Analysis
- max time kernel: 120s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 09/05/2024, 23:18
Static task: static1
Behavioral task: behavioral1
- Sample: 2c32fd77b49e9b461502bd7b962b3958_JaffaCakes118.msi
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 2c32fd77b49e9b461502bd7b962b3958_JaffaCakes118.msi
- Resource: win10v2004-20240426-en
General
- Target: 2c32fd77b49e9b461502bd7b962b3958_JaffaCakes118.msi
- Size: 448KB
- MD5: 2c32fd77b49e9b461502bd7b962b3958
- SHA1: c1ac57ee5ff6d01ede7d6b23fd1b8521d01b77ec
- SHA256: 2e3a530f6f30e32e7d982308747f0f9015c37e651939dc8e0982b38425e5cfa0
- SHA512: e3beb16e77667c3f6014ca180151c03699e0a609100abb53e5012a86588eb3f3029c9e4be48b24d9d2fc945f8e61d33fc66d218649f5e5f87b6120891f297287
- SSDEEP: 12288:dER6Wq4aaE6KwyF5L0Y2D1PqLoHPvCMaD:dEnthEVaPqLIPs
Malware Config
Signatures
- Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | Process
  File opened (read-only) | \??\K: | msiexec.exe
  File opened (read-only) | \??\M: | msiexec.exe
  File opened (read-only) | \??\S: | msiexec.exe
  File opened (read-only) | \??\W: | msiexec.exe
  File opened (read-only) | \??\Y: | msiexec.exe
  File opened (read-only) | \??\P: | msiexec.exe
  File opened (read-only) | \??\R: | msiexec.exe
  File opened (read-only) | \??\U: | msiexec.exe
  File opened (read-only) | \??\X: | msiexec.exe
  File opened (read-only) | \??\Z: | msiexec.exe
  File opened (read-only) | \??\E: | msiexec.exe
  File opened (read-only) | \??\Q: | msiexec.exe
  File opened (read-only) | \??\T: | msiexec..exe
  File opened (read-only) | \??\J: | msiexec.exe
  File opened (read-only) | \??\L: | msiexec.exe
  File opened (read-only) | \??\N: | msiexec.exe
  File opened (read-only) | \??\A: | msiexec.exe
  File opened (read-only) | \??\B: | msiexec.exe
  File opened (read-only) | \??\G: | msiexec.exe
  File opened (read-only) | \??\H: | msiexec.exe
  File opened (read-only) | \??\I: | msiexec.exe
  File opened (read-only) | \??\O: | msiexec.exe
  File opened (read-only) | \??\V: | msiexec.exe
- Suspicious use of AdjustPrivilegeToken (42 IoCs)
  description | pid | Process
  Token: SeShutdownPrivilege | 2164 | msiexec.exe
  Token: SeIncreaseQuotaPrivilege | 2164 | msiexec.exe
  Token: SeRestorePrivilege | 2928 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 2928 | msiexec.exe
  Token: SeSecurityPrivilege | 2928 | msiexec.exe
  Token: SeCreateTokenPrivilege | 2164 | msiexec.exe
  Token: SeAssignPrimaryTokenPrivilege | 2164 | msiexec.exe
  Token: SeLockMemoryPrivilege | 2164 | msiexec.exe
  Token: SeIncreaseQuotaPrivilege | 2164 | msiexec.exe
  Token: SeMachineAccountPrivilege | 2164 | msiexec.exe
  Token: SeTcbPrivilege | 2164 | msiexec.exe
  Token: SeSecurityPrivilege | 2164 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 2164 | msiexec.exe
  Token: SeLoadDriverPrivilege | 2164 | msiexec.exe
  Token: SeSystemProfilePrivilege | 2164 | msiexec.exe
  Token: SeSystemtimePrivilege | 2164 | msiexec.exe
  Token: SeProfSingleProcessPrivilege | 2164 | msiexec.exe
  Token: SeIncBasePriorityPrivilege | 2164 | msiexec.exe
  Token: SeCreatePagefilePrivilege | 2164 | msiexec.exe
  Token: SeCreatePermanentPrivilege | 2164 | msiexec.exe
  Token: SeBackupPrivilege | 2164 | msiexec.exe
  Token: SeRestorePrivilege | 2164 | msiexec.exe
  Token: SeShutdownPrivilege | 2164 | msiexec.exe
  Token: SeDebugPrivilege | 2164 | msiexec.exe
  Token: SeAuditPrivilege | 2164 | msiexec.exe
  Token: SeSystemEnvironmentPrivilege | 2164 | msiexec.exe
  Token: SeChangeNotifyPrivilege | 2164 | msiexec.exe
  Token: SeRemoteShutdownPrivilege | 2164 | msiexec.exe
  Token: SeUndockPrivilege | 2164 | msiexec.exe
  Token: SeSyncAgentPrivilege | 2164 | msiexec.exe
  Token: SeEnableDelegationPrivilege | 2164 | msiexec.exe
  Token: SeManageVolumePrivilege | 2164 | msiexec.exe
  Token: SeImpersonatePrivilege | 2164 | msiexec.exe
  Token: SeCreateGlobalPrivilege | 2164 | msiexec.exe
  Token: SeBackupPrivilege | 2620 | vssvc.exe
  Token: SeRestorePrivilege | 2620 | vssvc.exe
  Token: SeAuditPrivilege | 2620 | vssvc.exe
  Token: SeBackupPrivilege | 2928 | msiexec.exe
  Token: SeRestorePrivilege | 2928 | msiexec.exe
  Token: SeRestorePrivilege | 1244 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 1244 | msiexec.exe
  Token: SeSecurityPrivilege | 1244 | msiexec.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
  pid | Process
  2164 | msiexec.exe
  2164 | msiexec.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 2928 wrote to memory of 2676 | 2928 | msiexec.exe | 31
  PID 2928 wrote to memory of 2676 | 2928 | msiexec.exe | 31
  PID 2928 wrote to memory of 2676 | 2928 | msiexec.exe | 31
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\2c32fd77b49e9b461502bd7b962b3958_JaffaCakes118.msi
  PID: 2164
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 2928
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\WerFault.exe (child process)
    Command line: C:\Windows\system32\WerFault.exe -u -p 2928 -s 812
    PID: 2676
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 2620
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 1244
  - Suspicious use of AdjustPrivilegeToken