Analysis
max time kernel: 140s
max time network: 122s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 11/04/2024, 12:21
Static task: static1
Behavioral task: behavioral1
Sample: ed69746aa446d81ec40535f048806a4c_JaffaCakes118.exe
Resource: win7-20240221-en
General
Target: ed69746aa446d81ec40535f048806a4c_JaffaCakes118.exe
Size: 276KB
MD5: ed69746aa446d81ec40535f048806a4c
SHA1: 083afb28943d6e75245a9a5a8d598fedb572d651
SHA256: 99a0be7e62206f74468ce3b6a6c6e307133a8dc5f51da3d43d7b017d51db0d60
SHA512: 8bfe12e54eb1ce2aa1d7b0dabb4890fb0d141bc43d5fef0f7f6575e5fc72a9703a828cad6fea8af9c428352f7c1352d78f11eb41d420126d13df75a239775599
SSDEEP: 6144:mGj01tuAV3qkskU8ywoyz6Bk1j2wdPVfXNpkJWv/bEf2HYfuj8:tcvMkUs/uk0mP/k8vT6wY9
Malware Config
Signatures
(rows below are listed as: description | ioc | process, or pid | process)

Modifies security service (2 TTPs, 1 IoC)
  Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "3" | ed69746aa446d81ec40535f048806a4c_JaffaCakes118.exe

Disables taskbar notifications via registry modification

Modifies Installed Components in the registry (2 TTPs, 1 IoC)
  Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe

Executes dropped EXE (1 IoC)
  PID 1140 | A4F6.tmp

Loads dropped DLL (2 IoCs)
  PID 2876 | ed69746aa446d81ec40535f048806a4c_JaffaCakes118.exe (2 identical entries)

Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

YARA rule matches (resource | yara_rule)
  behavioral1/memory/2876-2-0x0000000000400000-0x0000000000469000-memory.dmp | upx
  behavioral1/memory/2876-14-0x0000000000400000-0x0000000000469000-memory.dmp | upx
  behavioral1/memory/2308-16-0x0000000000400000-0x0000000000469000-memory.dmp | upx
  behavioral1/memory/2876-114-0x0000000000400000-0x0000000000469000-memory.dmp | upx
  behavioral1/memory/556-116-0x0000000000400000-0x0000000000469000-memory.dmp | upx
  behavioral1/memory/2308-283-0x0000000000270000-0x0000000000370000-memory.dmp | upx
  behavioral1/memory/2876-301-0x0000000000400000-0x0000000000469000-memory.dmp | upx
  behavioral1/memory/2876-306-0x0000000000400000-0x0000000000469000-memory.dmp | upx

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\83E.exe = "C:\\Program Files (x86)\\LP\\DAF3\\83E.exe" | ed69746aa446d81ec40535f048806a4c_JaffaCakes118.exe

Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Drops file in Program Files directory (3 IoCs)
  File created C:\Program Files (x86)\LP\DAF3\83E.exe | ed69746aa446d81ec40535f048806a4c_JaffaCakes118.exe
  File opened for modification C:\Program Files (x86)\LP\DAF3\83E.exe | ed69746aa446d81ec40535f048806a4c_JaffaCakes118.exe
  File opened for modification C:\Program Files (x86)\LP\DAF3\A4F6.tmp | ed69746aa446d81ec40535f048806a4c_JaffaCakes118.exe

Modifies registry class (5 IoCs)
  Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
  Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
  Set value (data) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | explorer.exe
  Set value (data) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | explorer.exe
  Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_Classes\Local Settings | explorer.exe

Suspicious behavior: EnumeratesProcesses (14 IoCs)
  PID 2876 | ed69746aa446d81ec40535f048806a4c_JaffaCakes118.exe (14 identical entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 3012 | explorer.exe

Suspicious use of AdjustPrivilegeToken (15 IoCs)
  Token: SeRestorePrivilege | PID 3060 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | PID 3060 | msiexec.exe
  Token: SeSecurityPrivilege | PID 3060 | msiexec.exe
  Token: SeShutdownPrivilege | PID 3012 | explorer.exe (12 identical entries)

Suspicious use of FindShellTrayWindow (28 IoCs)
  PID 3012 | explorer.exe (28 identical entries)

Suspicious use of SendNotifyMessage (17 IoCs)
  PID 3012 | explorer.exe (17 identical entries)

Suspicious use of WriteProcessMemory (12 IoCs; description | pid | process | procid_target)
  PID 2876 wrote to memory of 2308 | 2876 | ed69746aa446d81ec40535f048806a4c_JaffaCakes118.exe | 30 (4 identical entries)
  PID 2876 wrote to memory of 556 | 2876 | ed69746aa446d81ec40535f048806a4c_JaffaCakes118.exe | 32 (4 identical entries)
  PID 2876 wrote to memory of 1140 | 2876 | ed69746aa446d81ec40535f048806a4c_JaffaCakes118.exe | 35 (4 identical entries)

System policy modification (1 TTP, 2 IoCs)
  Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | ed69746aa446d81ec40535f048806a4c_JaffaCakes118.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" | ed69746aa446d81ec40535f048806a4c_JaffaCakes118.exe

Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\ed69746aa446d81ec40535f048806a4c_JaffaCakes118.exe (PID 2876)
  command line: "C:\Users\Admin\AppData\Local\Temp\ed69746aa446d81ec40535f048806a4c_JaffaCakes118.exe"
  signatures: Modifies security service; Loads dropped DLL; Adds Run key to start application; Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory; System policy modification
  - C:\Users\Admin\AppData\Local\Temp\ed69746aa446d81ec40535f048806a4c_JaffaCakes118.exe (PID 2308)
    command line: C:\Users\Admin\AppData\Local\Temp\ed69746aa446d81ec40535f048806a4c_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\3B188\0BCDA.exe%C:\Users\Admin\AppData\Roaming\3B188
  - C:\Users\Admin\AppData\Local\Temp\ed69746aa446d81ec40535f048806a4c_JaffaCakes118.exe (PID 556)
    command line: C:\Users\Admin\AppData\Local\Temp\ed69746aa446d81ec40535f048806a4c_JaffaCakes118.exe startC:\Program Files (x86)\88B96\lvvm.exe%C:\Program Files (x86)\88B96
  - C:\Program Files (x86)\LP\DAF3\A4F6.tmp (PID 1140)
    command line: "C:\Program Files (x86)\LP\DAF3\A4F6.tmp"
    signatures: Executes dropped EXE
- C:\Windows\system32\msiexec.exe (PID 3060)
  command line: C:\Windows\system32\msiexec.exe /V
  signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\explorer.exe (PID 3012)
  command line: explorer.exe
  signatures: Modifies Installed Components in the registry; Modifies registry class; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (2)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads