Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
120s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
22/05/2024, 03:45
Static task
static1
Behavioral task
behavioral1
Sample
65e52dca58cfd731f7956d6be27fe05b_JaffaCakes118.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
65e52dca58cfd731f7956d6be27fe05b_JaffaCakes118.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/ZipDLL.dll
Resource
win7-20231129-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/ZipDLL.dll
Resource
win10v2004-20240426-en
Behavioral task
behavioral5
Sample
$PLUGINSDIR/ffumgqx.dll
Resource
win7-20240419-en
Behavioral task
behavioral6
Sample
$PLUGINSDIR/ffumgqx.dll
Resource
win10v2004-20240426-en
General
-
Target
65e52dca58cfd731f7956d6be27fe05b_JaffaCakes118.exe
-
Size
720KB
-
MD5
65e52dca58cfd731f7956d6be27fe05b
-
SHA1
b1737bf2456d9b9bf8c66eb845ff6c5949731c87
-
SHA256
211b7b4180b5cecae6b56da91d98b9041d89500f8e1456c943c53add36772749
-
SHA512
5c95994227b199ae14ba0d8477bd0ac28ea6b660a348f9edc6afc9ef3d1e593e1f0d84448077386447e5f02db6fe55d9d86b70d33eb8b7e4a2d5319443ef83ef
-
SSDEEP
12288:72Ld3OqCOnrAd7F3ZzrtbOmAmIwa59gnaeqlqMkl8eqEE+Wfc8vy4hf:6Ld3OBWrmx3ZzOOa56k3kiejD86U
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 2556 bedhjggbdh.exe -
Loads dropped DLL 11 IoCs
pid Process 1732 65e52dca58cfd731f7956d6be27fe05b_JaffaCakes118.exe 1732 65e52dca58cfd731f7956d6be27fe05b_JaffaCakes118.exe 1732 65e52dca58cfd731f7956d6be27fe05b_JaffaCakes118.exe 1732 65e52dca58cfd731f7956d6be27fe05b_JaffaCakes118.exe 864 WerFault.exe 864 WerFault.exe 864 WerFault.exe 864 WerFault.exe 864 WerFault.exe 864 WerFault.exe 864 WerFault.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 864 2556 WerFault.exe 28 -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 2728 wmic.exe Token: SeSecurityPrivilege 2728 wmic.exe Token: SeTakeOwnershipPrivilege 2728 wmic.exe Token: SeLoadDriverPrivilege 2728 wmic.exe Token: SeSystemProfilePrivilege 2728 wmic.exe Token: SeSystemtimePrivilege 2728 wmic.exe Token: SeProfSingleProcessPrivilege 2728 wmic.exe Token: SeIncBasePriorityPrivilege 2728 wmic.exe Token: SeCreatePagefilePrivilege 2728 wmic.exe Token: SeBackupPrivilege 2728 wmic.exe Token: SeRestorePrivilege 2728 wmic.exe Token: SeShutdownPrivilege 2728 wmic.exe Token: SeDebugPrivilege 2728 wmic.exe Token: SeSystemEnvironmentPrivilege 2728 wmic.exe Token: SeRemoteShutdownPrivilege 2728 wmic.exe Token: SeUndockPrivilege 2728 wmic.exe Token: SeManageVolumePrivilege 2728 wmic.exe Token: 33 2728 wmic.exe Token: 34 2728 wmic.exe Token: 35 2728 wmic.exe Token: SeIncreaseQuotaPrivilege 2728 wmic.exe Token: SeSecurityPrivilege 2728 wmic.exe Token: SeTakeOwnershipPrivilege 2728 wmic.exe Token: SeLoadDriverPrivilege 2728 wmic.exe Token: SeSystemProfilePrivilege 2728 wmic.exe Token: SeSystemtimePrivilege 2728 wmic.exe Token: SeProfSingleProcessPrivilege 2728 wmic.exe Token: SeIncBasePriorityPrivilege 2728 wmic.exe Token: SeCreatePagefilePrivilege 2728 wmic.exe Token: SeBackupPrivilege 2728 wmic.exe Token: SeRestorePrivilege 2728 wmic.exe Token: SeShutdownPrivilege 2728 wmic.exe Token: SeDebugPrivilege 2728 wmic.exe Token: