Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 119s
max time network: 120s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 25/05/2024, 12:54
Static task: static1
Behavioral task: behavioral1
  Sample: 72046c4ae25663e1036c7fa456d86ae5_JaffaCakes118.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 72046c4ae25663e1036c7fa456d86ae5_JaffaCakes118.exe
  Resource: win10v2004-20240426-en
General
Target: 72046c4ae25663e1036c7fa456d86ae5_JaffaCakes118.exe
Size: 44KB
MD5: 72046c4ae25663e1036c7fa456d86ae5
SHA1: f03d8a72358676b0233d0d40f855169ab7c0ed28
SHA256: 0e45674b77ce89b9f7fb84bfa4fd9efae1056e3b8e1619266e7eae4d693ba090
SHA512: 5ee0218052682657764f40d65f41b21f95b186e643a20b5113575b388a26984271f96f1c9bdd1a0d073b636ae5d187228ce4f4920a591a23fcde6bcc562210e0
SSDEEP: 768:GPGkubVwHyysrrrrrrrZMCAWI+8nCaVNV/IPZ:GObiyFrrrrrrrZvAxvbjVUZ
Malware Config
Signatures
ACProtect 1.3x - 1.4x DLL software  1 IoCs
Detects file using ACProtect software.
  resource: behavioral1/files/0x003600000001489f-3.dat  yara_rule: acprotect
Deletes itself  1 IoCs
  pid: 2552  Process: cmd.exe
Loads dropped DLL  1 IoCs
  pid: 2432  Process: 72046c4ae25663e1036c7fa456d86ae5_JaffaCakes118.exe
  resource: behavioral1/files/0x003600000001489f-3.dat  yara_rule: upx
  resource: behavioral1/memory/2432-5-0x0000000010000000-0x0000000010011000-memory.dmp  yara_rule: upx
  resource: behavioral1/memory/2432-7-0x0000000010000000-0x0000000010011000-memory.dmp  yara_rule: upx
Drops file in System32 directory  1 IoCs
  description: File opened for modification  ioc: C:\Windows\SysWOW64\rfpz9wwyy2np.dll  Process: 72046c4ae25663e1036c7fa456d86ae5_JaffaCakes118.exe
Drops file in Windows directory  1 IoCs
  description: File opened for modification  ioc: C:\Windows\fOnts\vztr58qstaca8y8j.Ttf  Process: 72046c4ae25663e1036c7fa456d86ae5_JaffaCakes118.exe
Enumerates physical storage devices  1 TTPs
Attempts to interact with connected storage/optical drive(s).
Modifies registry class  7 IoCs
  (all entries: Process 72046c4ae25663e1036c7fa456d86ae5_JaffaCakes118.exe)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLsID
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5405A7B2-F3F5-446F-8715-2A4EF674E079}
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5405A7B2-F3F5-446F-8715-2A4EF674E079}\InprocServer32
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5405A7B2-F3F5-446F-8715-2A4EF674E079}\InprocServer32\ = "C:\\Windows\\SysWow64\\rfpz9wwyy2np.dll"
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5405A7B2-F3F5-446F-8715-2A4EF674E079}\InprocServer32\ThreadingModel = "Apartment"
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLsID\{5405A7B2-F3F5-446F-8715-2A4EF674E079}\InprocServer32
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node
Suspicious behavior: EnumeratesProcesses  3 IoCs
  pid: 2432  Process: 72046c4ae25663e1036c7fa456d86ae5_JaffaCakes118.exe  (3 identical entries)
Suspicious use of AdjustPrivilegeToken  64 IoCs
  description: Token: SeDebugPrivilege  pid: 2432  Process: 72046c4ae25663e1036c7fa456d86ae5_JaffaCakes118.exe  (64 identical entries)
Suspicious use of SetWindowsHookEx  1 IoCs
  pid: 2432  Process: 72046c4ae25663e1036c7fa456d86ae5_JaffaCakes118.exe
Suspicious use of WriteProcessMemory  4 IoCs
  description: PID 2432 wrote to memory of 2552  pid: 2432  Process: 72046c4ae25663e1036c7fa456d86ae5_JaffaCakes118.exe  procid_target: 28  (4 identical entries)
Processes
C:\Users\Admin\AppData\Local\Temp\72046c4ae25663e1036c7fa456d86ae5_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\72046c4ae25663e1036c7fa456d86ae5_JaffaCakes118.exe"
  PID: 2432
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe (child of PID 2432)
    Command line: "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\72046C~1.EXE >> NUL
    PID: 2552
    - Deletes itself
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 18KB
MD5: cd0dfdc63359c1612837042b7719e02c
SHA1: 348edd8d2ef28693a650f972033b9c041f861a36
SHA256: 26b7ce7df65bfb1c2588a6acf5ddd819e319a924ec684233f91bb705f951eb1d
SHA512: 8850f8f41b7eff96002cee0208dd451e7367ca4651e50aad52b999bf41abf8e60b6406b8c2d2d4305790fb92ce9a077c478c7998b26eee90f2257507690ed43e