Analysis

max time kernel: 150s
max time network: 127s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 20/06/2024, 03:55
Static task: static1

Behavioral task: behavioral1
Sample: 0298c3946a9b87400fd7d4cf381d68f6_JaffaCakes118.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: 0298c3946a9b87400fd7d4cf381d68f6_JaffaCakes118.exe
Resource: win10v2004-20240611-en
General

Target: 0298c3946a9b87400fd7d4cf381d68f6_JaffaCakes118.exe
Size: 357KB
MD5: 0298c3946a9b87400fd7d4cf381d68f6
SHA1: a369820d21f8959044a73961979a274ce3314b36
SHA256: 977990f04007cd758cbff40fb5aa66ca546ed1ed4f8602b640205b5162399b1b
SHA512: f80d1a30ca92dac7f1bc177374f6abfbf9d69c2490ad24ec140464782485f7ec438666cbd09e47aaebffe40bd1113bb9d97d2f862cecda3b2f6a222b1f1e37c2
SSDEEP: 6144:E84mQm9nFK7Ax+LYBrtSRbIqz+WSrLGj+wvjG+qhloMHDjFN2LuPbNNi04w:MoMAxQ1bH8azq0SFN2SBw4
Malware Config
Signatures

UAC bypass (signature heading lost in extraction; name taken from the process tree below)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 043A6A5B00014973000B88E7B4EB2331.exe

Windows security bypass (signature heading lost in extraction; name taken from the process tree below)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 043A6A5B00014973000B88E7B4EB2331.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | 043A6A5B00014973000B88E7B4EB2331.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 043A6A5B00014973000B88E7B4EB2331.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 043A6A5B00014973000B88E7B4EB2331.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 043A6A5B00014973000B88E7B4EB2331.exe

Disables taskbar notifications via registry modification
(no IoC rows listed for this signature)

Deletes itself 1 IoCs
pid | Process
1840 | 043A6A5B00014973000B88E7B4EB2331.exe

Executes dropped EXE 1 IoCs
pid | Process
1840 | 043A6A5B00014973000B88E7B4EB2331.exe

Loads dropped DLL 2 IoCs
pid | Process
1952 | 0298c3946a9b87400fd7d4cf381d68f6_JaffaCakes118.exe
1952 | 0298c3946a9b87400fd7d4cf381d68f6_JaffaCakes118.exe

Windows security modification (signature heading lost in extraction; name taken from the process tree below)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 043A6A5B00014973000B88E7B4EB2331.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Security Center\svc | 043A6A5B00014973000B88E7B4EB2331.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\svc | 043A6A5B00014973000B88E7B4EB2331.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 043A6A5B00014973000B88E7B4EB2331.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 043A6A5B00014973000B88E7B4EB2331.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 043A6A5B00014973000B88E7B4EB2331.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | 043A6A5B00014973000B88E7B4EB2331.exe

Checks whether UAC is enabled (signature heading lost in extraction; name taken from the process tree below)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 043A6A5B00014973000B88E7B4EB2331.exe

Modifies registry class 22 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\043A6\shell\runas | 043A6A5B00014973000B88E7B4EB2331.exe
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.exe | 043A6A5B00014973000B88E7B4EB2331.exe
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\%s | 043A6A5B00014973000B88E7B4EB2331.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\%s\ = "043A6" | 043A6A5B00014973000B88E7B4EB2331.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\043A6\ = "Application" | 043A6A5B00014973000B88E7B4EB2331.exe
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\043A6\shell | 043A6A5B00014973000B88E7B4EB2331.exe
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\043A6\shell\start\command | 043A6A5B00014973000B88E7B4EB2331.exe
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\043A6\shell\start | 043A6A5B00014973000B88E7B4EB2331.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\043A6\shell\runas\command\ = "\"%1\" %*" | 043A6A5B00014973000B88E7B4EB2331.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\043A6\shell\runas\command\IsolatedCommand = "\"%1\" %*" | 043A6A5B00014973000B88E7B4EB2331.exe
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\043A6\shell\open | 043A6A5B00014973000B88E7B4EB2331.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\043A6\shell\open\command\IsolatedCommand = "\"%1\" %*" | 043A6A5B00014973000B88E7B4EB2331.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\043A6\shell\start\command\IsolatedCommand = "\"%1\" %*" | 043A6A5B00014973000B88E7B4EB2331.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\043A6\shell\start\command\ = "\"%1\" %*" | 043A6A5B00014973000B88E7B4EB2331.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.exe\ = "043A6" | 043A6A5B00014973000B88E7B4EB2331.exe
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\043A6 | 043A6A5B00014973000B88E7B4EB2331.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\043A6\Content Type = "application/x-msdownload" | 043A6A5B00014973000B88E7B4EB2331.exe
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\043A6\DefaultIcon | 043A6A5B00014973000B88E7B4EB2331.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\043A6\DefaultIcon\ = "%1" | 043A6A5B00014973000B88E7B4EB2331.exe
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\043A6\shell\open\command | 043A6A5B00014973000B88E7B4EB2331.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\043A6\shell\open\command\ = "\"C:\\ProgramData\\043A6A5B00014973000B88E7B4EB2331\\043A6A5B00014973000B88E7B4EB2331.exe\" -s \"%1\" %*" | 043A6A5B00014973000B88E7B4EB2331.exe
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\043A6\shell\runas\command | 043A6A5B00014973000B88E7B4EB2331.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
1952 | 0298c3946a9b87400fd7d4cf381d68f6_JaffaCakes118.exe (1 entry)
1840 | 043A6A5B00014973000B88E7B4EB2331.exe (the remaining 63 entries, all identical)

