Analysis
max time kernel: 148s
max time network: 122s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 14/05/2024, 01:48

Static task: static1
Behavioral task: behavioral1
Sample: 3d7030426830af1ce3e9e06412954688_JaffaCakes118.exe
Resource: win7-20240221-en
General
Target: 3d7030426830af1ce3e9e06412954688_JaffaCakes118.exe
Size: 223KB
MD5: 3d7030426830af1ce3e9e06412954688
SHA1: a664885f5f911b3add94b379c7caa8729ca253d0
SHA256: a409bcf88a07c401c4f6f11be261c80b47c2e5ae29338c7ad5de509ff1eefbd8
SHA512: 9506362a98b64e17d9b8d00347821933e7711fff12cb4d2d5b79041fba58f10551db9f1c9088d8cd051170fcfb6f5de9631c0aa5a76ff5a15c0c3aaab8e782d8
SSDEEP: 6144:UDk3eLcIxMtD67ASSK9xIQF+0jBbFy/Mni+iNHBrCaHl5:x3efMZ6cY9mZuBbFpn1iNHdH
Malware Config
Extracted: formbook
Version: 3.8
go
Domains (65 entries). Formbook configurations embed the live C2 among a list of decoy domains, so this list should be treated as one real C2 plus decoys, not as 65 confirmed C2 hosts:
florimstone.ltd
cristianspataru.com
allavolontahk.com
theartensembleofchicago.com
caixk.com
themirrorprogram.com
app-santa.com
shamelesssoaps.com
adamsgaragedoorservice.com
modelweekpittsburgh.com
xaoz168.com
aquariumcozumel.com
lightpictureriver.com
uhvum.info
chunail.com
soportetecno.com
airfoilone.info
almaguinscientific.com
kupian.net
periovancedental.net
thebaseball.store
fryelawncare.com
rainbowstarllc.com
bantentronix.com
cohousinginfo.info
dalmiainnobuild.com
execairmontana.net
christhighergraceassembly.com
selensahin.com
gcashflow.com
dateondate.com
biznesteleskop.info
mediatechweek.live
lafengzuche.com
kleurcafe.com
bostonrefinanceconnect.com
biockchlan.info
perfectdocuments.services
mig-mhe.com
tv16809.info
planetreporter.info
vmljow.men
tnnbi.info
allpageprotectors.com
referenciadigital.com
nufamili.com
christinalazaridi.net
yihengyanxuan.com
clarktransfersucks.com
kemech.com
northamptontaxii.com
personalizedwalldecals.net
18qplay.com
sexshop.cool
wilderoseart.com
atomic-guru.com
xmfjl.net
hinabita.com
webdenimjeanssale.win
zhejiangluzhiyou.com
jj6455.com
mattjonescamera.com
zmbcloud.com
cjuwu.info
spotekw.com
Signatures

Formbook payload (3 IoCs)
resource | yara_rule
behavioral1/memory/2168-21-0x00000000007A0000-0x00000000007CA000-memory.dmp | formbook
behavioral1/memory/2284-29-0x0000000000400000-0x000000000042A000-memory.dmp | formbook
behavioral1/memory/2284-33-0x0000000000400000-0x000000000042A000-memory.dmp | formbook
The two matches in PID 2284 sit at 0x00400000, the default image base of a 32-bit executable, so the original vbc.exe image has been replaced by the payload (process hollowing). The match in PID 2168 at 0x007A0000 is the unpacked payload staged inside the loader before injection.

Uses the VBS compiler for execution (1 TTP)
vbc.exe is the Visual Basic .NET command-line compiler. In this run it is launched with no arguments and serves only as the host process for the injected payload; no compilation takes place in it.

Suspicious use of SetThreadContext (4 IoCs)
description | pid | Process | procid_target
PID 2168 set thread context of 2284 | 2168 | 3d7030426830af1ce3e9e06412954688_JaffaCakes118.exe | 31
PID 2284 set thread context of 1192 | 2284 | vbc.exe | 21
PID 2284 set thread context of 1192 | 2284 | vbc.exe | 21
PID 2568 set thread context of 1192 | 2568 | NETSTAT.EXE | 21
The first record is the sample hollowing the vbc.exe child it created; the remaining records are the hollowed vbc.exe and later NETSTAT.EXE hijacking a thread in Explorer.EXE, a process neither of them created.

Gathers network information (2 TTPs, 1 IoC)
Uses commandline utility to view network configuration.
pid | Process
2568 | NETSTAT.EXE
Caveat: this signature fires on the image name. In this run NETSTAT.EXE is launched by the already-injected Explorer.EXE, itself sets Explorer's thread context and deletes the vbc.exe path through cmd.exe, so it is a hollowed host for the payload rather than genuine network reconnaissance.

Suspicious behavior: EnumeratesProcesses (33 IoCs)
pid | Process | occurrences
2168 | 3d7030426830af1ce3e9e06412954688_JaffaCakes118.exe | 2
2284 | vbc.exe | 3
2568 | NETSTAT.EXE | 28

Suspicious behavior: MapViewOfSection (6 IoCs)
pid | Process | occurrences
2284 | vbc.exe | 4
2568 | NETSTAT.EXE | 2

Suspicious use of AdjustPrivilegeToken (3 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2168 | 3d7030426830af1ce3e9e06412954688_JaffaCakes118.exe
Token: SeDebugPrivilege | 2284 | vbc.exe
Token: SeDebugPrivilege | 2568 | NETSTAT.EXE

Suspicious use of WriteProcessMemory (23 IoCs)
description | pid | Process | procid_target | occurrences
PID 2168 wrote to memory of 760 | 2168 | 3d7030426830af1ce3e9e06412954688_JaffaCakes118.exe | 28 | 4
PID 760 wrote to memory of 2160 | 760 | csc.exe | 30 | 4
PID 2168 wrote to memory of 2284 | 2168 | 3d7030426830af1ce3e9e06412954688_JaffaCakes118.exe | 31 | 7
PID 1192 wrote to memory of 2568 | 1192 | Explorer.EXE | 32 | 4
PID 2568 wrote to memory of 2520 | 2568 | NETSTAT.EXE | 33 | 4
The writes from 2168 to 760 and from 760 to 2160 are ordinary parent-to-child writes made when csc.exe and cvtres.exe are started; the seven writes from 2168 to 2284, combined with the SetThreadContext record above, are the hollowing of vbc.exe.
Processes
C:\Windows\Explorer.EXE (PID 1192)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\3d7030426830af1ce3e9e06412954688_JaffaCakes118.exe (PID 2168)
    Command line: "C:\Users\Admin\AppData\Local\Temp\3d7030426830af1ce3e9e06412954688_JaffaCakes118.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe (PID 760)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qhca1hs1\qhca1hs1.cmdline"
      - Suspicious use of WriteProcessMemory
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe (PID 2160)
        Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1F05.tmp" "c:\Users\Admin\AppData\Local\Temp\qhca1hs1\CSC53C0417C9BF54F3F89122B6E5013985.TMP"
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 2284)
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\NETSTAT.EXE (PID 2568)
    Command line: "C:\Windows\SysWOW64\NETSTAT.EXE"
    - Suspicious use of SetThreadContext
    - Gathers network information
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (PID 2520)
      Command line: /c del "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"

Reading the tree together with the SetThreadContext and WriteProcessMemory tables gives the execution chain. The sample (2168) first drives csc.exe and cvtres.exe through a response file in its own Temp directory, the pattern of a .NET loader compiling code at runtime. It then starts vbc.exe (2284), writes to it and sets its thread context, i.e. hollows it. The hollowed vbc.exe sets the thread context of Explorer.EXE (1192). Explorer then launches NETSTAT.EXE (2568), which sets Explorer's thread context in turn, shows the same MapViewOfSection and SeDebugPrivilege behaviour as vbc.exe, and uses cmd.exe to delete the vbc.exe path. Apart from the sample itself, every image in the chain is a stock Windows or .NET Framework binary used as a host, so image-name-based detection alone will not catch it; the parent/child relationships and the cross-process thread-context writes are the signal.
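The chain above is recorded as separate events in separate tables. The following added Python script, written for this page and not part of the tria.ge report or any of its tooling, reconstructs the chain from the process tree and the SetThreadContext records transcribed from the report, and flags the three patterns a detection engineer would want: a process calling SetThreadContext on a child it just created (hollowing, here 2168 on vbc.exe), SetThreadContext against an unrelated process (2284 and 2568 on Explorer.EXE), and a process started by the injected Explorer that hijacks a thread and then deletes an earlier hollowed image through cmd.exe. The record layout, function names and finding labels are this example's own conventions, not tria.ge's.

```python
"""Reconstruct the process-injection chain from sandbox behaviour records.

PROCS and THREAD_CTX are transcribed from the report above (process tree and
the 'Suspicious use of SetThreadContext' table). The field names, Finding
labels and rule logic are this example's own conventions.
"""
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid image cmdline")
ThreadCtx = namedtuple("ThreadCtx", "src_pid dst_pid")  # src set thread context of dst
Finding = namedtuple("Finding", "kind pid detail")

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\3d7030426830af1ce3e9e06412954688_JaffaCakes118.exe"
VBC = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"

PROCS = [
    Proc(1192, None, r"C:\Windows\Explorer.EXE", ""),
    Proc(2168, 1192, SAMPLE, ""),
    Proc(760, 2168, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
         r'/noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qhca1hs1\qhca1hs1.cmdline"'),
    Proc(2160, 760, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe",
         r'/NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1F05.tmp"'),
    Proc(2284, 2168, VBC, ""),
    Proc(2568, 1192, r"C:\Windows\SysWOW64\NETSTAT.EXE", ""),
    Proc(2520, 2568, r"C:\Windows\SysWOW64\cmd.exe", f'/c del "{VBC}"'),
]
# The report lists the 2284 -> 1192 record twice; the rule de-duplicates it.
THREAD_CTX = [ThreadCtx(2168, 2284), ThreadCtx(2284, 1192),
              ThreadCtx(2284, 1192), ThreadCtx(2568, 1192)]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def analyze(procs, thread_ctx):
    by_pid = {p.pid: p for p in procs}
    findings, hollowed = [], set()

    # Rules 1 and 2: SetThreadContext on a process you created is the hollowing
    # pattern; on anything else it is a cross-process thread hijack.
    for ev in dict.fromkeys(thread_ctx):
        src, dst = by_pid[ev.src_pid], by_pid[ev.dst_pid]
        if dst.ppid == src.pid:
            hollowed.add(dst.pid)
            findings.append(Finding("hollowed_child", dst.pid,
                f"{basename(src.image)} ({src.pid}) set thread context of its child {basename(dst.image)}"))
        else:
            findings.append(Finding("thread_hijack", dst.pid,
                f"{basename(src.image)} ({src.pid}) set thread context of unrelated {basename(dst.image)}"))

    # Rule 3: the C# compiler driven by a response file under the user's Temp
    # directory, i.e. code compiled at runtime rather than by a build tool.
    for p in procs:
        if basename(p.image) == "csc.exe" and "\\appdata\\local\\temp\\" in p.cmdline.lower():
            findings.append(Finding("runtime_compile", p.pid,
                f"csc.exe spawned by {basename(by_pid[p.ppid].image)} with response file in Temp"))

    # Rule 4: a child of a hijacked process that itself hijacks a thread and then
    # runs cmd.exe to delete the image of a process hollowed earlier in the chain.
    hijacked = {f.pid for f in findings if f.kind == "thread_hijack"}
    hollowed_images = {by_pid[h].image.lower() for h in hollowed}
    for p in procs:
        if p.ppid in hijacked and any(e.src_pid == p.pid for e in thread_ctx):
            for child in procs:
                if child.ppid != p.pid or basename(child.image) != "cmd.exe":
                    continue
                quoted = child.cmdline.split('"')
                if "del" in child.cmdline.lower() and len(quoted) > 1 and quoted[1].lower() in hollowed_images:
                    findings.append(Finding("explorer_pivot_cleanup", p.pid,
                        f"{basename(p.image)} spawned by hijacked {basename(by_pid[p.ppid].image)} deletes {quoted[1]}"))
    return findings


if __name__ == "__main__":
    for f in analyze(PROCS, THREAD_CTX):
        print(f"{f.kind:24} pid={f.pid:<5} {f.detail}")
```

The same four rules map directly onto Sysmon telemetry on a live host: process creation (event ID 1) supplies PROCS, and CreateRemoteThread (event ID 8) or ProcessAccess with THREAD_SET_CONTEXT rights (event ID 10) supplies the THREAD_CTX edges. Rule 4 deliberately keys on the parent being a hijack target rather than on the name NETSTAT.EXE, since the host binary chosen from SysWOW64 varies between runs.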
TTP mapping: MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1KB
MD5: 159870df680b9fe918ba8599c1836864
SHA1: 3f958a49a2d63b268d974b68b67a7f73ee6c9621
SHA256: 3349d9ddcc641fa28060904abefc7ebe8cf3fd6655f1dac076ed7d8af870cefa
SHA512: dac345967b9ec497e561f12549c6500a88994024d226747f186a222e7552054a3ef5945fd939185c12ac9712b1c6fa885805fd3cb859628a98e81c3d8794ca04

Filesize: 9KB
MD5: 8a2f11b8f7fe4087eb6cb4bec569e68e
SHA1: 4dee5fdcfb9c1e65b17f36efa873ca954208b2bc
SHA256: ec1e99b9bb8a6e190b23a621597e7c963de2f8206baa867d5152216353a3e81a
SHA512: f3e0d11cdac91fd03d2c55125634cc0386a10765046a1771762855ced69996455c0700af4674483ed3ee3ab790cacf687e470df3c62b64b5b856c0a8f9f8dd4c

Filesize: 29KB
MD5: fb56b4fadabcba6f1a6c7ee71bb222a5
SHA1: 59d1bfd25de1224189d0d4ad84241b53df6ea265
SHA256: ce0f4791c9c40a251d01ed3f600405ae988b97556ae2755c0b452994792ced20
SHA512: c6808aefbca6add7142ab7f8d0a249b75e2fe4536edc02b6845b6477195a263fd94b39d9c0e177be23a858449bcb0eded129d0f217f15440c57d31bb5b301e37

Filesize: 1KB
MD5: d202a2dd47432448eebe063608c30deb
SHA1: 3d243387af3459433eb9cdc28ba598bae5707a54
SHA256: afd2598a519704f7f9b6e6205c9e5298908e88b89bfe9cb77f9ac635d2b1d27b
SHA512: 129a24f5f0c4ec5d540479adfa7031457acc867a5e6a7f8e98a2a0c0fe6a8ba152a9ce0c8ec7fc4821b45a4563de50cbdcf1ac4935342cca38f1783e6bac61ec

Filesize: 10KB
MD5: e47fdad24b231f8d108b657ef13bd7da
SHA1: 1e96959956ae8602c7124eb933d15ea7d5b2f5e9
SHA256: 07af294f4449dcfd41ae0a99b0f840b0163d2df2f63fdfc59204a6b5c794b176
SHA512: caa3045d7e74bd9fd43fc2804d3b6f23977f140e4ff91d750b21ea347408823a2338eaab1bc00120d79a88e532a97ae3b898fa3d08c3f97f1107a859988f49c2

Filesize: 248B
MD5: 1085906c898c1a87f8177a81d3affccc
SHA1: 38f364bfbf631bd197b9683b85b662692567d766
SHA256: be2f06f67baf6ac0c6915afa77111e70ee7506c5e8ecdc919eb76c1e0a60ffde
SHA512: 671b191b54104ebde934e050f43e31efe08ae9230ef563526b86c8ddd6ebf115600f04d392f0a777bd160d5a806d530a6235d3b7e74dcc558dc6b1268964d950