  34
  PID 1620 wrote to memory of 2480  1620  e592d49574997f539f7c2a625cb5f8f4_JaffaCakes118.exe  34
  PID 1620 wrote to memory of 2480  1620  e592d49574997f539f7c2a625cb5f8f4_JaffaCakes118.exe  34
  PID 1620 wrote to memory of 2480  1620  e592d49574997f539f7c2a625cb5f8f4_JaffaCakes118.exe  34
Processes

C:\Users\Admin\AppData\Local\Temp\e592d49574997f539f7c2a625cb5f8f4_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\e592d49574997f539f7c2a625cb5f8f4_JaffaCakes118.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID: 1620

    C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c start iexplore -embedding
      - Suspicious use of WriteProcessMemory
      PID: 2220

        C:\Program Files\Internet Explorer\iexplore.exe
          command line: "C:\Program Files\Internet Explorer\iexplore.exe" -embedding
          - Modifies Internet Explorer settings
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          PID: 2788

            C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2788 CREDAT:275457 /prefetch:2
              - Modifies Internet Explorer settings
              - Suspicious use of SetWindowsHookEx
              PID: 2664

    C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\twe401C.bat"
      PID: 2472

    C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\e592d49574997f539f7c2a625cb5f8f4_JaffaCakes118.bat"
      - Deletes itself
      PID: 2480
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 68KB
MD5: 29f65ba8e88c063813cc50a4ea544e93
SHA1: 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256: 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512: e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: 34b2e5de0846d1b172cb0be19a103be8
SHA1: 3c7a2e415e5c4325b1239d31f4cef442b05ab7ff
SHA256: d2d805d31033501b5213f2b2404edb619fb16d229076796dfac34958324fb602
SHA512: 2da28aad3cf0f6a2cc4b1225775e52630abef9efa3bf6cedcb81104bb751f030893ddb919cf83ae802cc7977173a6ff88c2a7e8e8dcd3355785d884104c76506

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: 37257f48192594e986ef6de1fc8c4a6a
SHA1: ac8e9ec71e6bc389718706d3441855658b73b0bd
SHA256: fde427828a7a6fd91b373d83596bd7c86862552dd9f6dafccf4dcacbfe1f6856
SHA512: 5c8e61ea700bc05f0b3cdf372d7869006d8ef73923228f2690ab198c4baf48bdb784b2230663b62bc2ae749dafe98180522b5e2bf5d1c75a2273bf4ea20e2f61

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: df4e29ee5befb52d67b74641a964f169
SHA1: 00ea74f87efce28d5672f54f183e74a2d19a5e13
SHA256: a03f4381f7b7c3d93a63db703404306c2922f9f15cc2a3af7d4f9ede40871959
SHA512: 21d86edeba8406dd1dbd2630bb1cd38242e581e02edbf1b510376ee0203fcca7908065f10796d468db1b852371ca070754e6d11116d361703cbd4d8ff03b6d2e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: 1aee54a05d7fc83e87cc7a2076563f89
SHA1: 86b95df78c1ade73ad5a9c750938435cd264bb28
SHA256: ce9f7bf0443f84dd25dc24267aef8c23974051a4fb067eb572583d85ba15ef2f
SHA512: e10b9e970caa8c5b6eb37ab7b208efe121f509fa5382ae8056a564a0a91d0071131b27d1dca49b314ef768b8a44c6bcbbfd945ca254ac860616f093db8074f76