SeSystemEnvironmentPrivilege 2728 wmic.exe Token: SeRemoteShutdownPrivilege 2728 wmic.exe Token: SeUndockPrivilege 2728 wmic.exe Token: SeManageVolumePrivilege 2728 wmic.exe Token: 33 2728 wmic.exe Token: 34 2728 wmic.exe Token: 35 2728 wmic.exe Token: SeIncreaseQuotaPrivilege 2384 wmic.exe Token: SeSecurityPrivilege 2384 wmic.exe Token: SeTakeOwnershipPrivilege 2384 wmic.exe Token: SeLoadDriverPrivilege 2384 wmic.exe Token: SeSystemProfilePrivilege 2384 wmic.exe Token: SeSystemtimePrivilege 2384 wmic.exe Token: SeProfSingleProcessPrivilege 2384 wmic.exe Token: SeIncBasePriorityPrivilege 2384 wmic.exe Token: SeCreatePagefilePrivilege 2384 wmic.exe Token: SeBackupPrivilege 2384 wmic.exe Token: SeRestorePrivilege 2384 wmic.exe Token: SeShutdownPrivilege 2384 wmic.exe Token: SeDebugPrivilege 2384 wmic.exe Token: SeSystemEnvironmentPrivilege 2384 wmic.exe Token: SeRemoteShutdownPrivilege 2384 wmic.exe Token: SeUndockPrivilege 2384 wmic.exe Token: SeManageVolumePrivilege 2384 wmic.exe Token: 33 2384 wmic.exe Token: 34 2384 wmic.exe Token: 35 2384 wmic.exe Token: SeIncreaseQuotaPrivilege 2276 wmic.exe Token: SeSecurityPrivilege 2276 wmic.exe Token: SeTakeOwnershipPrivilege 2276 wmic.exe Token: SeLoadDriverPrivilege 2276 wmic.exe -
Suspicious use of WriteProcessMemory 28 IoCs
description pid Process procid_target PID 1732 wrote to memory of 2556 1732 65e52dca58cfd731f7956d6be27fe05b_JaffaCakes118.exe 28 PID 1732 wrote to memory of 2556 1732 65e52dca58cfd731f7956d6be27fe05b_JaffaCakes118.exe 28 PID 1732 wrote to memory of 2556 1732 65e52dca58cfd731f7956d6be27fe05b_JaffaCakes118.exe 28 PID 1732 wrote to memory of 2556 1732 65e52dca58cfd731f7956d6be27fe05b_JaffaCakes118.exe 28 PID 2556 wrote to memory of 2728 2556 bedhjggbdh.exe 29 PID 2556 wrote to memory of 2728 2556 bedhjggbdh.exe 29 PID 2556 wrote to memory of 2728 2556 bedhjggbdh.exe 29 PID 2556 wrote to memory of 2728 2556 bedhjggbdh.exe 29 PID 2556 wrote to memory of 2384 2556 bedhjggbdh.exe 32 PID 2556 wrote to memory of 2384 2556 bedhjggbdh.exe 32 PID 2556 wrote to memory of 2384 2556 bedhjggbdh.exe 32 PID 2556 wrote to memory of 2384 2556 bedhjggbdh.exe 32 PID 2556 wrote to memory of 2276 2556 bedhjggbdh.exe 34 PID 2556 wrote to memory of 2276 2556 bedhjggbdh.exe 34 PID 2556 wrote to memory of 2276 2556 bedhjggbdh.exe 34 PID 2556 wrote to memory of 2276 2556 bedhjggbdh.exe 34 PID 2556 wrote to memory of 2436 2556 bedhjggbdh.exe 36 PID 2556 wrote to memory of 2436 2556 bedhjggbdh.exe 36 PID 2556 wrote to memory of 2436 2556 bedhjggbdh.exe 36 PID 2556 wrote to memory of 2436 2556 bedhjggbdh.exe 36 PID 2556 wrote to memory of 3012 2556 bedhjggbdh.exe 38 PID 2556 wrote to memory of 3012 2556 bedhjggbdh.exe 38 PID 2556 wrote to memory of 3012 2556 bedhjggbdh.exe 38 PID 2556 wrote to memory of 3012 2556 bedhjggbdh.exe 38 PID 2556 wrote to memory of 864 2556 bedhjggbdh.exe 40 PID 2556 wrote to memory of 864 2556 bedhjggbdh.exe 40 PID 2556 wrote to memory of 864 2556 bedhjggbdh.exe 40 PID 2556 wrote to memory of 864 2556 bedhjggbdh.exe 40
Processes
-
