Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 150s
max time network: 125s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 08/04/2024, 11:33
Static task: static1
Behavioral task: behavioral1
Sample: e75d27a4dec7334e548a776a58137877_JaffaCakes118.exe
Resource: win7-20240221-en
General
Target: e75d27a4dec7334e548a776a58137877_JaffaCakes118.exe
Size: 318KB
MD5: e75d27a4dec7334e548a776a58137877
SHA1: 85e46d71cd015e4714459d2fe73f6c9a066199f5
SHA256: 5e9b31834d9951e950f884bea2a45bafb99c1761fbb8b7be4301467f55795d1a
SHA512: 28669e18a2ea427fa90f11ec4ed5f024bd3a28a4602bfe091fc6155e3b2f170f9f7f245a0912aa6cca627c6bc9802d4b39a75043c57d6d5e4c4ac3896710755f
SSDEEP: 6144:TKjZaimwIqlazWEIBk4ZAs3CaYo/TRg4w6kT1kYftg5d672:dZqIzW35RFn9g311kYfi6K
Malware Config
Extracted
latentbot
75as4d53a1sd.zapto.org
Signatures

Deletes itself (1 IoCs)
pid Process: 2636 explorer.exe

Executes dropped EXE (3 IoCs)
pid Process: 2636 explorer.exe; 2484 nvxdsinc.exe; 2472 nwtray.exe

Loads dropped DLL (6 IoCs)
pid Process: 1908 e75d27a4dec7334e548a776a58137877_JaffaCakes118.exe (x2); 2636 explorer.exe (x2); 2484 nvxdsinc.exe (x2)

yara_rule matches (resource / rule)
behavioral1/memory/2548-30-0x0000000000400000-0x00000000004B5000-memory.dmp upx
behavioral1/memory/2548-26-0x0000000000400000-0x00000000004B5000-memory.dmp upx
behavioral1/memory/2548-25-0x0000000000400000-0x00000000004B5000-memory.dmp upx
behavioral1/memory/2548-31-0x0000000000400000-0x00000000004B5000-memory.dmp upx
behavioral1/memory/2548-32-0x0000000000400000-0x00000000004B5000-memory.dmp upx
behavioral1/memory/2548-41-0x0000000000400000-0x00000000004B5000-memory.dmp upx
behavioral1/memory/2484-45-0x0000000000E30000-0x0000000000E70000-memory.dmp upx
behavioral1/memory/2548-60-0x0000000000400000-0x00000000004B5000-memory.dmp upx
behavioral1/memory/2548-61-0x0000000000400000-0x00000000004B5000-memory.dmp upx
behavioral1/memory/2548-59-0x0000000000400000-0x00000000004B5000-memory.dmp upx
behavioral1/memory/2548-49-0x0000000000400000-0x00000000004B5000-memory.dmp upx
behavioral1/memory/2548-47-0x0000000000400000-0x00000000004B5000-memory.dmp upx

Adds Run key to start application (2 TTPs, 1 IoCs)
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\nvxdsinc.exe"
Process: nvxdsinc.exe

Suspicious use of SetThreadContext (2 IoCs)
PID 2636 set thread context of 2548 (2636 explorer.exe, procid_target 29)
PID 2472 set thread context of 1744 (2472 nwtray.exe, procid_target 32)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid Process: 2636 explorer.exe (x22); 2484 nvxdsinc.exe (x21); 2472 nwtray.exe (x21)

Suspicious use of AdjustPrivilegeToken (50 IoCs)
Token SeDebugPrivilege: 1908 e75d27a4dec7334e548a776a58137877_JaffaCakes118.exe; 2636 explorer.exe; 2484 nvxdsinc.exe; 2472 nwtray.exe
Tokens for 2548 AppLaunch.exe and, identically, for 1744 AppLaunch.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35

Suspicious use of SetWindowsHookEx (1 IoCs)
pid Process: 2548 AppLaunch.exe

Suspicious use of WriteProcessMemory (34 IoCs, duplicates collapsed with repeat counts)
PID 1908 wrote to memory of 2636 (1908 e75d27a4dec7334e548a776a58137877_JaffaCakes118.exe, procid_target 28) x4
PID 2636 wrote to memory of 2548 (2636 explorer.exe, procid_target 29) x11
PID 2636 wrote to memory of 2484 (2636 explorer.exe, procid_target 30) x4
PID 2484 wrote to memory of 2472 (2484 nvxdsinc.exe, procid_target 31) x4
PID 2472 wrote to memory of 1744 (2472 nwtray.exe, procid_target 32) x11
Processes

1. C:\Users\Admin\AppData\Local\Temp\e75d27a4dec7334e548a776a58137877_JaffaCakes118.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\e75d27a4dec7334e548a776a58137877_JaffaCakes118.exe"
   PID:1908
   - Loads dropped DLL
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
      command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"
      PID:2636
      - Deletes itself
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
         command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
         PID:2548
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of SetWindowsHookEx

      3. C:\Users\Admin\AppData\Local\Temp\System\nvxdsinc.exe
         command line: "C:\Users\Admin\AppData\Local\Temp\System\nvxdsinc.exe"
         PID:2484
         - Executes dropped EXE
         - Loads dropped DLL
         - Adds Run key to start application
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory

         4. C:\Users\Admin\AppData\Local\Temp\System\nwtray.exe
            command line: "C:\Users\Admin\AppData\Local\Temp\System\nwtray.exe"
            PID:2472
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory

            5. C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
               command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
               PID:1744
               - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 84B
MD5: 0451492ae6a77572a8cb1ea3d2c3f31b
SHA1: 02628d7a95f0dac3ca89a4c2b8af0519f9495c6f
SHA256: 17002ccc3bd7423ad1ee64917d130feb784343ea6c5e765ed6dbfca3abd7951f
SHA512: 0f92a59890dab0cc7e9d851b786115fad359cfd1de9621e8abc3830ebd1123d03d66daca9ab5fc7afe7e438a260126121b56eea497e8727054069502a667ea2d

Filesize: 318KB
MD5: e75d27a4dec7334e548a776a58137877
SHA1: 85e46d71cd015e4714459d2fe73f6c9a066199f5
SHA256: 5e9b31834d9951e950f884bea2a45bafb99c1761fbb8b7be4301467f55795d1a
SHA512: 28669e18a2ea427fa90f11ec4ed5f024bd3a28a4602bfe091fc6155e3b2f170f9f7f245a0912aa6cca627c6bc9802d4b39a75043c57d6d5e4c4ac3896710755f

Filesize: 39KB
MD5: 38abcaec6ee62213f90b1717d830a1bb
SHA1: d8f5849d0d3f4ccc0dfb66a9a4a0442ac66a31b9
SHA256: 6fee9a2c70b2cc48b0812f7cb2e09497c9c90941976f430a8f8279ad3c787768
SHA512: 77eaabcbc6f7a3835b6220d72c4b1cae82d2125ea971907e33b15ceeede7e4da0741c6e63e988bd782ed6eb72ad3cbcba10ea83919eafd9b95d612c43a735274