Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
141s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
16/05/2024, 17:12
Static task
static1
Behavioral task
behavioral1
Sample
4c2bf873680a8b3a7683402c4e927454_JaffaCakes118.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
4c2bf873680a8b3a7683402c4e927454_JaffaCakes118.exe
Resource
win10v2004-20240508-en
General
-
Target
4c2bf873680a8b3a7683402c4e927454_JaffaCakes118.exe
-
Size
914KB
-
MD5
4c2bf873680a8b3a7683402c4e927454
-
SHA1
3c18a1acbc8be3de0caa9b6fa1025cf58f7b71c5
-
SHA256
7f574eccc7ab5287fa1cb3c0e35fe819388a9a0f73bd2243f977d2f2175772e0
-
SHA512
ffe25102078df09de4fce6feb84a5b927f8b172903a1f03f415b65927635a058acb312d73887ee1221f7e93848134518f5bd625dbcda8c469b782784b96f2e9e
-
SSDEEP
12288:IHw5jSoveo/+YqiMXIRfm5PgAoB4TqEmvyhhUvogdpMi74zxLqo7t:ow5tvMv0fmJuKOsUvoapkd+ox
Malware Config
Signatures
-
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Enumerates VirtualBox registry keys 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest 4c2bf873680a8b3a7683402c4e927454_JaffaCakes118.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\International\Geo\Nation 4c2bf873680a8b3a7683402c4e927454_JaffaCakes118.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 1132 4c2bf873680a8b3a7683402c4e927454_JaffaCakes118.exe 1132 4c2bf873680a8b3a7683402c4e927454_JaffaCakes118.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1132 4c2bf873680a8b3a7683402c4e927454_JaffaCakes118.exe -
Suspicious use of AdjustPrivilegeToken 23 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 1132 4c2bf873680a8b3a7683402c4e927454_JaffaCakes118.exe Token: SeSecurityPrivilege 1132 4c2bf873680a8b3a7683402c4e927454_JaffaCakes118.exe Token: SeTakeOwnershipPrivilege 1132 4c2bf873680a8b3a7683402c4e927454_JaffaCakes118.exe Token: SeLoadDriverPrivilege 1132 4c2bf873680a8b3a7683402c4e927454_JaffaCakes118.exe Token: SeSystemProfilePrivilege 1132 4c2bf873680a8b3a7683402c4e927454_JaffaCakes118.exe Token: SeSystemtimePrivilege 1132 4c2bf873680a8b3a7683402c4e927454_JaffaCakes118.exe Token: SeProfSingleProcessPrivilege 1132 4c2bf873680a8b3a7683402c4e927454_JaffaCakes118.exe Token: SeIncBasePriorityPrivilege 1132 4c2bf873680a8b3a7683402c4e927454_JaffaCakes118.exe Token: SeCreatePagefilePrivilege 1132 4c2bf873680a8b3a7683402c4e927454_JaffaCakes118.exe Token: SeBackupPrivilege 1132 4c2bf873680a8b3a7683402c4e927454_JaffaCakes118.exe Token: SeRestorePrivilege 1132 4c2bf873680a8b3a7683402c4e927454_JaffaCakes118.exe Token: SeShutdownPrivilege 1132 4c2bf873680a8b3a7683402c4e927454_JaffaCakes118.exe Token: SeDebugPrivilege 1132 4c2bf873680a8b3a7683402c4e927454_JaffaCakes118.exe Token: SeSystemEnvironmentPrivilege 1132 4c2bf873680a8b3a7683402c4e927454_JaffaCakes118.exe Token: SeChangeNotifyPrivilege 1132 4c2bf873680a8b3a7683402c4e927454_JaffaCakes118.exe Token: SeRemoteShutdownPrivilege 1132 4c2bf873680a8b3a7683402c4e927454_JaffaCakes118.exe Token: SeUndockPrivilege 1132 4c2bf873680a8b3a7683402c4e927454_JaffaCakes118.exe Token: SeManageVolumePrivilege 1132 4c2bf873680a8b3a7683402c4e927454_JaffaCakes118.exe Token: SeImpersonatePrivilege 1132 4c2bf873680a8b3a7683402c4e927454_JaffaCakes118.exe Token: SeCreateGlobalPrivilege 1132 4c2bf873680a8b3a7683402c4e927454_JaffaCakes118.exe Token: 33 1132 4c2bf873680a8b3a7683402c4e927454_JaffaCakes118.exe Token: 34 1132 4c2bf873680a8b3a7683402c4e927454_JaffaCakes118.exe Token: 35 1132 4c2bf873680a8b3a7683402c4e927454_JaffaCakes118.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\4c2bf873680a8b3a7683402c4e927454_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\4c2bf873680a8b3a7683402c4e927454_JaffaCakes118.exe"1⤵
- Enumerates VirtualBox registry keys
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1132