Analysis
- Max time kernel: 118s
- Max time network: 120s
- Platform: windows7_x64
- Resource: win7-20240221-en
- Resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- Submitted: 30/05/2024, 01:37
Static task: static1
Behavioral task: behavioral1
- Sample: 82aa9e8a427a68b553c11638d5913936_JaffaCakes118.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 82aa9e8a427a68b553c11638d5913936_JaffaCakes118.exe
- Resource: win10v2004-20240426-en
General
- Target: 82aa9e8a427a68b553c11638d5913936_JaffaCakes118.exe
- Size: 369KB
- MD5: 82aa9e8a427a68b553c11638d5913936
- SHA1: 72f06ec1d34a390572c1103f59221a2705b5dd81
- SHA256: cc1b599b0b07ac5d514a67d18193db0e8644375026fd2f73d5c173586a7be724
- SHA512: 2481e1a07af7fff4f3660b5e4b74255a272347c976852c5d2bc0e3321d941a65d312a5431265632714136c32ce62368765c295d5c6cadad129d5574038098de9
- SSDEEP: 6144:fl4X2seg8dDGkALc04T6o4/qN6FoINK6UZeTP5/0NVIMhgei2Ct:fSXSDucd42OtygP50VIMhgei2C
Malware Config
Extracted
- Family: lokibot
- URLs:
  - http://89.34.237.212/annonymous/fre.php
  - http://kbfvzoboss.bid/alien/fre.php
  - http://alphastand.trade/alien/fre.php
  - http://alphastand.win/alien/fre.php
  - http://alphastand.top/alien/fre.php
Signatures
Drops startup file (3 IoCs)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\76e5wde677gij7dr8i.l9ZwnHQMyfPBOfEt.lnk (process: 76e5wde677gij7dr8i.exe)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\76e5wde677gij7dr8i.exe (process: 745y6et5ge44u.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\76e5wde677gij7dr8i.exe (process: 745y6et5ge44u.exe)

Executes dropped EXE (2 IoCs)
- PID 1900: 76e5wde677gij7dr8i.exe
- PID 2044: 76e5wde677gij7dr8i.exe

Loads dropped DLL (1 IoC)
- PID 1900: 76e5wde677gij7dr8i.exe

Suspicious use of SetThreadContext (1 IoC)
- PID 1900 (76e5wde677gij7dr8i.exe) set thread context of PID 2044 (procid_target 32)

Drops file in Windows directory (6 IoCs)
- File created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new (process: 745y6et5ge44u.exe)
- File created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new (process: 745y6et5ge44u.exe)
- File created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new (process: 76e5wde677gij7dr8i.exe)
- File created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new (process: 76e5wde677gij7dr8i.exe)
- File created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new (process: 82aa9e8a427a68b553c11638d5913936_JaffaCakes118.exe)
- File created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new (process: 82aa9e8a427a68b553c11638d5913936_JaffaCakes118.exe)

Enumerates physical storage devices (1 TTP)
- Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (2 IoCs)
- PID 2820: 745y6et5ge44u.exe
- PID 1900: 76e5wde677gij7dr8i.exe

Suspicious behavior: RenamesItself (1 IoC)
- PID 2924: 82aa9e8a427a68b553c11638d5913936_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
- Token: SeDebugPrivilege, PID 2924 (82aa9e8a427a68b553c11638d5913936_JaffaCakes118.exe)
- Token: SeDebugPrivilege, PID 2820 (745y6et5ge44u.exe)
- Token: SeDebugPrivilege, PID 1900 (76e5wde677gij7dr8i.exe)

Suspicious use of WriteProcessMemory (22 IoCs)
- PID 2924 (82aa9e8a427a68b553c11638d5913936_JaffaCakes118.exe) wrote to memory of PID 2820, procid_target 28 (4 events)
- PID 2820 (745y6et5ge44u.exe) wrote to memory of PID 2416, procid_target 29 (4 events)
- PID 2376 (explorer.exe) wrote to memory of PID 1900, procid_target 31 (4 events)
- PID 1900 (76e5wde677gij7dr8i.exe) wrote to memory of PID 2044, procid_target 32 (10 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\82aa9e8a427a68b553c11638d5913936_JaffaCakes118.exe (PID 2924)
  Command line: "C:\Users\Admin\AppData\Local\Temp\82aa9e8a427a68b553c11638d5913936_JaffaCakes118.exe"
  Signatures: Drops file in Windows directory; Suspicious behavior: RenamesItself; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\745y6et5ge44u.exe (PID 2820)
    Command line: "C:\Users\Admin\AppData\Local\Temp\745y6et5ge44u.exe"
    Signatures: Drops startup file; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\explorer.exe (PID 2416)
      Command line: "C:\Windows\System32\explorer.exe" /c select, C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\76e5wde677gij7dr8i.exe
- C:\Windows\explorer.exe (PID 2376)
  Command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\76e5wde677gij7dr8i.exe (PID 1900)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\76e5wde677gij7dr8i.exe"
    Signatures: Drops startup file; Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\76e5wde677gij7dr8i.exe (PID 2044)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\76e5wde677gij7dr8i.exe"
      Signatures: Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads