Analysis
max time kernel: 118s
max time network: 119s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 17/04/2024, 02:55
Behavioral task: behavioral1
Sample: f4e216f8f569dc6cc379aea6bd085297_JaffaCakes118.exe
Resource: win7-20231129-en
5 signatures, 150 seconds

Behavioral task: behavioral2
Sample: f4e216f8f569dc6cc379aea6bd085297_JaffaCakes118.exe
Resource: win10v2004-20240226-en
3 signatures, 150 seconds
General
Target: f4e216f8f569dc6cc379aea6bd085297_JaffaCakes118.exe
Size: 223KB
MD5: f4e216f8f569dc6cc379aea6bd085297
SHA1: f67c0792e42ff485ca00bd8a7970dfc9ce6c01f1
SHA256: 1d24cac6272b95854281e8c24a6f88bd6c3073970e8cfdde802a6f626f1a5d4d
SHA512: 62f352a651c1212ee40358fe420fbe94a9adbd473c549418a0aa1eb594dc554b75c2067ba0a5bb6307ecf77a6a7ed9b51befbf59946e4a8dd7772a8f7ef7cb58
SSDEEP: 6144:ra/u5muWmD74jatDPQ9eeya0YEI3kzMWBZfQ8gnL:rMC74mVQ9eda0YEI3yMMZfQLL
Score: 8/10
Malware Config
Signatures

Sets service image path in registry (2 TTPs, 1 IoC)
description      ioc                                                                                                                                              Process
Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\mchInjDrv\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\mc2CEC.tmp"  f4e216f8f569dc6cc379aea6bd085297_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses (12 IoCs)
pid  Process
948  f4e216f8f569dc6cc379aea6bd085297_JaffaCakes118.exe  (12 identical entries)

Suspicious behavior: LoadsDriver (1 IoC)
pid  Process
948  f4e216f8f569dc6cc379aea6bd085297_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken (18 IoCs)
All entries: pid 948, Process f4e216f8f569dc6cc379aea6bd085297_JaffaCakes118.exe
description
Token: SeIncreaseQuotaPrivilege
Token: SeSecurityPrivilege
Token: SeTakeOwnershipPrivilege
Token: SeLoadDriverPrivilege
Token: SeSystemProfilePrivilege
Token: SeSystemtimePrivilege
Token: SeProfSingleProcessPrivilege
Token: SeIncBasePriorityPrivilege
Token: SeCreatePagefilePrivilege
Token: SeShutdownPrivilege
Token: SeDebugPrivilege
Token: SeSystemEnvironmentPrivilege
Token: SeRemoteShutdownPrivilege
Token: SeUndockPrivilege
Token: SeManageVolumePrivilege
Token: 33
Token: 34
Token: 35

Suspicious use of WriteProcessMemory (8 IoCs)
description                      pid  Process                                              procid_target
PID 948 wrote to memory of 1248  948  f4e216f8f569dc6cc379aea6bd085297_JaffaCakes118.exe  19
PID 948 wrote to memory of 1248  948  f4e216f8f569dc6cc379aea6bd085297_JaffaCakes118.exe  19
PID 948 wrote to memory of 1344  948  f4e216f8f569dc6cc379aea6bd085297_JaffaCakes118.exe  20
PID 948 wrote to memory of 1344  948  f4e216f8f569dc6cc379aea6bd085297_JaffaCakes118.exe  20
PID 948 wrote to memory of 1380  948  f4e216f8f569dc6cc379aea6bd085297_JaffaCakes118.exe  21
PID 948 wrote to memory of 1380  948  f4e216f8f569dc6cc379aea6bd085297_JaffaCakes118.exe  21
PID 948 wrote to memory of 828   948  f4e216f8f569dc6cc379aea6bd085297_JaffaCakes118.exe  23
PID 948 wrote to memory of 828   948  f4e216f8f569dc6cc379aea6bd085297_JaffaCakes118.exe  23
Processes

[1] C:\Windows\system32\taskhost.exe
    command line: "taskhost.exe"
    PID: 1248

[1] C:\Windows\system32\Dwm.exe
    command line: "C:\Windows\system32\Dwm.exe"
    PID: 1344

[1] C:\Windows\Explorer.EXE
    command line: C:\Windows\Explorer.EXE
    PID: 1380

    [2] C:\Users\Admin\AppData\Local\Temp\f4e216f8f569dc6cc379aea6bd085297_JaffaCakes118.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\f4e216f8f569dc6cc379aea6bd085297_JaffaCakes118.exe"
        PID: 948
        - Sets service image path in registry
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: LoadsDriver
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

[1] C:\Windows\system32\DllHost.exe
    command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    PID: 828