Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 120s
- max time network: 130s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 11/04/2024, 15:42
Static task: static1
Behavioral task: behavioral1
- Sample: edc611f836805766cb477277e6503215_JaffaCakes118.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: edc611f836805766cb477277e6503215_JaffaCakes118.exe
- Resource: win10v2004-20240226-en
General
- Target: edc611f836805766cb477277e6503215_JaffaCakes118.exe
- Size: 4.3MB
- MD5: edc611f836805766cb477277e6503215
- SHA1: cdb18269fc7201b8b983578249878e4711730452
- SHA256: ff6a191388c63a0eba933c1d247db4b07f905728c0204d2f58bdff965c4377f1
- SHA512: bbcf04d1ee280d0501d80ab29ddb83c59e8d8f929246beed05495ee72cdcd0d9b2febc5d03188faeb96fa84fec958e9a86ec3a8146d9dbe33bda76697806f3aa
- SSDEEP: 49152:40rWePspAsProkyNs+hYwzdnAyo8DGLr30bo6hCDB2xECTZCtZEDUJ5KMJqb:ZXmNzokyFhY8May30cHDB2xbZcZ5XK
Malware Config
Signatures
- Looks for VirtualBox Guest Additions in registry (2 TTPs, 1 IoC)
  Key opened: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions (Process: Crazy Captain Malcom Deatherage.exe)
- Looks for VMWare Tools registry key (2 TTPs, 1 IoC)
  Key opened: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools (Process: Crazy Captain Malcom Deatherage.exe)
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (Process: Crazy Captain Malcom Deatherage.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (Process: Crazy Captain Malcom Deatherage.exe)
- Deletes itself (1 IoC)
  PID 2916, Process: cmd.exe
- Executes dropped EXE (1 IoC)
  PID 2532, Process: Crazy Captain Malcom Deatherage.exe
- Loads dropped DLL (6 IoCs)
  PID 2120, Process: edc611f836805766cb477277e6503215_JaffaCakes118.exe (1 entry)
  PID 2728, Process: WerFault.exe (5 entries)
- Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 (Process: Crazy Captain Malcom Deatherage.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum (Process: Crazy Captain Malcom Deatherage.exe)
- Suspicious use of NtSetInformationThreadHideFromDebugger (17 IoCs)
  PID 2532, Process: Crazy Captain Malcom Deatherage.exe (17 entries)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoC)
  PID 2728, Process: WerFault.exe, pid_target 2532, procid_target 27
- Runs ping.exe (1 TTP, 1 IoC)
  PID 2204, Process: PING.EXE
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  PID 2120, Process: edc611f836805766cb477277e6503215_JaffaCakes118.exe (2 entries)
  PID 2532, Process: Crazy Captain Malcom Deatherage.exe (8 entries)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, PID 2120, Process: edc611f836805766cb477277e6503215_JaffaCakes118.exe
  Token: SeDebugPrivilege, PID 2532, Process: Crazy Captain Malcom Deatherage.exe
- Suspicious use of WriteProcessMemory (16 IoCs)
  PID 2120 (edc611f836805766cb477277e6503215_JaffaCakes118.exe) wrote to memory of 2532, procid_target 27 (4 entries)
  PID 2120 (edc611f836805766cb477277e6503215_JaffaCakes118.exe) wrote to memory of 2916, procid_target 28 (4 entries)
  PID 2916 (cmd.exe) wrote to memory of 2204, procid_target 30 (4 entries)
  PID 2532 (Crazy Captain Malcom Deatherage.exe) wrote to memory of 2728, procid_target 34 (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\edc611f836805766cb477277e6503215_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\edc611f836805766cb477277e6503215_JaffaCakes118.exe"
  PID: 2120
  Signatures:
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Users\Admin\AppData\Local\Temp\Crazy Captain Malcom Deatherage.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Crazy Captain Malcom Deatherage.exe"
    PID: 2532
    Signatures:
    - Looks for VirtualBox Guest Additions in registry
    - Looks for VMWare Tools registry key
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2532 -s 848
      PID: 2728
      Signatures:
      - Loads dropped DLL
      - Program crash
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\edc611f836805766cb477277e6503215_JaffaCakes118.exe"
    PID: 2916
    Signatures:
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 1.1.1.1 -n 1 -w 3000
      PID: 2204
      Signatures:
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 207KB
  MD5: cfddb85e01988231beb3db5d60bb7511
  SHA1: dc36c0461c725008c6c8341bfaf8c4ea63d94df3
  SHA256: b3f783c4aceb2609ced9dd79226d7813b5be23a9b2cf4fc79b550dbfc52f9975
  SHA512: 5e33cc51217e5948d2969a7e1b11f3672d26a3b47c6867c843fdb4de930e6637d00ce05825947defc42242f7a2ae64e904a55472621082085ab4e3261e4525df
- Filesize: 4.3MB
  MD5: 62786fd6de99ee4fe67f5caec99ec22a
  SHA1: b4b3787fff05de3394285fd31189ec6dbc4e3a98
  SHA256: 0b5d0ac0d230f54a16ef18ef5c90108d8cbca04e667246568cbcc7b9f761d74d
  SHA512: a37ec181b8a90c940a860c4e1a64c07872260b1c2e88ed4be40f7c02a3ec86bb8785cc5031d583b7737dccc52f08e0d64d1bdfe76948c3fb93858721e255c620