C:\Users\Admin\AppData\Local\Temp\65e52dca58cfd731f7956d6be27fe05b_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\65e52dca58cfd731f7956d6be27fe05b_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1732 -
C:\Users\Admin\AppData\Local\Temp\bedhjggbdh.exeC:\Users\Admin\AppData\Local\Temp\bedhjggbdh.exe 3,9,8,9,3,8,6,1,8,6,2 LEdBOzorKjEqGi1QTDpHRjw3LxgpTEJLT0ZPQ0NDNSoeLDtBSlFBPjwqMTA0KxgmQEE+PCgaLU1JRztSO05eQT47Ly0sLzQYKVI9TFRCSVdMT0Q3Z2xubjcmJ2pvbihDPU1JKktHRyo5Sk8mQ0xDRhgmQERDQkNDQjpuP0pAPSo0PD1KUz5NP1JEQTUsTjRHP0cXLDwrPG5panJsZRcsPCw8JSseLDsrNCopGi48LjsqKBgmQS03LCkaLU1JRztSO05eSExHUzg7UDoYKU9KSUJSOkxWQk1GQDUaLU1JRztSO05eRjtLQjQYJkJQP15NTEo6Fyc8VT1ZQkU+SkZFPTQdJ0JOS05dP0lHTlA9TDwoGi1RPzlFSFFJVFdPUEk0GCZTRTcxGClCUCg1FyxKT01MQ0tCVk88STtJTD1DSz4+PUxPRDcfJ0NRXElNRVFBR0Q1bnByXBgmTz1OVEpIR0s+V0xQPUxePDtXUDQqFyxAQ0M9UjsuFydAUFc+WEY7S0Y6VzxLO0xYSE5DQTReWGlrXx8nPk1URURGPjxZSEg3Ly0uJig0MCgwMS8sLjAtFyxIO1E5RkpCQ1dAS0tOQERGO3FpbVwdJ05IRT87LisrLjYvMTUvKx4sO0dOS0RJQDxZUkZEPTQ0Jyw2JywuLiwiLTcpLjkrKyg+RA==2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2556 -
C:\Windows\SysWOW64\Wbem\wmic.exewmic /output:C:\Users\Admin\AppData\Local\Temp\81716349537.txt bios get serialnumber3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2728
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic /output:C:\Users\Admin\AppData\Local\Temp\81716349537.txt bios get version3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2384
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic /output:C:\Users\Admin\AppData\Local\Temp\81716349537.txt bios get version3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2276
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic /output:C:\Users\Admin\AppData\Local\Temp\81716349537.txt bios get version3⤵PID:2436
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic /output:C:\Users\Admin\AppData\Local\Temp\81716349537.txt bios get version3⤵PID:3012
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2556 -s 3683⤵
- Loads dropped DLL
- Program crash
PID:864
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
66B
MD59025468f85256136f923096b01375964
SHA17fcd174999661594fa5f88890ffb195e9858cc52
SHA256d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df
SHA51292cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51
-
Filesize
917KB
MD5e3dd5116016dd874802f8ce00b4f853e
SHA16a0f3c525c6b840540d83a74f282bb1fc367abfa
SHA2565917e2430171b9d3182980fb245e50ae2165e537d4e14b763cfb8e9e87af88f7
SHA512f8175f59390599bd53c055d4c6b349f27eaa7b8eabb57b84ecdab5c5095eadc66e751192bdba976e1bff8e18a07a033907da524037beed5d414ba913003a54b2
-
Filesize
163KB
MD52dc35ddcabcb2b24919b9afae4ec3091
SHA19eeed33c3abc656353a7ebd1c66af38cccadd939
SHA2566bbeb39747f1526752980d4dbec2fe2c7347f3cc983a79c92561b92fe472e7a1
SHA5120ccac336924f684da1f73db2dd230a0c932c5b4115ae1fa0e708b9db5e39d2a07dc54dac8d95881a42069cbb2c2886e880cdad715deda83c0de38757a0f6a901
-
Filesize
126KB
MD5691ca53c333f7121772a578c5ef52e03
SHA17b23651f694baf236804c4e53ed207bd61d73dea
SHA25667f8f5af2fd66ef7ec1dceace9b8f0fa4894dd4a2f19df181c93806700768be1
SHA5120b37221534648a9e9d0ba4b6aef978e99661fad140a79e0968330828ca5c671474aa0f25a5c7a1cad6136fdc36f2c2a8dd84a5d0b720eb971b0312dce95f91d7