Analysis
max time kernel: 26s
max time network: 17s
platform: windows7_x64
resource: win7-20240611-en
resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
submitted: 25/06/2024, 16:35
Behavioral task: behavioral1
Sample: 0ec5f56552d447af0d63913d3803af6a_JaffaCakes118.exe
Resource: win7-20240611-en
Behavioral task: behavioral2
Sample: 0ec5f56552d447af0d63913d3803af6a_JaffaCakes118.exe
Resource: win10v2004-20240611-en
General
Target: 0ec5f56552d447af0d63913d3803af6a_JaffaCakes118.exe
Size: 723KB
MD5: 0ec5f56552d447af0d63913d3803af6a
SHA1: fd034ed363556c2f5ae1b067b1b8c6754bc59286
SHA256: 26141b1fba30a2e8c7fac7a3e313ceae8ab145dc37c09018cb71a9e9adde21bb
SHA512: f32cb6bd7eab7e8ffde12374e30136263922a52b93d48e6eba924c81084374e5afc194b6550e6976d2e10ffe8988741bfc173959ec0a4c6da2a50329c9b0800f
SSDEEP: 12288:QFLlJnnbWOtz6sVJhvaz1Qc/WdI//vfM4qwrbkniafLo6vUTyl0w/q9jJS:A3nbWmJVJFwSddIXvfhqbiaxvRxq9Y
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | 0ec5f56552d447af0d63913d3803af6a_JaffaCakes118.exe
Modifies firewall policy service 3 TTPs 6 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | iexplore.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | iexplore.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" | iexplore.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | msdcsc.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | msdcsc.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" | msdcsc.exe
Modifies security service 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | msdcsc.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | iexplore.exe
Windows security bypass
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | iexplore.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | iexplore.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | msdcsc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | msdcsc.exe
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
pid | Process
2668 | attrib.exe
2660 | attrib.exe
Executes dropped EXE 1 IoCs
pid | Process
2820 | msdcsc.exe
Loads dropped DLL 2 IoCs
pid | Process
2172 | 0ec5f56552d447af0d63913d3803af6a_JaffaCakes118.exe
2172 | 0ec5f56552d447af0d63913d3803af6a_JaffaCakes118.exe
Windows security modification
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | msdcsc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | msdcsc.exe
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | 0ec5f56552d447af0d63913d3803af6a_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | msdcsc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | iexplore.exe
Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 2820 set thread context of 2804 | 2820 | msdcsc.exe | 35
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Suspicious use of AdjustPrivilegeToken 64 IoCs
Token | pid | Process (grouped by process; 23 + 23 + 18 rows)
PID 2172, 0ec5f56552d447af0d63913d3803af6a_JaffaCakes118.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
PID 2820, msdcsc.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
PID 2804, iexplore.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege
Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
2804 | iexplore.exe
Suspicious use of WriteProcessMemory 26 IoCs
description | pid | Process | procid_target (identical rows collapsed with their count)
PID 2172 wrote to memory of 2908 | 2172 | 0ec5f56552d447af0d63913d3803af6a_JaffaCakes118.exe | 28 (4 rows)
PID 2172 wrote to memory of 2748 | 2172 | 0ec5f56552d447af0d63913d3803af6a_JaffaCakes118.exe | 30 (4 rows)
PID 2748 wrote to memory of 2668 | 2748 | cmd.exe | 33 (4 rows)
PID 2908 wrote to memory of 2660 | 2908 | cmd.exe | 32 (4 rows)
PID 2172 wrote to memory of 2820 | 2172 | 0ec5f56552d447af0d63913d3803af6a_JaffaCakes118.exe | 34 (4 rows)
PID 2820 wrote to memory of 2804 | 2820 | msdcsc.exe | 35 (6 rows)
System policy modification 1 TTPs 3 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion | msdcsc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern | msdcsc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" | msdcsc.exe
Views/modifies file attributes 1 TTPs 2 IoCs
pid | Process
2668 | attrib.exe
2660 | attrib.exe
Processes
[depth 1] C:\Users\Admin\AppData\Local\Temp\0ec5f56552d447af0d63913d3803af6a_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\0ec5f56552d447af0d63913d3803af6a_JaffaCakes118.exe"
    PID: 2172
    - Modifies WinLogon for persistence
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  [depth 2] C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
      PID: 2908
      - Suspicious use of WriteProcessMemory
    [depth 3] C:\Windows\SysWOW64\attrib.exe
        Command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        PID: 2660
        - Sets file to hidden
        - Views/modifies file attributes
  [depth 2] C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
      PID: 2748
      - Suspicious use of WriteProcessMemory
    [depth 3] C:\Windows\SysWOW64\attrib.exe
        Command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        PID: 2668
        - Sets file to hidden
        - Views/modifies file attributes
  [depth 2] C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
      Command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
      PID: 2820
      - Modifies firewall policy service
      - Modifies security service
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification
    [depth 3] C:\Program Files (x86)\Internet Explorer\iexplore.exe
        Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
        PID: 2804
        - Modifies firewall policy service
        - Modifies security service
        - Windows security bypass
        - Adds Run key to start application
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (2)
  - Windows Service (2)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (2)
  - Windows Service (2)
Downloads
Filesize: 101B
MD5: 0a8555b45c92c422601e2cb03030fb95
SHA1: f193829935017f26fa2b18d010e8b2976eabfbef
SHA256: 65869b52b64dc15a724eec22ba25c4ef17e01db48b125b96558ffe3c49aaba59
SHA512: 3a3c06140c4efabd63517685c13675eee91813aaf89dfd5961e60543510b761f3d1e308bcfa2c1660c78b96de033c438f2135962be5b6e30db023c784bbc88f8

Filesize: 50B
MD5: b774ae3fb1da087e1f83b4f7b2060e5a
SHA1: 97eb9be49ac3af9c851c9e1e84e32bfd53e325a8
SHA256: adaf4a84b41e410b02e261cfd0fe7739d98647eab73c3badd32ac6e39f26351b
SHA512: f75d0f95f7306d26a12b414bfe37b97fbd37546cb3c6e403def7077329ddffb4b45d5c5f0ba0e7bb6d72851d2d691b0a85267beead42f7cbf2e8c3d45a3b4701

Filesize: 723KB
MD5: 0ec5f56552d447af0d63913d3803af6a
SHA1: fd034ed363556c2f5ae1b067b1b8c6754bc59286
SHA256: 26141b1fba30a2e8c7fac7a3e313ceae8ab145dc37c09018cb71a9e9adde21bb
SHA512: f32cb6bd7eab7e8ffde12374e30136263922a52b93d48e6eba924c81084374e5afc194b6550e6976d2e10ffe8988741bfc173959ec0a4c6da2a50329c9b0800f