Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
148s -
max time network
146s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
12/06/2024, 08:08
Static task
static1
Behavioral task
behavioral1
Sample
9ffa193108a51cbc901ffb13a07d70a8_JaffaCakes118.exe
Resource
win7-20240221-en
General
-
Target
9ffa193108a51cbc901ffb13a07d70a8_JaffaCakes118.exe
-
Size
271KB
-
MD5
9ffa193108a51cbc901ffb13a07d70a8
-
SHA1
7e74cc4561d7b6acd8a5f82e8ed0d0a71813b434
-
SHA256
27721c21711b0a8f2ae1d1e1187cf7f61db114255c824d4f26609f291ef35f49
-
SHA512
99d0d7cf9e979e6c2ba3eaa9f0d12b1f665feca0eaf07d18316e3ff25acf0f372717eb648fd734fa766de83b0a38662275e68a01eb91bcc110ba7d733818c1d4
-
SSDEEP
6144:ocSjxuf1/mO100DbkOiT+ZKyA8pCnjNKWA3OzA7S2XQjQhQwD:+oloWklsRWjHA3frqJwD
Malware Config
Signatures
-
Modifies firewall policy service 2 TTPs 4 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile explorer.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" explorer.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile explorer.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" explorer.exe -
Sets file execution options in registry 2 TTPs 4 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wu995my5337k.exe Temprihanna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wu995my5337k.exe\DisableExceptionChainValidation Temprihanna.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "afng.exe" explorer.exe -
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorer.exe -
Executes dropped EXE 1 IoCs
pid Process 2532 Temprihanna.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Importan Updatre 3.0 = "C:\\ProgramData\\Importan Updatre 3.0\\wu995my5337k.exe" explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Importan Updatre 3.0 = "\"C:\\ProgramData\\Importan Updatre 3.0\\wu995my5337k.exe\"" explorer.exe -
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Temprihanna.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs
pid Process 2532 Temprihanna.exe 2568 explorer.exe 2568 explorer.exe 2568 explorer.exe 2568 explorer.exe 2568 explorer.exe 2568 explorer.exe 2568 explorer.exe 2568 explorer.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Temprihanna.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString Temprihanna.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 explorer.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString explorer.exe -
Enumerates system info in registry 2 TTPs 2 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS explorer.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer explorer.exe -
Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" explorer.exe -
Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" explorer.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main explorer.exe -
Suspicious behavior: EnumeratesProcesses 16 IoCs
pid Process 2568 explorer.exe 2568 explorer.exe 2568 explorer.exe 2568 explorer.exe 2568 explorer.exe 2568 explorer.exe 2568 explorer.exe 2568 explorer.exe 2568 explorer.exe 2568 explorer.exe 2568 explorer.exe 2568 explorer.exe 2568 explorer.exe 2568 explorer.exe 2568 explorer.exe 2568 explorer.exe -
Suspicious behavior: MapViewOfSection 4 IoCs
pid Process 2532 Temprihanna.exe 2532 Temprihanna.exe 2568 explorer.exe 2568 explorer.exe -
Suspicious use of AdjustPrivilegeToken 31 IoCs
