Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
118s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
18/04/2024, 19:40
Static task
static1
Behavioral task
behavioral1
Sample
f8a154521bd546c4a2e9704f63def716_JaffaCakes118.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
f8a154521bd546c4a2e9704f63def716_JaffaCakes118.exe
Resource
win10v2004-20240412-en
General
-
Target
f8a154521bd546c4a2e9704f63def716_JaffaCakes118.exe
-
Size
10KB
-
MD5
f8a154521bd546c4a2e9704f63def716
-
SHA1
89c24d1f3043b5891a494b0e8b3f422642b0ac7e
-
SHA256
a423193c571a7726f20bcd42e9c9658cbaaf36237ecbfb8b70ca00f2aea4d65d
-
SHA512
d308a0b06695a1f0c92c1424bd5fa83dac8b242d2a8feced95607301f8cd73d4f75c2828ee61b97f7327a76a116ddd65b7d112efe622425e8f7ae70eed8400a7
-
SSDEEP
192:m8sc7GOuYqBAo+0Q2kn+AhoXUgzaUGJDqhEGk5NLpoBYswx58b0UHW:m8f7GOuZljkn+A+aJDWEGUpsM5JYW
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\DLMon = "{590498A3-4131-4D8F-BA4B-36791A0803B1}" f8a154521bd546c4a2e9704f63def716_JaffaCakes118.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File created C:\Windows\SysWOW64\DLMain.dll f8a154521bd546c4a2e9704f63def716_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\DLMain.dll f8a154521bd546c4a2e9704f63def716_JaffaCakes118.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 6 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{590498A3-4131-4D8F-BA4B-36791A0803B1}\InprocServer32 f8a154521bd546c4a2e9704f63def716_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node f8a154521bd546c4a2e9704f63def716_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID f8a154521bd546c4a2e9704f63def716_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{590498A3-4131-4D8F-BA4B-36791A0803B1} f8a154521bd546c4a2e9704f63def716_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{590498A3-4131-4D8F-BA4B-36791A0803B1}\InprocServer32\ = "C:\\Windows\\SysWow64\\DLMain.dll" f8a154521bd546c4a2e9704f63def716_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{590498A3-4131-4D8F-BA4B-36791A0803B1}\InprocServer32\ThreadingModel = "Apartment" f8a154521bd546c4a2e9704f63def716_JaffaCakes118.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 2128 f8a154521bd546c4a2e9704f63def716_JaffaCakes118.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2128 f8a154521bd546c4a2e9704f63def716_JaffaCakes118.exe Token: SeIncBasePriorityPrivilege 2128 f8a154521bd546c4a2e9704f63def716_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 5 IoCs
description pid Process procid_target PID 2128 wrote to memory of 1276 2128 f8a154521bd546c4a2e9704f63def716_JaffaCakes118.exe 21 PID 2128 wrote to memory of 3016 2128 f8a154521bd546c4a2e9704f63def716_JaffaCakes118.exe 28 PID 2128 wrote to memory of 3016 2128 f8a154521bd546c4a2e9704f63def716_JaffaCakes118.exe 28 PID 2128 wrote to memory of 3016 2128 f8a154521bd546c4a2e9704f63def716_JaffaCakes118.exe 28 PID 2128 wrote to memory of 3016 2128 f8a154521bd546c4a2e9704f63def716_JaffaCakes118.exe 28
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:1276
-
C:\Users\Admin\AppData\Local\Temp\f8a154521bd546c4a2e9704f63def716_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\f8a154521bd546c4a2e9704f63def716_JaffaCakes118.exe"2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2128 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\F8A154~1.EXE > nul3⤵PID:3016
-
-