Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 149s
max time network: 150s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 09/05/2024, 14:35
Static task: static1
Behavioral task: behavioral1
Sample: 2a6c125d7ddbdf876a132dad12f33d34_JaffaCakes118.exe
Resource: win7-20240220-en
General
Target: 2a6c125d7ddbdf876a132dad12f33d34_JaffaCakes118.exe
Size: 3.1MB
MD5: 2a6c125d7ddbdf876a132dad12f33d34
SHA1: 961dae6d9cac36b3cb7a2ef1f63792af56b4c1d9
SHA256: b32a1cc7bf5666616499860b1c75db6a19fbd31dad2be7ef5f13720dec6939af
SHA512: fa3f90ae6d922dec6c1cf2c60efeca7bf189e0f901dc893539c45e6ea35f94b30e835db748c3b48d31ed452628ccc7319ca92341aa7c8f3ced56f8be9dc6e506
SSDEEP: 49152:AUfYxziGK24+ZnH/XGiLVDd2Md9UySlEO+lFBe/kEcbycuhAOOdudfV6wetNcLlV:A+YxGJWH/XNHd2KRqkPycu1Oafr+er
Malware Config
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs
description   ioc                                           Process
Key opened    \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__   update.exe
Key opened    \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__   WindowsSystem.exe
Key opened    \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__   WindowsSystem.exe
Key opened    \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__   WindowsSystem.exe
Sets file to hidden 1 TTPs 1 IoCs
Modifies file attributes to stop it showing in Explorer etc.
pid    Process
2980   attrib.exe
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description         ioc                                                              Process
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion   update.exe
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion    update.exe
Drops startup file 1 IoCs
description    ioc                                                                                              Process
File created   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System Recovery.lnk   update.exe
Executes dropped EXE 4 IoCs
pid    Process
2076   update.exe
2416   WindowsSystem.exe
1044   WindowsSystem.exe
2224   WindowsSystem.exe
Identifies Wine through registry keys 2 TTPs 4 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description   ioc                                                                              Process
Key opened    \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Wine   update.exe
Key opened    \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Wine   WindowsSystem.exe
Key opened    \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Wine   WindowsSystem.exe
Key opened    \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Wine   WindowsSystem.exe
Loads dropped DLL 4 IoCs
pid    Process
2468   2a6c125d7ddbdf876a132dad12f33d34_JaffaCakes118.exe
2468   2a6c125d7ddbdf876a132dad12f33d34_JaffaCakes118.exe
2468   2a6c125d7ddbdf876a132dad12f33d34_JaffaCakes118.exe
2468   2a6c125d7ddbdf876a132dad12f33d34_JaffaCakes118.exe
Checks whether UAC is enabled 1 IoCs
description         ioc                                                                           Process
Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   update.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid    Process
2076   update.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid    Process
2496   schtasks.exe
2588   schtasks.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid    Process
2076   update.exe   (64 identical entries)
Suspicious use of WriteProcessMemory 40 IoCs
description                        pid    Process                                              procid_target   count
PID 2468 wrote to memory of 2076   2468   2a6c125d7ddbdf876a132dad12f33d34_JaffaCakes118.exe   28              7
PID 2076 wrote to memory of 2980   2076   update.exe                                           29              7
PID 2076 wrote to memory of 2496   2076   update.exe                                           31              7
PID 2076 wrote to memory of 2588   2076   update.exe                                           32              7
PID 2580 wrote to memory of 2416   2580   taskeng.exe                                          37              4
PID 2580 wrote to memory of 1044   2580   taskeng.exe                                          40              4
PID 2580 wrote to memory of 2224   2580   taskeng.exe                                          41              4
Views/modifies file attributes 1 TTPs 1 IoCs
pid    Process
2980   attrib.exe
Processes
[1] C:\Users\Admin\AppData\Local\Temp\2a6c125d7ddbdf876a132dad12f33d34_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\2a6c125d7ddbdf876a132dad12f33d34_JaffaCakes118.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID: 2468
    [2] C:\ProgramData\Adobe\Update\update.exe
        Command line: "C:\ProgramData\Adobe\Update\update.exe"
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Drops startup file
        - Executes dropped EXE
        - Identifies Wine through registry keys
        - Checks whether UAC is enabled
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        PID: 2076
        [3] C:\Windows\SysWOW64\attrib.exe
            Command line: attrib +s +h C:\ProgramData\WindowsSystem.exe
            - Sets file to hidden
            - Views/modifies file attributes
            PID: 2980
        [3] C:\Windows\SysWOW64\schtasks.exe
            Command line: schtasks /create /tn \Windows\RecoveryProgram /tr "C:\ProgramData\WindowsSystem.exe" /st 00:00 /sc once /du 9999:59 /ri 1 /f
            - Creates scheduled task(s)
            PID: 2496
        [3] C:\Windows\SysWOW64\schtasks.exe
            Command line: schtasks /create /tn \Windows\WindowsRun /tr "C:\ProgramData\WindowsSystem.exe" /st 00:00 /sc once /du 9999:59 /ri 50 /f
            - Creates scheduled task(s)
            PID: 2588
[1] C:\Windows\system32\taskeng.exe
    Command line: taskeng.exe {41989DE3-4B6D-47D0-AAAB-193CC6E09DBE} S-1-5-21-2721934792-624042501-2768869379-1000:BISMIZHX\Admin:Interactive:[1]
    - Suspicious use of WriteProcessMemory
    PID: 2580
    [2] C:\ProgramData\WindowsSystem.exe
        Command line: C:\ProgramData\WindowsSystem.exe
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Executes dropped EXE
        - Identifies Wine through registry keys
        PID: 2416
    [2] C:\ProgramData\WindowsSystem.exe
        Command line: C:\ProgramData\WindowsSystem.exe
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Executes dropped EXE
        - Identifies Wine through registry keys
        PID: 1044
    [2] C:\ProgramData\WindowsSystem.exe
        Command line: C:\ProgramData\WindowsSystem.exe
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Executes dropped EXE
        - Identifies Wine through registry keys
        PID: 2224
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 3.2MB
MD5: d3c9641a71a67675dd06cf2379a274f4
SHA1: ba1300928afed6454ad49aac0c42e09ff2363717
SHA256: 974211f8998573e6b221640dc2700c28b59744d9a1147182e7923fb6bf5f89c1
SHA512: f9bc8765e9df699362bb18dbbb02112b6f8486e9befb7bfdfec0a1dd5f5dcb027cc55e86382189bb397689d565054d145ad449360047ecf010a9661511d1f6b0