Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 126s
max time network: 119s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 01/05/2024, 14:33
Static task
static1
Behavioral task
behavioral1
Sample
0c0bd343cfb9cc71e7dd1325e8410c53_JaffaCakes118.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
0c0bd343cfb9cc71e7dd1325e8410c53_JaffaCakes118.exe
Resource
win10v2004-20240419-en
General
Target: 0c0bd343cfb9cc71e7dd1325e8410c53_JaffaCakes118.exe
Size: 356KB
MD5: 0c0bd343cfb9cc71e7dd1325e8410c53
SHA1: d8dc95c38d71a1b4fba163a014ad9465c0eff587
SHA256: 5878146740e08f9e44bda44e69217568214bd101c514c63e876302d31c20209a
SHA512: 4eaddf11a4904b60809ef64420cef357e1ddebe529e2ee7aeaf8d4725ce8f21645223fdd9a105dc2442aae6da2b955fdaf7b53759640e9ee8d4be5b1021f94d0
SSDEEP: 6144:BZ0FkvPi5sZ2Dzwcnj67Q6SSfxEmJCG16SSfxEmJ:4FGPi5Bz6c6lfr96lfr
Malware Config
Signatures
Deletes itself (1 IoCs)
pid 2164, Process cmd.exe

Executes dropped EXE (1 IoCs)
pid 1956, Process CCTV.exe

Drops autorun.inf file (1 TTPs, 4 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
File opened for modification F:\autorun.inf (Process: CCTV.exe)
File created F:\autorun.inf (Process: CCTV.exe)
File opened for modification C:\autorun.inf (Process: CCTV.exe)
File created C:\autorun.inf (Process: CCTV.exe)

Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (3 IoCs)
File created C:\Windows\CCTV.exe (Process: 0c0bd343cfb9cc71e7dd1325e8410c53_JaffaCakes118.exe)
File opened for modification C:\Windows\CCTV.exe (Process: 0c0bd343cfb9cc71e7dd1325e8410c53_JaffaCakes118.exe)
File opened for modification C:\Windows\CCTV.exe (Process: CCTV.exe)

Suspicious use of SetWindowsHookEx (2 IoCs)
pid 756, Process 0c0bd343cfb9cc71e7dd1325e8410c53_JaffaCakes118.exe
pid 1956, Process CCTV.exe

Suspicious use of WriteProcessMemory (8 IoCs)
PID 756 wrote to memory of 2164 (pid 756, Process 0c0bd343cfb9cc71e7dd1325e8410c53_JaffaCakes118.exe, procid_target 28)
PID 756 wrote to memory of 2164 (pid 756, Process 0c0bd343cfb9cc71e7dd1325e8410c53_JaffaCakes118.exe, procid_target 28)
PID 756 wrote to memory of 2164 (pid 756, Process 0c0bd343cfb9cc71e7dd1325e8410c53_JaffaCakes118.exe, procid_target 28)
PID 756 wrote to memory of 2164 (pid 756, Process 0c0bd343cfb9cc71e7dd1325e8410c53_JaffaCakes118.exe, procid_target 28)
PID 756 wrote to memory of 1956 (pid 756, Process 0c0bd343cfb9cc71e7dd1325e8410c53_JaffaCakes118.exe, procid_target 30)
PID 756 wrote to memory of 1956 (pid 756, Process 0c0bd343cfb9cc71e7dd1325e8410c53_JaffaCakes118.exe, procid_target 30)
PID 756 wrote to memory of 1956 (pid 756, Process 0c0bd343cfb9cc71e7dd1325e8410c53_JaffaCakes118.exe, procid_target 30)
PID 756 wrote to memory of 1956 (pid 756, Process 0c0bd343cfb9cc71e7dd1325e8410c53_JaffaCakes118.exe, procid_target 30)
Processes
C:\Users\Admin\AppData\Local\Temp\0c0bd343cfb9cc71e7dd1325e8410c53_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\0c0bd343cfb9cc71e7dd1325e8410c53_JaffaCakes118.exe"
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 756

    C:\Windows\SysWOW64\cmd.exe (child of PID 756)
      command line: cmd /c C:\Users\Admin\AppData\Local\Temp\0c0bd343cfb9cc71e7dd1325e8410c53_JaffaCakes118kill.bat
      - Deletes itself
      PID: 2164

    C:\Windows\CCTV.exe (child of PID 756)
      command line: C:\Windows\CCTV.exe
      - Executes dropped EXE
      - Drops autorun.inf file
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      PID: 1956
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 216B
MD5: ee6b3f4fa78ec0beec057271b2898042
SHA1: 128a2a6a8b9da590d4d25c67488bbd412f8d8428
SHA256: 5b1b29fb17c068e47723f4906fd2ebd43c21e6cc0edd1fd65589b7bf3c592ba8
SHA512: ec473d6227b7ad64b3c05d05126cd29a1ac3ffe523e65a115f7953244244343da3b503c8b2820bdf6b8c0a07d4649700cf30c5089f6d7dff6cf420016f2b36da

Filesize: 356KB
MD5: 0c0bd343cfb9cc71e7dd1325e8410c53
SHA1: d8dc95c38d71a1b4fba163a014ad9465c0eff587
SHA256: 5878146740e08f9e44bda44e69217568214bd101c514c63e876302d31c20209a
SHA512: 4eaddf11a4904b60809ef64420cef357e1ddebe529e2ee7aeaf8d4725ce8f21645223fdd9a105dc2442aae6da2b955fdaf7b53759640e9ee8d4be5b1021f94d0