Analysis
- max time kernel: 119s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240220-en
- resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
- submitted: 17/04/2024, 03:48
Static task: static1
Behavioral task: behavioral1
- Sample: f4f7e6f813317dfdb521e9a4c8701cb9_JaffaCakes118.exe
- Resource: win7-20240220-en
Behavioral task: behavioral2
- Sample: f4f7e6f813317dfdb521e9a4c8701cb9_JaffaCakes118.exe
- Resource: win10v2004-20240412-en
General
- Target: f4f7e6f813317dfdb521e9a4c8701cb9_JaffaCakes118.exe
- Size: 32KB
- MD5: f4f7e6f813317dfdb521e9a4c8701cb9
- SHA1: 5e135676cf3dff7920469379682c8d99c317c0f0
- SHA256: a4470a3fc24703976217fd9aeb6758c8d09ead5ea8cdf114c287b559b63f0b7d
- SHA512: 535e57f7eef29823e643bd93ea170ee1eb3572a1f521e6be76ee3bbef91de3a727e6c73909901f97dca9f038f76d9548626de1479d5ebff4b6de802987067e17
- SSDEEP: 384:29oqDswpeD68I4c0hWQGyrEbwuA4d37SrFYg/9WLKSDZyn4f:2iaswMLI4cnLyrEbwuA4d37EYgsLvo4
Malware Config
Signatures
- Modifies security service (2 TTPs, 2 IoCs)
  description: Set value (int) | ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | Process: reg.exe
  description: Set value (int) | ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | Process: reg.exe
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid: 2820 | Process: f4f7e6f813317dfdb521e9a4c8701cb9_JaffaCakes118.exe
  pid: 2820 | Process: f4f7e6f813317dfdb521e9a4c8701cb9_JaffaCakes118.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid: 2820 | Process: f4f7e6f813317dfdb521e9a4c8701cb9_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (48 IoCs)
Processes
- C:\Users\Admin\AppData\Local\Temp\f4f7e6f813317dfdb521e9a4c8701cb9_JaffaCakes118.exe (PID 2820)
  Command line: "C:\Users\Admin\AppData\Local\Temp\f4f7e6f813317dfdb521e9a4c8701cb9_JaffaCakes118.exe"
  Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 2528)
    Command line: cmd.exe /c net stop "Security Center"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net.exe (PID 2444)
      Command line: net stop "Security Center"
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe (PID 2180)
        Command line: C:\Windows\system32\net1 stop "Security Center"
  - C:\Windows\SysWOW64\cmd.exe (PID 2988)
    Command line: cmd.exe /c net stop SharedAccess
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net.exe (PID 2928)
      Command line: net stop SharedAccess
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe (PID 2708)
        Command line: C:\Windows\system32\net1 stop SharedAccess
  - C:\Windows\SysWOW64\reg.exe (PID 1620)
    Command line: reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess" /v Start /t REG_DWORD /d 0x4 /f
  - C:\Windows\SysWOW64\cmd.exe (PID 2632)
    Command line: cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\reg.exe (PID 2720)
      Command line: reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
      Signatures: Modifies security service
  - C:\Windows\SysWOW64\cmd.exe (PID 2672)
    Command line: cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\reg.exe (PID 2728)
      Command line: reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
      Signatures: Modifies security service
  - C:\Windows\SysWOW64\cmd.exe (PID 2440)
    Command line: cmd.exe /C C:\0.