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: c71668cccb4e12d72bfbefb56ae58137
SHA1: 4f8ab36de1c468d92d1b29a4107531d289c20632
SHA256: bf4659206e5aeb7ef986a843883f7790b966a1c16457c8758ec1bfcb80258bed
SHA512: cb1b7adb339a028a690008e7d95bdbbbf06df47eeae5c2a14bc824888e8fda67006fcefaa183d816a327ed375b48a640e664097fa063ea44a9735cb2a99b8d8e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: 2f3f4d9a7bf39aaaddfe4703ffa72db5
SHA1: 030cee8c1566c6c58aa09778dc16543320a25698
SHA256: 8b7024afc35efbed11c040aa27f6869ae0907b1d9151ec648fe739c0b0dae229
SHA512: 5cec63bd6b3ac1fa386b36f22c2cc192314fa5b6e8299ac466a6ca7145ed738b84e7be4b2bfd7411110ba36c78a17537d8b9aef06f4e4e87440048dee35d0ac1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: eaddb06e0e04354aae35cb04f76decdc
SHA1: a2be337a5abcebffc949443b33720e36275d4c55
SHA256: 5ef8c2a607a63702ded7400c4ca10280eee6f3ac153a524552f679125c6872d7
SHA512: daa0675e7d1b80754a4bb59d1286644610dc158385d3c9e3615a2de4bcf584f4b7e51e2528090d303d59178531cc42e4ec1336d69b4f7f78bbb90081aade7510

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: ad0610f7e74ebcee06e1dbf6b9f683a0
SHA1: b404560194e4c91b2c08b5354b54e655c0f4b766
SHA256: ffd8d1cf622fa023747d0d92ab3d706a61ff582f6add325436e93b133767e0b9
SHA512: 6c290be961427e05ea7a45e76c0ebd8e5c833f36a57f0c27a57fb5f7ab793c627c1414bc7a1d909e7c2a88d079a43e1ea24938ad5b1a46eb8e619904310e6791

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: 4017bde972a8b7771cc423e4ef2a5ad9
SHA1: 02bfa194d6dfbba49a9b873e53c42dc5d0bc4cea
SHA256: b3b6c5dcaf5d1b7ccb6ac44e8ad7254200a5079d09ddcb7023ad021d0eceabde
SHA512: 0b92a13dd5581dd5b77e25740a30b6607a7dae2e2f5c0ac603f78de633791a1d660b1844dfa9e845a81b26ffdae42091769491cca8da1a30fe66f46a51e11d14

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: 303dc73d0355707a64f0a890514acb6c
SHA1: 8037e61de26f321412333df323376ba44c2a2ddd
SHA256: 3c2ebc797df5f950331024a05d2f677585ac51da7495465e628125845a76c3d5
SHA512: 81d43649bffa94d28d488dfef59e0a818d0fda144b7d1777e8784a2014fd479f1f1025981389bb8905408c754e0c54b40dec1c3994f702100a13386578281f9d

Filesize: 65KB
MD5: ac05d27423a85adc1622c714f2cb6184
SHA1: b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256: c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512: 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Filesize: 177KB
MD5: 435a9ac180383f9fa094131b173a2f7b
SHA1: 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256: 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512: 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Filesize: 305B
MD5: 22b4da4bb3ec91eefaec419350d18b7f
SHA1: d777414397a18f00d875d5556314d56ca305aeb2
SHA256: 0d6c4cd95c947a0e6ab7107b30844498df39e739fcfc082782446e9aabd532e0
SHA512: 428e16ecb74182282022c41e1c3169eafd75a74d84d82eff1357442625301e4fb74b0a6fc618696aba1e4a294f8be7ca7b58b3d12725c9614ab6e9df9e7be83a

Filesize: 188B
MD5: 1621b3bee84869c4e0fddf9d9fcb27df
SHA1: 6e13145d000519e3fbe0d92c252afc337fd5b61e
SHA256: 29eb44b186621ade454838953add0e6c4ff5956095d0b6b973a7ad59c3bfb13b
SHA512: 2ee07ae6460da7233c24cc757b9618b4718a5d0145558cec8b9cd0744d8eb8e769a0904ca7be69992dcc5c5cfb30957f4aeabeea5183a06ad3825991287d53ec

Filesize: 32KB
MD5: 4173c8c06f92cfef803809d8688361a7
SHA1: a31fbe9f55bce6b8f1ce640fc97572b434ef42f5
SHA256: 0852005c9d2ed4c0619dee7ac05613e9a5e3b5e6b236db239e11e80ce04232fa
SHA512: f811946953d58b87e84bbb08c2a53cc33935795c4ae0b24ddbd97764c4e2dd3704eaf75a61cdb03bd7c22497da8b7d1c6f5aefd68add93bae0058a7dacbdb125