Analysis
max time kernel: 150s
max time network: 150s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 20/04/2024, 18:59
Static task: static1
Behavioral task: behavioral1
  Sample: fd6adced194a9854b26a2a622b53fed6_JaffaCakes118.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: fd6adced194a9854b26a2a622b53fed6_JaffaCakes118.exe
  Resource: win10v2004-20240412-en
General
Target: fd6adced194a9854b26a2a622b53fed6_JaffaCakes118.exe
Size: 138KB
MD5: fd6adced194a9854b26a2a622b53fed6
SHA1: f98bae76e4577c80ff19380df1bf0dc653507597
SHA256: 79df06218d4e6cd4fa92da8469204b1c6da29593b17ee837ec30704fb5868945
SHA512: 4c30dc5980268d69fee14724b32e0700cc608182fb8e802d5a1c5786f769394160aa39595dd27123f96ff067b76586a852a119abc48114921f4e4904ad91ed14
SSDEEP: 3072:7qwcT3m86A/fn7JRk+9MZAphegNHCllRH9LWHOo5qCx6l/jHnQsQe:7qwcTWVA/v7fk+9MGphegNHCzOu/jQst
Malware Config
Signatures
Deletes itself (1 IoC)
  pid 572, process cmd.exe

Executes dropped EXE (1 IoC)
  pid 2760, process fowe.exe

Loads dropped DLL (2 IoCs)
  pid 2332, process fd6adced194a9854b26a2a622b53fed6_JaffaCakes118.exe (2 entries)

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\{177F885D-88FD-371F-EDCA-1B578AF06519} = "C:\\Users\\Admin\\AppData\\Roaming\\Sehih\\fowe.exe"
  process: fowe.exe

Suspicious use of SetThreadContext (1 IoC)
  PID 2332 set thread context of 572; process fd6adced194a9854b26a2a622b53fed6_JaffaCakes118.exe; procid_target 30

Modifies Internet Explorer settings (2 IoCs)
  Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Privacy
  process: fd6adced194a9854b26a2a622b53fed6_JaffaCakes118.exe
  Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"
  process: fd6adced194a9854b26a2a622b53fed6_JaffaCakes118.exe

NTFS ADS (1 IoC)
  File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\4F3564DD-00000001.eml:OECustomProperty
  process: WinMail.exe

Suspicious behavior: EnumeratesProcesses (31 IoCs)
  pid 2760, process fowe.exe (31 identical entries)

Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Token: SeSecurityPrivilege, pid 2332, process fd6adced194a9854b26a2a622b53fed6_JaffaCakes118.exe (3 entries)
  Token: SeManageVolumePrivilege, pid 1924, process WinMail.exe

Suspicious use of FindShellTrayWindow (1 IoC)
  pid 1924, process WinMail.exe

Suspicious use of SendNotifyMessage (1 IoC)
  pid 1924, process WinMail.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  pid 1924, process WinMail.exe

Suspicious use of WriteProcessMemory (48 IoCs)
  Listed as: source pid, source process -> target pid (procid_target): number of entries
  2332 fd6adced194a9854b26a2a622b53fed6_JaffaCakes118.exe -> 2760 (28): 4
  2760 fowe.exe -> 1252 (19): 5
  2760 fowe.exe -> 1328 (20): 5
  2760 fowe.exe -> 1376 (21): 5
  2760 fowe.exe -> 1224 (23): 5
  2760 fowe.exe -> 2332 (27): 5
  2332 fd6adced194a9854b26a2a622b53fed6_JaffaCakes118.exe -> 572 (30): 9
  2760 fowe.exe -> 704 (32): 5
  2760 fowe.exe -> 2192 (33): 5
Processes
(Indentation shows the process tree; each entry gives the image path, its command line and the PID.)

C:\Windows\system32\taskhost.exe  (PID 1252)
  command line: "taskhost.exe"

C:\Windows\system32\Dwm.exe  (PID 1328)
  command line: "C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE  (PID 1376)
  command line: C:\Windows\Explorer.EXE

  C:\Users\Admin\AppData\Local\Temp\fd6adced194a9854b26a2a622b53fed6_JaffaCakes118.exe  (PID 2332)
    command line: "C:\Users\Admin\AppData\Local\Temp\fd6adced194a9854b26a2a622b53fed6_JaffaCakes118.exe"
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Modifies Internet Explorer settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\Sehih\fowe.exe  (PID 2760)
      command line: "C:\Users\Admin\AppData\Roaming\Sehih\fowe.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe  (PID 572)
      command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpfa99be83.bat"
      - Deletes itself

C:\Windows\system32\DllHost.exe  (PID 1224)
  command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Program Files\Windows Mail\WinMail.exe  (PID 1924)
  command line: "C:\Program Files\Windows Mail\WinMail.exe" -Embedding
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx

C:\Windows\system32\DllHost.exe  (PID 704)
  command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\DllHost.exe  (PID 2192)
  command line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
Network
MITRE ATT&CK Enterprise v15
Downloads