Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 100s
max time network: 149s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 14/06/2024, 09:00
Static task: static1
Behavioral task: behavioral1
  Sample: a8db020bc02e6fbcaac5aeb301cdc38e_JaffaCakes118.vbs
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: a8db020bc02e6fbcaac5aeb301cdc38e_JaffaCakes118.vbs
  Resource: win10v2004-20240226-en
General
Target: a8db020bc02e6fbcaac5aeb301cdc38e_JaffaCakes118.vbs
Size: 497KB
MD5: a8db020bc02e6fbcaac5aeb301cdc38e
SHA1: db5088a363771d518572fdf0e9b4c62f70314251
SHA256: 1816a9023320b892c54fc1abdc4ba3177ae9ecee4f145efa71d290b357eb1061
SHA512: 50eb95130a192ef4c622007cf6075bbbdcddd80b81298136c9f1ccaecf7e2b8f71474e3d2a5de178e81b9a76a54edb1d65a7951992db4c240590f50ed88e7a9b
SSDEEP: 384:WRWRQ2wCLNka39k5/8xd9f3K2qIVT4CzztUakZN7llfR:lRMo39k5kxvf3K2LVrtUnR
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  pid 2152, process MSBuild.exe
Drops file in System32 directory (1 IoC)
  File opened for modification: C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk (process: powershell.exe)
Suspicious use of SetThreadContext (1 IoC)
  PID 108 set thread context of 2152 (pid 108, process powershell.exe, procid_target 37)
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid 2544, process schtasks.exe
Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid 108, process powershell.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege (pid 108, process powershell.exe)
Suspicious use of WriteProcessMemory (18 IoCs)
  PID 2044 wrote to memory of 2544 (pid 2044, process WScript.exe, procid_target 28)
  PID 2044 wrote to memory of 2544 (pid 2044, process WScript.exe, procid_target 28)
  PID 2044 wrote to memory of 2544 (pid 2044, process WScript.exe, procid_target 28)
  PID 1696 wrote to memory of 2588 (pid 1696, process taskeng.exe, procid_target 33)
  PID 1696 wrote to memory of 2588 (pid 1696, process taskeng.exe, procid_target 33)
  PID 1696 wrote to memory of 2588 (pid 1696, process taskeng.exe, procid_target 33)
  PID 2588 wrote to memory of 108 (pid 2588, process WScript.exe, procid_target 35)
  PID 2588 wrote to memory of 108 (pid 2588, process WScript.exe, procid_target 35)
  PID 2588 wrote to memory of 108 (pid 2588, process WScript.exe, procid_target 35)
  PID 108 wrote to memory of 2152 (pid 108, process powershell.exe, procid_target 37)
  PID 108 wrote to memory of 2152 (pid 108, process powershell.exe, procid_target 37)
  PID 108 wrote to memory of 2152 (pid 108, process powershell.exe, procid_target 37)
  PID 108 wrote to memory of 2152 (pid 108, process powershell.exe, procid_target 37)
  PID 108 wrote to memory of 2152 (pid 108, process powershell.exe, procid_target 37)
  PID 108 wrote to memory of 2152 (pid 108, process powershell.exe, procid_target 37)
  PID 108 wrote to memory of 2152 (pid 108, process powershell.exe, procid_target 37)
  PID 108 wrote to memory of 2152 (pid 108, process powershell.exe, procid_target 37)
  PID 108 wrote to memory of 2152 (pid 108, process powershell.exe, procid_target 37)
Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
WScript.exe (PID 2044), depth 1
  Image: C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a8db020bc02e6fbcaac5aeb301cdc38e_JaffaCakes118.vbs"
  Signatures: Suspicious use of WriteProcessMemory
  schtasks.exe (PID 2544), depth 2
    Image: C:\Windows\System32\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 1 /tn jamqzjc8fk /tr C:\Users\Admin\AppData\Roaming\ym66w.vbs
    Signatures: Creates scheduled task(s)
taskeng.exe (PID 1696), depth 1
  Image: C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {64FA25FF-B908-41EA-AF92-DB8DD78511E9} S-1-5-21-1298544033-3225604241-2703760938-1000:IZKCKOTP\Admin:Interactive:[1]
  Signatures: Suspicious use of WriteProcessMemory
  WScript.exe (PID 2588), depth 2
    Image: C:\Windows\System32\WScript.exe
    Command line: C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\ym66w.vbs"
    Signatures: Suspicious use of WriteProcessMemory
    powershell.exe (PID 108), depth 3
      Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      Signatures: Drops file in System32 directory; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      MSBuild.exe (PID 2152), depth 4
        Image: C:\Users\Admin\AppData\Roaming\MSBuild.exe
        Command line: "C:\Users\Admin\AppData\Roaming\MSBuild.exe"
        Signatures: Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
  Filesize: 68KB
  MD5: 1f13cd7f1ecb2a7bcc1ff5e287b7eb2e
  SHA1: 8a0cdee8b4dc946a18f5063f2049ab992ee628df
  SHA256: 6adc88fc0a0e108851909618442c03f57cdfc20f6db4ee88b84c0caf420f991f
  SHA512: b183ccae47db12902fb848fa56fe219992aaaccbf9194e6e9681b63ad1d931528ad4e3f26aa3a5e6182ac51a01f34629034a4c1e3fad510070cf5d682df741a4
File 2
  Filesize: 3KB
  MD5: faa709a80f2a25ec364bc2c50cc69b64
  SHA1: a8e6d0b246c269837e770e32479480afad642fa9
  SHA256: 9125b2874508060b55a10f0f6df7ecc37c8a5546ec6403cf76cdc8a04cdfaa37
  SHA512: 91c765733bb6c39517b571a010374681cf6e74de9931a9aa1a7413ccec70706f00bf63aadeebde4f74ccf9ad247f7634844eef631f10b463fd9b3eb13cccd2ce