Analysis
max time kernel: 149s
max time network: 143s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 10/05/2024, 22:15
Static task: static1
Behavioral task: behavioral1
Sample: 314c0ebd520a6431f89af4505f288a66_JaffaCakes118.exe
Resource: win7-20231129-en
General
Target: 314c0ebd520a6431f89af4505f288a66_JaffaCakes118.exe
Size: 1.4MB
MD5: 314c0ebd520a6431f89af4505f288a66
SHA1: 9ec0fe94a513c9b0a6e9a4206836b23f2c4f283d
SHA256: f0231b41ac1add2e3b8f831ccdb2311de4ed1cf9e8d919b51ca7bef4d7c40419
SHA512: c78ba2e86979df7a6dc647bbe4e259201122386da11d3915b470ef47442d868dd960f0f2ff4d4cba4f0e4ac1fe6aae16bc468acfba68ec76dfe4d9fbc73b33c5
SSDEEP: 24576:TARtQVeYMNoq8joOKQTStYYwkYAxAbYEPWtE+AJMfMGIGEa8Z8h8avemVNL6UwIm:TAR+eY4L8jo3EwYYjYAxAbYED+qQMGIh
Malware Config
Signatures
Detect Blackmoon payload (5 IoCs)
resource | yara_rule
behavioral1/files/0x000c000000013113-6.dat | family_blackmoon
behavioral1/memory/2752-30-0x0000000010000000-0x00000000100A0000-memory.dmp | family_blackmoon
behavioral1/files/0x0008000000013a21-32.dat | family_blackmoon
behavioral1/memory/2752-33-0x0000000000540000-0x0000000000597000-memory.dmp | family_blackmoon
behavioral1/memory/2752-93-0x0000000010000000-0x00000000100A0000-memory.dmp | family_blackmoon
Deletes itself (1 IoCs)
pid | Process
2796 | cmd.exe
Executes dropped EXE (3 IoCs)
pid | Process
2616 | utgza.exe
1160 | 94rb3ue.exe
1204 | Explorer.EXE
Loads dropped DLL (10 IoCs)
pid | Process
2752 | svchost.exe (6 IoCs)
2616 | utgza.exe (4 IoCs)

resource | yara_rule
behavioral1/memory/2616-58-0x00000000013A0000-0x00000000013D8000-memory.dmp | vmprotect
behavioral1/memory/2616-59-0x00000000013A0000-0x00000000013D8000-memory.dmp | vmprotect
behavioral1/files/0x000b000000014120-55.dat | vmprotect
behavioral1/memory/2616-53-0x0000000010000000-0x0000000010093000-memory.dmp | vmprotect
behavioral1/memory/2616-52-0x0000000010000000-0x0000000010093000-memory.dmp | vmprotect
behavioral1/files/0x000a0000000139d8-49.dat | vmprotect
behavioral1/memory/2616-96-0x0000000010000000-0x0000000010093000-memory.dmp | vmprotect
behavioral1/memory/2616-100-0x00000000013A0000-0x00000000013D8000-memory.dmp | vmprotect
Drops file in System32 directory (4 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\Doxve32.dll | 314c0ebd520a6431f89af4505f288a66_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\qwton.dll | svchost.exe
File created | C:\Windows\SysWOW64\hnpon.dll | svchost.exe
File created | C:\Windows\SysWOW64\onml.dll | svchost.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
pid | Process
2752 | svchost.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Gathers network information (2 TTPs, 1 IoCs)
Uses commandline utility to view network configuration.
pid | Process
1816 | ipconfig.exe
Runs ping.exe (1 TTPs, 1 IoCs)
pid | Process
2596 | PING.EXE
Suspicious behavior: EnumeratesProcesses (16 IoCs)
pid | Process
2616 | utgza.exe (15 IoCs)
1160 | 94rb3ue.exe (1 IoC)
Suspicious use of AdjustPrivilegeToken (7 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2028 | 314c0ebd520a6431f89af4505f288a66_JaffaCakes118.exe
Token: SeDebugPrivilege | 2752 | svchost.exe
Token: SeTcbPrivilege | 2752 | svchost.exe
Token: SeDebugPrivilege | 2752 | svchost.exe
Token: SeDebugPrivilege | 2616 | utgza.exe
Token: SeDebugPrivilege | 1160 | 94rb3ue.exe
Token: SeDebugPrivilege | 1204 | Explorer.EXE
Suspicious use of FindShellTrayWindow (2 IoCs)
pid | Process
1204 | Explorer.EXE (2 IoCs)
Suspicious use of SendNotifyMessage (2 IoCs)
pid | Process
1204 | Explorer.EXE (2 IoCs)
Suspicious use of WriteProcessMemory (26 IoCs)
description | pid | Process | procid_target
PID 2028 wrote to memory of 2752 | 2028 | 314c0ebd520a6431f89af4505f288a66_JaffaCakes118.exe | 28 (5 IoCs)
PID 2028 wrote to memory of 2796 | 2028 | 314c0ebd520a6431f89af4505f288a66_JaffaCakes118.exe | 29 (4 IoCs)
PID 2796 wrote to memory of 2596 | 2796 | cmd.exe | 31 (4 IoCs)
PID 2752 wrote to memory of 2616 | 2752 | svchost.exe | 32 (4 IoCs)
PID 2752 wrote to memory of 1816 | 2752 | svchost.exe | 33 (4 IoCs)
PID 2616 wrote to memory of 1160 | 2616 | utgza.exe | 35 (4 IoCs)
PID 1160 wrote to memory of 1204 | 1160 | 94rb3ue.exe | 21 (1 IoC)
Processes
C:\Windows\Explorer.EXE (PID 1204)
  command line: C:\Windows\Explorer.EXE
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  C:\Users\Admin\AppData\Local\Temp\314c0ebd520a6431f89af4505f288a66_JaffaCakes118.exe (PID 2028)
    command line: "C:\Users\Admin\AppData\Local\Temp\314c0ebd520a6431f89af4505f288a66_JaffaCakes118.exe"
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\syswow64\svchost.exe (PID 2752)
      command line: C:\Windows\syswow64\svchost.exe -k LocalFileCaches
      - Loads dropped DLL
      - Drops file in System32 directory
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\utgza.exe (PID 2616)
        command line: C:\Users\Admin\AppData\Local\Temp\utgza.exe
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\94rb3ue.exe (PID 1160)
          command line: "C:\Users\Admin\AppData\Local\Temp\94rb3ue.exe"
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
      C:\windows\SysWOW64\ipconfig.exe (PID 1816)
        command line: /flushdns
        - Gathers network information
    C:\Windows\SysWOW64\cmd.exe (PID 2796)
      command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\4001.bat" "
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\PING.EXE (PID 2596)
        command line: ping 1.0.0.1 -n
        - Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Downloads