Analysis
- max time kernel: 149s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 06/05/2024, 05:10
Static task: static1
Behavioral task: behavioral1
- Sample: 1aeafb4aeda2e03af35db00806c4a752_JaffaCakes118.exe
- Resource: win7-20240221-en
General
- Target: 1aeafb4aeda2e03af35db00806c4a752_JaffaCakes118.exe
- Size: 534KB
- MD5: 1aeafb4aeda2e03af35db00806c4a752
- SHA1: dd0a5862ffbccc7949e8fd6407ef4ee717ba4aac
- SHA256: cc29af4836750180f2e29745658cf1fd45302c2dc48c952cf38835370932a6f8
- SHA512: a797b0514d2325f4641d1aca542b2fa6d92f1ef71882f549ba0cc33c48ebc392d72787b4cf63a336c4a4220a47d06b2fe260f157b3d2f4346c7c54472f0edcb9
- SSDEEP: 6144:ZbuodmSEjapEQaFd8M6rjiiiJUWWAxlp4HqUhiNAyV31RFp07k0rqQ8:MAHlaF6j2iiJUWfl27iKQRFp4kV
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid   Process
  2552  svhost.exe
- Loads dropped DLL (2 IoCs)
  pid   Process
  2864  1aeafb4aeda2e03af35db00806c4a752_JaffaCakes118.exe
  2864  1aeafb4aeda2e03af35db00806c4a752_JaffaCakes118.exe
- Suspicious use of SetThreadContext (1 IoC)
  description                          pid   Process                                             procid_target
  PID 2864 set thread context of 2552  2864  1aeafb4aeda2e03af35db00806c4a752_JaffaCakes118.exe  31
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Delays execution with timeout.exe (1 IoC)
  pid   Process
  2180  timeout.exe
- NTFS ADS (1 IoC)
  description   ioc                                                                      Process
  File created  C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe:Zone.Identifier  cmd.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid   Process
  2864  1aeafb4aeda2e03af35db00806c4a752_JaffaCakes118.exe
  2864  1aeafb4aeda2e03af35db00806c4a752_JaffaCakes118.exe
  2864  1aeafb4aeda2e03af35db00806c4a752_JaffaCakes118.exe
  2864  1aeafb4aeda2e03af35db00806c4a752_JaffaCakes118.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid   Process
  2552  svhost.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description                        pid   Process
  Token: SeDebugPrivilege            2864  1aeafb4aeda2e03af35db00806c4a752_JaffaCakes118.exe
  Token: SeDebugPrivilege            2552  svhost.exe
  Token: 33                          2552  svhost.exe
  Token: SeIncBasePriorityPrivilege  2552  svhost.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid   Process
  2552  svhost.exe
- Suspicious use of WriteProcessMemory (25 IoCs)
  description                        pid   Process                                             procid_target
  PID 2864 wrote to memory of 2900   2864  1aeafb4aeda2e03af35db00806c4a752_JaffaCakes118.exe  28
  PID 2864 wrote to memory of 2900   2864  1aeafb4aeda2e03af35db00806c4a752_JaffaCakes118.exe  28
  PID 2864 wrote to memory of 2900   2864  1aeafb4aeda2e03af35db00806c4a752_JaffaCakes118.exe  28
  PID 2864 wrote to memory of 2900   2864  1aeafb4aeda2e03af35db00806c4a752_JaffaCakes118.exe  28
  PID 2900 wrote to memory of 2608   2900  cmd.exe                                             30
  PID 2900 wrote to memory of 2608   2900  cmd.exe                                             30
  PID 2900 wrote to memory of 2608   2900  cmd.exe                                             30
  PID 2900 wrote to memory of 2608   2900  cmd.exe                                             30
  PID 2864 wrote to memory of 2552   2864  1aeafb4aeda2e03af35db00806c4a752_JaffaCakes118.exe  31
  PID 2864 wrote to memory of 2552   2864  1aeafb4aeda2e03af35db00806c4a752_JaffaCakes118.exe  31
