Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
25/06/2024, 14:24
Static task
static1
Behavioral task
behavioral1
Sample
0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
Resource
win10v2004-20240508-en
General
-
Target
0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
-
Size
407KB
-
MD5
0e678cc7200d5237b10aed249321fde1
-
SHA1
3652ab54bd034fdc49bcfd5f5ecdc65ec0c4c127
-
SHA256
c4ddc309d779a97ee858a7a2d51b00d1b4e6520936ba286ce5d9df95568788ea
-
SHA512
fa448066c5cf2f153c23b2ac955d69d673b64a94c90cbc2f4433b0b47cacbde70d3d8ba9d9214f016cb13e5ebd0b91ef6c7faa49b2ba30b4f5aad7c7c446a78b
-
SSDEEP
12288:ug0Cq6x4aIhpJIew5rzWZfb6YkOVYGXKmRjVNW:uyfsJezoxkOVim
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\ProgramData\\bG20302KnHeE20302\\bG20302KnHeE20302.exe" 0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe -
Deletes itself 1 IoCs
pid Process 1532 bG20302KnHeE20302.exe -
Executes dropped EXE 1 IoCs
pid Process 1532 bG20302KnHeE20302.exe -
Loads dropped DLL 2 IoCs
pid Process 616 0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe 616 0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe -
resource yara_rule behavioral1/memory/616-1-0x0000000000400000-0x00000000004CC000-memory.dmp upx behavioral1/memory/616-80-0x0000000000400000-0x00000000004CC000-memory.dmp upx behavioral1/memory/616-101-0x0000000000400000-0x00000000004CC000-memory.dmp upx behavioral1/memory/1532-104-0x0000000000400000-0x00000000004CC000-memory.dmp upx -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\bG20302KnHeE20302 = "C:\\ProgramData\\bG20302KnHeE20302\\bG20302KnHeE20302.exe" bG20302KnHeE20302.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 616 0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe 616 0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe 616 0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe 616 0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe 616 0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe 616 0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe 616 0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe 616 0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe 616 0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe 616 0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe 616 0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe 616 0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe 616 0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe 616 0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe 616 0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe 616 0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe 616 0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe 616 0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe 616 0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe 616 0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe 616 0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe 616 0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe 616 0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe 616 0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe 616 0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe 616 0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe 616 0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe 616 0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe 616 0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe 616 0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe 616 0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe 616 0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe 616 0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe 616 0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe 616 0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe 616 0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe 616 0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe 616 0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe 616 0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe 616 0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe 616 0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe 616 0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe 616 0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe 616 0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe 616 0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe 616 0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe 616 0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe 616 0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe 616 0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe 616 0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe 616 0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe 616 0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe 616 0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe 616 0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe 616 0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe 616 0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe 616 0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe 616 0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe 616 0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe 616 0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe 616 0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe 616 0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe 616 0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe 616 0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 616 0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe Token: SeDebugPrivilege 1532 bG20302KnHeE20302.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 616 wrote to memory of 1532 616 0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe 32 PID 616 wrote to memory of 1532 616 0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe 32 PID 616 wrote to memory of 1532 616 0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe 32 PID 616 wrote to memory of 1532 616 0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe 32
Processes
-
C:\Users\Admin\AppData\Local\Temp\0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe"1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:616 -
C:\ProgramData\bG20302KnHeE20302\bG20302KnHeE20302.exe"C:\ProgramData\bG20302KnHeE20302\bG20302KnHeE20302.exe" "C:\Users\Admin\AppData\Local\Temp\0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe"2⤵
- Deletes itself
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:1532
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
208B
MD52bbc0afc468ef985ee861b9af300f4d5
SHA1f08fc4d7e6daf7b2c51b7fee199e3582a19dbffc
SHA25618cd868dee81ff4b25014c2902cb871abcf2c8d57f7192ed0eec831f497034be
SHA512c19662cc9d7cf5a124ab8df3c9900ae59c621e533b1b56a75060acf64b229326787a883a12a67f52a9f2498c224af51e37d17113d8c79a30030d75b1a3860888
-
Filesize
407KB
MD5d50d8cad282b9ee92221b52ade6f802d
SHA1e2725d8a983999328f78e3fa4c870bb1a8503cc8
SHA256286163a2c99144bcb32789ae40bfd54e05fe74f1faa4e8b2e7d595710b707e22
SHA51232352f94f03127457803f7d2961fa535e0d5500300dc5f06950e18db60ea7d71113434a3c8724cfd2e00508653808717b8ca33bb44fddc2ecd07d46d65ea2deb