Suspicious use of FindShellTrayWindow 2 IoCs
pid | Process
1840 | 043A6A5B00014973000B88E7B4EB2331.exe
1840 | 043A6A5B00014973000B88E7B4EB2331.exe

Suspicious use of SendNotifyMessage 2 IoCs
pid | Process
1840 | 043A6A5B00014973000B88E7B4EB2331.exe
1840 | 043A6A5B00014973000B88E7B4EB2331.exe

Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
1840 | 043A6A5B00014973000B88E7B4EB2331.exe
1840 | 043A6A5B00014973000B88E7B4EB2331.exe

Suspicious use of WriteProcessMemory 4 IoCs
description | pid | Process | procid_target
PID 1952 wrote to memory of 1840 | 1952 | 0298c3946a9b87400fd7d4cf381d68f6_JaffaCakes118.exe | 28
PID 1952 wrote to memory of 1840 | 1952 | 0298c3946a9b87400fd7d4cf381d68f6_JaffaCakes118.exe | 28
PID 1952 wrote to memory of 1840 | 1952 | 0298c3946a9b87400fd7d4cf381d68f6_JaffaCakes118.exe | 28
PID 1952 wrote to memory of 1840 | 1952 | 0298c3946a9b87400fd7d4cf381d68f6_JaffaCakes118.exe | 28

System policy modification 1 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 043A6A5B00014973000B88E7B4EB2331.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\0298c3946a9b87400fd7d4cf381d68f6_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\0298c3946a9b87400fd7d4cf381d68f6_JaffaCakes118.exe"
   PID: 1952
   - Loads dropped DLL
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

   2. C:\ProgramData\043A6A5B00014973000B88E7B4EB2331\043A6A5B00014973000B88E7B4EB2331.exe (child of PID 1952)
      Command line: "C:\ProgramData\043A6A5B00014973000B88E7B4EB2331\043A6A5B00014973000B88E7B4EB2331.exe" -d "C:\Users\Admin\AppData\Local\Temp\0298c3946a9b87400fd7d4cf381d68f6_JaffaCakes118.exe"
      PID: 1840
      - UAC bypass
      - Windows security bypass
      - Deletes itself
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx
      - System policy modification
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
Filesize: 328B
MD5: 89a8eb36606b45228ebdf58ee09d26aa
SHA1: cb6d743ee0c53647ca647e865823ab93de72e571
SHA256: 2006ad6213e6f7d138914c1fc3a1787792cb51a4601a4c27241e17e1ade8f198
SHA512: f80178d52a81cb18e6ed1f247a6280bf98867884d9f9f3fb8a026f999099975730a6f10477e64d86f55361f8dd2d960c3cc356ea3854d3e6b193fa3aea1b00fc

File 2 (hashes identical to the submitted sample)
Filesize: 357KB
MD5: 0298c3946a9b87400fd7d4cf381d68f6
SHA1: a369820d21f8959044a73961979a274ce3314b36
SHA256: 977990f04007cd758cbff40fb5aa66ca546ed1ed4f8602b640205b5162399b1b
SHA512: f80d1a30ca92dac7f1bc177374f6abfbf9d69c2490ad24ec140464782485f7ec438666cbd09e47aaebffe40bd1113bb9d97d2f862cecda3b2f6a222b1f1e37c2