Analysis
- max time kernel: 150s
- max time network: 138s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 07/04/2024, 18:20
Static task: static1
Behavioral task: behavioral1
- Sample: e590aaff79ca23eee0a6b4876bd8d75a_JaffaCakes118.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: e590aaff79ca23eee0a6b4876bd8d75a_JaffaCakes118.exe
- Resource: win10v2004-20240226-en
General
- Target: e590aaff79ca23eee0a6b4876bd8d75a_JaffaCakes118.exe
- Size: 298KB
- MD5: e590aaff79ca23eee0a6b4876bd8d75a
- SHA1: f669c4f2ef5118ef8f448c1167e7077fa177cab8
- SHA256: 55b224df6ca9593755fd06307b3208bfd8ddee2dcfc66ebab02f172a90cf155d
- SHA512: f6db32186638e9de41f927f9e4b31c41958646780538ab4dbb96a5a2da09213aa94fba5ac45605c2ad4620232e6409344e8ffb9a784d144e667c35206a9301f5
- SSDEEP: 6144:OawKHWSIg118HWULKjC7Cif1mO45xZVN0cp0cyIB:OejIaC7Cy45xZko0cyIB
Malware Config
Signatures

Executes dropped EXE 1 IoCs
pid | Process
2500 | bamed.exe

Loads dropped DLL 2 IoCs
pid | Process
996 | e590aaff79ca23eee0a6b4876bd8d75a_JaffaCakes118.exe
996 | e590aaff79ca23eee0a6b4876bd8d75a_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\{7770FDC8-846D-AD4E-26F1-2C003EAC0F1D} = "C:\\Users\\Admin\\AppData\\Roaming\\Yrib\\bamed.exe" | bamed.exe

Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 996 set thread context of 2932 | 996 | e590aaff79ca23eee0a6b4876bd8d75a_JaffaCakes118.exe | 29

Program crash 1 IoCs
pid | pid_target | Process | procid_target
1568 | 2932 | WerFault.exe | 29
Modifies Internet Explorer settings 2 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Privacy | e590aaff79ca23eee0a6b4876bd8d75a_JaffaCakes118.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0" | e590aaff79ca23eee0a6b4876bd8d75a_JaffaCakes118.exe
Suspicious behavior: EnumeratesProcesses 31 IoCs
pid | Process | events
2500 | bamed.exe | 31 (identical rows collapsed)

Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process | events
Token: SeSecurityPrivilege | 996 | e590aaff79ca23eee0a6b4876bd8d75a_JaffaCakes118.exe | 3 (identical rows collapsed)

Suspicious use of UnmapMainImage 2 IoCs
pid | Process
996 | e590aaff79ca23eee0a6b4876bd8d75a_JaffaCakes118.exe
2500 | bamed.exe

Suspicious use of WriteProcessMemory 52 IoCs (identical rows collapsed; the events column gives the count per source/target pair)
description | pid | Process | procid_target | events
PID 996 wrote to memory of 2500 | 996 | e590aaff79ca23eee0a6b4876bd8d75a_JaffaCakes118.exe | 28 | 4
PID 2500 wrote to memory of 1080 | 2500 | bamed.exe | 18 | 5
PID 2500 wrote to memory of 1180 | 2500 | bamed.exe | 20 | 5
PID 2500 wrote to memory of 1212 | 2500 | bamed.exe | 21 | 5
PID 2500 wrote to memory of 1732 | 2500 | bamed.exe | 23 | 5
PID 2500 wrote to memory of 996 | 2500 | bamed.exe | 27 | 5
PID 996 wrote to memory of 2932 | 996 | e590aaff79ca23eee0a6b4876bd8d75a_JaffaCakes118.exe | 29 | 9
PID 2932 wrote to memory of 1568 | 2932 | cmd.exe | 31 | 4
PID 2500 wrote to memory of 984 | 2500 | bamed.exe | 30 | 5
PID 2500 wrote to memory of 1568 | 2500 | bamed.exe | 31 | 5
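The signature tables above are raw event rows. The script below is an added example, not code from tria.ge or from the sample: it transcribes those rows into Python and correlates them into the three findings an analyst would pull out of this report: WriteProcessMemory followed by SetThreadContext on the same target (the process-hollowing sequence, here PID 996 into cmd.exe PID 2932, which then crashed under WerFault), WriteProcessMemory into processes the writer did not create (bamed.exe PID 2500 into every other process in the session), and a Run value pointing into a user profile directory. The event schema, the parent/child table read off the process tree, and the list of user-writable path markers are assumptions of this example.

```python
"""Correlate the signature rows from the sandbox report above into findings.

Added example, not tria.ge code. The tables below are transcribed from the
IoC rows on the page (WriteProcessMemory rows collapsed to a count per
source/target pair); the schema and both heuristics are assumptions."""

# (source pid, target pid) -> number of WriteProcessMemory events (52 on the page)
WRITE_PROCESS_MEMORY = {
    (996, 2500): 4,
    (2500, 1080): 5,
    (2500, 1180): 5,
    (2500, 1212): 5,
    (2500, 1732): 5,
    (2500, 996): 5,
    (996, 2932): 9,
    (2932, 1568): 4,
    (2500, 984): 5,
    (2500, 1568): 5,
}
SET_THREAD_CONTEXT = {(996, 2932)}   # source pid set the thread context of target pid
PROGRAM_CRASH = {2932}               # WerFault.exe -u -p 2932
# Parent pid per child, read off the process tree (session-level processes omitted)
PARENTS = {996: 1212, 2500: 996, 2932: 996, 1568: 2932}
IMAGES = {
    984: "conhost.exe", 996: "e590aaff79ca23eee0a6b4876bd8d75a_JaffaCakes118.exe",
    1080: "taskhost.exe", 1180: "Dwm.exe", 1212: "Explorer.EXE", 1568: "WerFault.exe",
    1732: "DllHost.exe", 2500: "bamed.exe", 2932: "cmd.exe",
}
RUN_KEYS = {
    r"\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft"
    r"\Windows\CurrentVersion\Run\{7770FDC8-846D-AD4E-26F1-2C003EAC0F1D}":
        r"C:\Users\Admin\AppData\Roaming\Yrib\bamed.exe",
}
# Profile locations a legitimate autostart rarely points at (assumption of this example)
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")


def hollowing_chains():
    """(source, target) pairs where the source wrote into the target and also
    reset a thread context in it: the process-hollowing sequence."""
    return sorted(pair for pair in SET_THREAD_CONTEXT if pair in WRITE_PROCESS_MEMORY)


def crashed_hollow_targets():
    """Hollowed targets that were afterwards handed to WerFault."""
    return sorted(t for _, t in hollowing_chains() if t in PROGRAM_CRASH)


def cross_process_writes():
    """WriteProcessMemory edges that are not parent -> own child. A parent
    writing into a child it just created shows up in this data too (996 -> 2500,
    2932 -> 1568); writes into unrelated processes are the injection pattern."""
    return sorted((s, t, n) for (s, t), n in WRITE_PROCESS_MEMORY.items()
                  if PARENTS.get(t) != s)


def injection_targets(pid):
    """PIDs that `pid` wrote into without being their parent."""
    return sorted(t for s, t, _ in cross_process_writes() if s == pid)


def suspicious_run_keys():
    """(value name, target path) for Run values whose target lives under a
    user-writable profile path."""
    return [(key.rsplit("\\", 1)[1], target) for key, target in RUN_KEYS.items()
            if any(marker in target.lower() for marker in USER_WRITABLE)]


def findings():
    """Human-readable summary of the three correlations."""
    out = []
    for s, t in hollowing_chains():
        crash = " (target later crashed)" if t in PROGRAM_CRASH else ""
        out.append(f"hollowing: {IMAGES[s]} ({s}) -> {IMAGES[t]} ({t}){crash}")
    for pid in sorted({s for s, _, _ in cross_process_writes()}):
        names = ", ".join(f"{IMAGES.get(t, '?')} ({t})" for t in injection_targets(pid))
        out.append(f"injection: {IMAGES[pid]} ({pid}) wrote into {names}")
    for name, target in suspicious_run_keys():
        out.append(f"persistence: Run\\{name} -> {target}")
    return out


if __name__ == "__main__":
    print("\n".join(findings()))
```

The parent-to-child filter matters: the report records four writes from 996 into its child 2500 and four from 2932 into its child 1568, so without it every process launch would be reported as injection. The 996 -> 2932 pair carries nine writes plus a SetThreadContext, which is what separates the hollowed cmd.exe from an ordinary child.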
Processes
(image | command line | PID; indentation follows the parent/child depth shown in the report)
- C:\Windows\system32\taskhost.exe | "taskhost.exe" | PID 1080
- C:\Windows\system32\Dwm.exe | "C:\Windows\system32\Dwm.exe" | PID 1180
- C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID 1212
  - C:\Users\Admin\AppData\Local\Temp\e590aaff79ca23eee0a6b4876bd8d75a_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\e590aaff79ca23eee0a6b4876bd8d75a_JaffaCakes118.exe" | PID 996
    signatures: Loads dropped DLL; Suspicious use of SetThreadContext; Modifies Internet Explorer settings; Suspicious use of AdjustPrivilegeToken; Suspicious use of UnmapMainImage; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\Yrib\bamed.exe | "C:\Users\Admin\AppData\Roaming\Yrib\bamed.exe" | PID 2500
      signatures: Executes dropped EXE; Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of UnmapMainImage; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpae6e0ada.bat" | PID 2932
      signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2932 -s 112 | PID 1568
        signatures: Program crash
- C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID 1732
- C:\Windows\system32\conhost.exe | \??\C:\Windows\system32\conhost.exe "1504921251-16068321974138200161081262029-5459315101976628977-330411607-1834900375" | PID 984
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 380B
  MD5: 6eec68a30d02befefeea69ec678db7f7
  SHA1: c3f0507747f008d80bd65c7f61678b6d322e3941
  SHA256: d7be2673a25b66034f6bc705517928833614009481402ae484046299e2344e88
  SHA512: d63564c2887b1aa4aa97bf053072f49c09637fa3bb450bed61eb208eb9169a14287161f268a83938f5f7dbb2959f09172c8847821ef1045abae949c64c8a0e05
- Filesize: 298KB
  MD5: 4060467fa300967e2bf5cd96c411a92a
  SHA1: 76bd3f2d690eaa845d19439ed067c462ef5031fa
  SHA256: d8419a71ee470784358086a5353af48c79dfb6300fb5a3fd444d96d3f8875b6d
  SHA512: 0f33a6ae0517f44fe1b86c4df05f6eddfcccd30581d4122e112dc914c5735d8ef2e3ed65766e5614f4393cf1451a92fcc19841f9c2601ec6f298616832143b1e