  PID 2864 wrote to memory of 2552   2864  1aeafb4aeda2e03af35db00806c4a752_JaffaCakes118.exe  31
  PID 2864 wrote to memory of 2552   2864  1aeafb4aeda2e03af35db00806c4a752_JaffaCakes118.exe  31
  PID 2864 wrote to memory of 2552   2864  1aeafb4aeda2e03af35db00806c4a752_JaffaCakes118.exe  31
  PID 2864 wrote to memory of 2552   2864  1aeafb4aeda2e03af35db00806c4a752_JaffaCakes118.exe  31
  PID 2864 wrote to memory of 2552   2864  1aeafb4aeda2e03af35db00806c4a752_JaffaCakes118.exe  31
  PID 2864 wrote to memory of 2552   2864  1aeafb4aeda2e03af35db00806c4a752_JaffaCakes118.exe  31
  PID 2864 wrote to memory of 2552   2864  1aeafb4aeda2e03af35db00806c4a752_JaffaCakes118.exe  31
  PID 2864 wrote to memory of 2448   2864  1aeafb4aeda2e03af35db00806c4a752_JaffaCakes118.exe  32
  PID 2864 wrote to memory of 2448   2864  1aeafb4aeda2e03af35db00806c4a752_JaffaCakes118.exe  32
  PID 2864 wrote to memory of 2448   2864  1aeafb4aeda2e03af35db00806c4a752_JaffaCakes118.exe  32
  PID 2864 wrote to memory of 2448   2864  1aeafb4aeda2e03af35db00806c4a752_JaffaCakes118.exe  32
  PID 2448 wrote to memory of 2180   2448  cmd.exe                                             34
  PID 2448 wrote to memory of 2180   2448  cmd.exe                                             34
  PID 2448 wrote to memory of 2180   2448  cmd.exe                                             34
  PID 2448 wrote to memory of 2180   2448  cmd.exe                                             34
Processes
- C:\Users\Admin\AppData\Local\Temp\1aeafb4aeda2e03af35db00806c4a752_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\1aeafb4aeda2e03af35db00806c4a752_JaffaCakes118.exe"
  PID: 2864
  signatures: Loads dropped DLL; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    command line: "cmd.exe"
    PID: 2900
    signatures: NTFS ADS; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\reg.exe
      command line: reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk" /f
      PID: 2608
  - C:\Users\Admin\AppData\Local\Temp\svhost.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
    PID: 2552
    signatures: Executes dropped EXE; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
  - C:\Windows\SysWOW64\cmd.exe
    command line: cmd /c C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.bat
    PID: 2448
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\timeout.exe
      command line: timeout /t 300
      PID: 2180
      signatures: Delays execution with timeout.exe
- C:\Windows\system32\wbem\WmiApSrv.exe
  command line: C:\Windows\system32\wbem\WmiApSrv.exe
  PID: 1896
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 204B
  MD5: bfcbf382f036462e63f307ca4ae280c7
  SHA1: ffe98d15fa5ea205220d6bc105e317253a6ea003
  SHA256: 2c3dd84c3ce3e529117e611d8caf4fc7f5a902840350f4ca524c251a2152c727
  SHA512: 1b912652cc989541b396df5fd6bf207a4cf4ed891dc6e3223b8d0497c19a2589cb644c4c96ca01d882a7643f240c566966d84e46d77e9ad33e05214f8f553d16
- Filesize: 534KB
  MD5: 1aeafb4aeda2e03af35db00806c4a752
  SHA1: dd0a5862ffbccc7949e8fd6407ef4ee717ba4aac
  SHA256: cc29af4836750180f2e29745658cf1fd45302c2dc48c952cf38835370932a6f8
  SHA512: a797b0514d2325f4641d1aca542b2fa6d92f1ef71882f549ba0cc33c48ebc392d72787b4cf63a336c4a4220a47d06b2fe260f157b3d2f4346c7c54472f0edcb9
- Filesize: 85KB
  MD5: 2e5f1cf69f92392f8829fc9c9263ae9b
  SHA1: 97b9ca766bbbdaa8c9ec960dc41b598f7fad82a5
  SHA256: 51985a57e085d8b17042f0cdc1f905380b792854733eb3275fd8fce4e3bb886b
  SHA512: f7e096dd9d0fa3a3c04c01bf229c4b344798a4c8b7b848588c1d78cb9fadfa9b1d0fd53c1fe74d191d5561e9eb551a4a3fc918363f119ea60024dd3d67c83883