Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
145s -
max time network
148s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64
arch:x86
image:win7-20240221-en
locale:en-us
os:windows7-x64
system
-
submitted
09/04/2024, 00:52
Static task
static1
Behavioral task
behavioral1
Sample
e8d525d0a2bf8e47436238b52884d8b6_JaffaCakes118.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
e8d525d0a2bf8e47436238b52884d8b6_JaffaCakes118.exe
Resource
win10v2004-20231215-en
General
-
Target
e8d525d0a2bf8e47436238b52884d8b6_JaffaCakes118.exe
-
Size
355KB
-
MD5
e8d525d0a2bf8e47436238b52884d8b6
-
SHA1
db66207de2e31ba6e5fd7f1ffbc8f2b8ba8d3873
-
SHA256
c49d1a79cc30af3de957e4e5f6ae249e074dd85d3200868e36f14d97144cebb7
-
SHA512
cdaca2fc83af3ed9710f8d37397258d60c135d4e2a526a1565d2d06c65473f4c7091d5c6476339eef3137995fda6244f8499f8edf772548f1171e8dc8d81d659
-
SSDEEP
6144:L3EmWPDNND9yRPzLq+YXFqaZiMLic9kzVd7EAC4TSs9EiS:omWhND9yJz+b1FcMLmp2ATTSsdS
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe," | svchost.exe
-
Executes dropped EXE 1 IoCs
pid | Process
2156 | svchost.exe
-
Loads dropped DLL 2 IoCs
pid | Process
2352 | e8d525d0a2bf8e47436238b52884d8b6_JaffaCakes118.exe
2352 | e8d525d0a2bf8e47436238b52884d8b6_JaffaCakes118.exe
-
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ad6050b = "Ì%±ÿ€TÌ{îú\x04uQC¿Â»I*‚ñvöìÜ?SÜ}\f~E›a>" | e8d525d0a2bf8e47436238b52884d8b6_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ad6050b = "Ì%±ÿ€TÌ{îú\x04uQC¿Â»I*‚ñvöìÜ?SÜ}\f~E›a>" | svchost.exe
-
Drops file in Windows directory 2 IoCs
description | ioc | Process
File created | C:\Windows\apppatch\svchost.exe | e8d525d0a2bf8e47436238b52884d8b6_JaffaCakes118.exe
File opened for modification | C:\Windows\apppatch\svchost.exe | e8d525d0a2bf8e47436238b52884d8b6_JaffaCakes118.exe
-
Suspicious behavior: EnumeratesProcesses 41 IoCs
pid | Process
2352 | e8d525d0a2bf8e47436238b52884d8b6_JaffaCakes118.exe (4 identical IoCs)
2156 | svchost.exe (37 identical IoCs)
-
Suspicious behavior: RenamesItself 1 IoCs
pid Process 2352 e8d525d0a2bf8e47436238b52884d8b6_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description | pid | Process | procid_target
PID 2352 wrote to memory of 2156 | 2352 | e8d525d0a2bf8e47436238b52884d8b6_JaffaCakes118.exe | 28
PID 2352 wrote to memory of 2156 | 2352 | e8d525d0a2bf8e47436238b52884d8b6_JaffaCakes118.exe | 28
PID 2352 wrote to memory of 2156 | 2352 | e8d525d0a2bf8e47436238b52884d8b6_JaffaCakes118.exe | 28
PID 2352 wrote to memory of 2156 | 2352 | e8d525d0a2bf8e47436238b52884d8b6_JaffaCakes118.exe | 28
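The persistence signature above shows the dropped C:\Windows\apppatch\svchost.exe being appended to the Winlogon Userinit value, so Winlogon launches it at every interactive logon (ATT&CK T1547.004, Winlogon Helper DLL), alongside an opaque extra value (ad6050b) written under the same key. The following PowerShell audit is an added example for checking a host for this pattern; it is not code from the Triage report or from the sample. The expected Userinit/Shell contents and the list of baseline Winlogon value names are assumptions for a default install and should be tuned to your image; Get-FileHash needs PowerShell 4 or later.

```powershell
# Added example (not part of the Triage report): audit HKLM Winlogon for the
# Userinit-append persistence seen in this sample and for the dropped apppatch\svchost.exe.
# Run from an elevated PowerShell on the host being checked.

$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# Assumed defaults: Userinit should contain only userinit.exe, Shell only explorer.exe.
$Expected = @{
    Userinit = @("$env:SystemRoot\system32\userinit.exe")
    Shell    = @('explorer.exe')
}

# Assumed baseline of value names Windows itself writes under Winlogon (not exhaustive;
# extend it from a known-good host of the same build). Anything else, such as the
# sample's ad6050b value, is reported.
$KnownValues = @('Userinit','Shell','AutoRestartShell','Background','CachedLogonsCount',
    'DebugServerCommand','DefaultDomainName','DefaultUserName','DisableCAD','ForceUnlockLogon',
    'LegalNoticeCaption','LegalNoticeText','PasswordExpiryWarning','PowerdownAfterShutdown',
    'PreCreateKnownFolders','ReportBootOk','ScRemoveOption','ShutdownWithoutLogon','VMApplet',
    'WinStationsDisabled','LastLogOffEndTimePerfCounter','ShutdownFlags','AutoAdminLogon')

function Split-LogonValue {
    # Userinit/Shell are comma-separated lists. The sample appended a second path and a
    # trailing comma, so empty elements after trimming are dropped rather than reported.
    param([string]$Value)
    return @($Value -split ',' | ForEach-Object { $_.Trim().Trim('"') } | Where-Object { $_ })
}

$props    = Get-ItemProperty -Path $WinlogonKey
$findings = @()

# 1. Every entry in Userinit/Shell must be on the expected list; extra entries are hashed
#    (when they resolve to a file) so they can be compared against known IoCs.
foreach ($name in $Expected.Keys) {
    $raw = $props.$name
    if (-not $raw) { continue }
    foreach ($entry in (Split-LogonValue $raw)) {
        if ($Expected[$name] -notcontains $entry) {
            $findings += [pscustomobject]@{ Check = "Winlogon\$name"; Detail = "unexpected entry: $entry" }
            if (Test-Path -LiteralPath $entry -PathType Leaf) {
                $sha256 = (Get-FileHash -LiteralPath $entry -Algorithm SHA256).Hash
                $findings += [pscustomobject]@{ Check = "Winlogon\$name"; Detail = "$entry SHA256=$sha256" }
            }
        }
    }
}

# 2. Report value names under Winlogon that are outside the assumed baseline.
foreach ($valueName in (Get-Item -Path $WinlogonKey).GetValueNames()) {
    if ($valueName -and ($KnownValues -notcontains $valueName)) {
        $findings += [pscustomobject]@{ Check = 'Winlogon value'; Detail = "unrecognised value name: $valueName" }
    }
}

# 3. A real svchost.exe lives in System32 (and SysWOW64); one under apppatch is the dropped binary.
$dropped = "$env:SystemRoot\apppatch\svchost.exe"
if (Test-Path -LiteralPath $dropped -PathType Leaf) {
    $sha256 = (Get-FileHash -LiteralPath $dropped -Algorithm SHA256).Hash
    $findings += [pscustomobject]@{ Check = 'dropped file'; Detail = "$dropped SHA256=$sha256" }
}

if ($findings) { $findings | Format-Table -AutoSize } else { 'No Winlogon persistence indicators found.' }
```

On a host matching this report, check 1 reports the apppatch\svchost.exe entry from Userinit, check 2 reports the ad6050b value, and check 3 hashes the dropped file; compare the SHA256 values against the Downloads section of this report. Remediation is to restore Userinit to the single userinit.exe entry before removing the file, since Winlogon will otherwise still try to start a missing helper at next logon.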
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\e8d525d0a2bf8e47436238b52884d8b6_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\e8d525d0a2bf8e47436238b52884d8b6_JaffaCakes118.exe"
- Loads dropped DLL
- Modifies WinLogon
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2352 -
2. C:\Windows\apppatch\svchost.exe (child of PID 2352)
Command line: "C:\Windows\apppatch\svchost.exe"
- Modifies WinLogon for persistence
- Executes dropped EXE
- Modifies WinLogon
- Suspicious behavior: EnumeratesProcesses
PID:2156
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
22KB
MD5 c3821280523e004b9182ef661f264fb3
SHA1 dd0b45e5329b424e9b0c8249dc1e6c46d7fd4ae0
SHA256 02554c424327ef391a722b4e15121583382358ab9086c047e657a89298ad1d70
SHA512 c6f4432eb52e9ba2ba73b1ec25cadc5e3e584df64aea8b69c248053dd16756a8233ebeeb4521918d94babfe6ce71c6ed7b853d76d1d5076b12e937cf7aff1a31
-
Filesize
355KB
MD5 6c00c717e767edad69fdf6b59b50e53c
SHA1 3a1980dfd3194748dbbda63f5ab3dab703744e48
SHA256 9153b3063de2d507235cf3616e686a8b607df3b36b8e5f846e3a0982a5159a8e
SHA512 742c31a941639f304b09c4f1419bd834d343c251515ec1eac7f9381dce62eaaee07d67c9e6061e32cdf088f9015cc45b01ba36f2c5dba7f13a574afabfbbf241