description pid Process Token: SeDebugPrivilege 756 9ffa193108a51cbc901ffb13a07d70a8_JaffaCakes118.exe Token: 33 756 9ffa193108a51cbc901ffb13a07d70a8_JaffaCakes118.exe Token: SeIncBasePriorityPrivilege 756 9ffa193108a51cbc901ffb13a07d70a8_JaffaCakes118.exe Token: SeDebugPrivilege 2532 Temprihanna.exe Token: SeRestorePrivilege 2532 Temprihanna.exe Token: SeBackupPrivilege 2532 Temprihanna.exe Token: SeLoadDriverPrivilege 2532 Temprihanna.exe Token: SeCreatePagefilePrivilege 2532 Temprihanna.exe Token: SeShutdownPrivilege 2532 Temprihanna.exe Token: SeTakeOwnershipPrivilege 2532 Temprihanna.exe Token: SeChangeNotifyPrivilege 2532 Temprihanna.exe Token: SeCreateTokenPrivilege 2532 Temprihanna.exe Token: SeMachineAccountPrivilege 2532 Temprihanna.exe Token: SeSecurityPrivilege 2532 Temprihanna.exe Token: SeAssignPrimaryTokenPrivilege 2532 Temprihanna.exe Token: SeCreateGlobalPrivilege 2532 Temprihanna.exe Token: 33 2532 Temprihanna.exe Token: SeDebugPrivilege 2568 explorer.exe Token: SeRestorePrivilege 2568 explorer.exe Token: SeBackupPrivilege 2568 explorer.exe Token: SeLoadDriverPrivilege 2568 explorer.exe Token: SeCreatePagefilePrivilege 2568 explorer.exe Token: SeShutdownPrivilege 2568 explorer.exe Token: SeTakeOwnershipPrivilege 2568 explorer.exe Token: SeChangeNotifyPrivilege 2568 explorer.exe Token: SeCreateTokenPrivilege 2568 explorer.exe Token: SeMachineAccountPrivilege 2568 explorer.exe Token: SeSecurityPrivilege 2568 explorer.exe Token: SeAssignPrimaryTokenPrivilege 2568 explorer.exe Token: SeCreateGlobalPrivilege 2568 explorer.exe Token: 33 2568 explorer.exe -
Suspicious use of WriteProcessMemory 23 IoCs
description pid Process procid_target PID 756 wrote to memory of 2532 756 9ffa193108a51cbc901ffb13a07d70a8_JaffaCakes118.exe 28 PID 756 wrote to memory of 2532 756 9ffa193108a51cbc901ffb13a07d70a8_JaffaCakes118.exe 28 PID 756 wrote to memory of 2532 756 9ffa193108a51cbc901ffb13a07d70a8_JaffaCakes118.exe 28 PID 756 wrote to memory of 2532 756 9ffa193108a51cbc901ffb13a07d70a8_JaffaCakes118.exe 28 PID 2532 wrote to memory of 2568 2532 Temprihanna.exe 29 PID 2532 wrote to memory of 2568 2532 Temprihanna.exe 29 PID 2532 wrote to memory of 2568 2532 Temprihanna.exe 29 PID 2532 wrote to memory of 2568 2532 Temprihanna.exe 29 PID 2532 wrote to memory of 2568 2532 Temprihanna.exe 29 PID 2532 wrote to memory of 2568 2532 Temprihanna.exe 29 PID 2532 wrote to memory of 2568 2532 Temprihanna.exe 29 PID 2568 wrote to memory of 1168 2568 explorer.exe 20 PID 2568 wrote to memory of 1168 2568 explorer.exe 20 PID 2568 wrote to memory of 1168 2568 explorer.exe 20 PID 2568 wrote to memory of 1168 2568 explorer.exe 20 PID 2568 wrote to memory of 1168 2568 explorer.exe 20 PID 2568 wrote to memory of 1168 2568 explorer.exe 20 PID 2568 wrote to memory of 1196 2568 explorer.exe 21 PID 2568 wrote to memory of 1196 2568 explorer.exe 21 PID 2568 wrote to memory of 1196 2568 explorer.exe 21 PID 2568 wrote to memory of 1196 2568 explorer.exe 21 PID 2568 wrote to memory of 1196 2568 explorer.exe 21 PID 2568 wrote to memory of 1196 2568 explorer.exe 21
Processes
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵PID:1168
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:1196
-
C:\Users\Admin\AppData\Local\Temp\9ffa193108a51cbc901ffb13a07d70a8_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\9ffa193108a51cbc901ffb13a07d70a8_JaffaCakes118.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:756 -
C:\Users\Admin\AppData\Local\Temprihanna.exe"C:\Users\Admin\AppData\Local\Temprihanna.exe"3⤵
- Sets file execution options in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2532 -
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe4⤵
- Modifies firewall policy service
- Sets file execution options in registry
- Checks BIOS information in registry
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2568
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
197KB
MD5852c69a76a091643ee58ff2b038c540a
SHA10f06f7191746fa1b788b25b63e907f0b5655c29a
SHA256a7094c7edfced8a28eee60330c270f8d9c5ab34d663aa565ac6591840a7b742a
SHA512d00f3166487ff1762a828fbdf3c20788999747efb23b72fb0d080d031d38929b6ea392af7342aac53c577f07dc1e17e1bdee40b7e3df845324275d6d3b316c8b