Analysis
- max time kernel: 142s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240220-en
- resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
- submitted: 24/06/2024, 00:44
Behavioral task: behavioral1
- Sample: 05d7368f45843a53ea250260a936020b_JaffaCakes118.exe
- Resource: win7-20240220-en
Behavioral task: behavioral2
- Sample: 05d7368f45843a53ea250260a936020b_JaffaCakes118.exe
- Resource: win10v2004-20240508-en
General
- Target: 05d7368f45843a53ea250260a936020b_JaffaCakes118.exe
- Size: 1.1MB
- MD5: 05d7368f45843a53ea250260a936020b
- SHA1: 5eefa152c6e9cf9131694ac445c20bb1dfdaffeb
- SHA256: ceffd78a821d7cc8108d59cd70b2c4ac0d96602f0cf32269679d22b54718a8fd
- SHA512: 6d12764137824a371967c3c7df8f02c48f05fc78fa45acaa11991b87ed92eed6061248108320ab12f694bdd6e2d67357dbbf5ef6bc96fbc6f4e8c9cc1c0287f2
- SSDEEP: 24576:Ktcl2DG/Ix17oS+4OmwS4Luiyk9tNp4nY/kaGY+gF2tYSuaCZvmWR20kn:KBin4NwSLRk/4Y/jGYctnCZuFbn
Malware Config
Signatures
- Loads dropped DLL (3 IoCs)
  pid   Process
  1976  05d7368f45843a53ea250260a936020b_JaffaCakes118.exe
  1976  05d7368f45843a53ea250260a936020b_JaffaCakes118.exe
  1976  05d7368f45843a53ea250260a936020b_JaffaCakes118.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  - Set value (str): \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSNShell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\05d7368f45843a53ea250260a936020b_JaffaCakes118.exe" (process: 05d7368f45843a53ea250260a936020b_JaffaCakes118.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSNShell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSNShell.exe" (process: 05d7368f45843a53ea250260a936020b_JaffaCakes118.exe)
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops file in Windows directory (2 IoCs)
  - File created: C:\Windows\msnshell.UNinstall.exe (process: 05d7368f45843a53ea250260a936020b_JaffaCakes118.exe)
  - File opened for modification: C:\Windows\msnshell.UNinstall.exe (process: 05d7368f45843a53ea250260a936020b_JaffaCakes118.exe)
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid   Process
  1976  05d7368f45843a53ea250260a936020b_JaffaCakes118.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  pid   Process
  1976  05d7368f45843a53ea250260a936020b_JaffaCakes118.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\05d7368f45843a53ea250260a936020b_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\05d7368f45843a53ea250260a936020b_JaffaCakes118.exe"
  PID: 1976
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads