Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 150s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240611-en
- resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
- submitted: 26/06/2024, 22:19
Static task: static1
Behavioral task: behavioral1
  Sample: 13ad479f43406e00dd2eb7599be31527_JaffaCakes118.exe
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: 13ad479f43406e00dd2eb7599be31527_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
- Target: 13ad479f43406e00dd2eb7599be31527_JaffaCakes118.exe
- Size: 239KB
- MD5: 13ad479f43406e00dd2eb7599be31527
- SHA1: 5aaf553aee6b73fe0f46f74987101647b002706a
- SHA256: 0d1dc5f2f30c132fa08fb762029057458f71c115c71eae8184e45a87e2607353
- SHA512: 44fcbc5081c0dde42828c2a6fcc4fb79a936253a6788de4809e98502df82c75dbd48ae315c753461b194bf1f98986fa9b6fea89ca0c6ae59bb3691fa1da303b2
- SSDEEP: 3072:A7mXb6igvd+2s7OBRgaPee7Ly2+XysjmyzSu8GSp0G2Rc+jUoC+:Amb6igk1O/gpe7GP5jSRucY
Malware Config
Signatures
-
Modifies firewall policy service 3 TTPs 1 IoCs
  Set value (str) by scss.exe:
  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\scss.exe = "C:\\Windows\\scss.exe:*:Enabled:Microsoft Windows Update Platform"
-
Deletes itself 1 IoCs
  PID 2612 cmd.exe
-
Executes dropped EXE 4 IoCs
  PID 3052 svcchost.exe
  PID 2116 exploree.exe
  PID 2668 hsl.exe
  PID 2572 scss.exe
-
Impair Defenses: Safe Mode Boot 1 TTPs 3 IoCs
  Key deleted by REG.exe:
  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power
  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc
  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend
-
yara_rule upx 3 IoCs (memory dumps of PID 3052, svcchost.exe)
  behavioral1/memory/3052-25-0x0000000000400000-0x000000000041E000-memory.dmp
  behavioral1/memory/3052-23-0x0000000000400000-0x000000000041E000-memory.dmp
  behavioral1/memory/3052-75-0x0000000000400000-0x000000000041E000-memory.dmp
-
Adds Run key to start application 2 TTPs 2 IoCs
  Set value (str) by svcchost.exe:
  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SDKhlpUser = "C:\\Windows\\svcchost.exe"
  Set value (str) by scss.exe:
  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\systme = "C:\\WINDOWS\\system32\\scss.exe"
-
Drops file in Windows directory 4 IoCs
  File created by 13ad479f43406e00dd2eb7599be31527_JaffaCakes118.exe:
  C:\Windows\exploree.exe
  C:\Windows\hsl.exe
  C:\Windows\scss.exe
  C:\Windows\svcchost.exe
-
Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
  PID 1752 WerFault.exe, pid_target 2668 (procid_target 30)
-
Modifies registry key 1 TTPs 1 IoCs
  PID 2616 REG.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
  PID 2620 taskmgr.exe (63 entries), PID 3052 svcchost.exe (1 entry)
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  PID 3052 svcchost.exe, PID 2620 taskmgr.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
  Token: SeDebugPrivilege, PID 2620 taskmgr.exe
  Token: SeDebugPrivilege, PID 3052 svcchost.exe
-
Suspicious use of FindShellTrayWindow 64 IoCs
  PID 3052 svcchost.exe (1 entry), PID 2620 taskmgr.exe (63 entries)
-
Suspicious use of SendNotifyMessage 64 IoCs
  PID 2620 taskmgr.exe (64 entries)
-
Suspicious use of SetWindowsHookEx 1 IoCs
  PID 3052 svcchost.exe
-
Suspicious use of UnmapMainImage 5 IoCs
  PID 2736 13ad479f43406e00dd2eb7599be31527_JaffaCakes118.exe, PID 3052 svcchost.exe, PID 2116 exploree.exe, PID 2572 scss.exe, PID 2668 hsl.exe
Suspicious use of WriteProcessMemory 36 IoCs
  Each edge below was recorded 4 times (procid_target is the report's own process index, not a PID):
  PID 2736 13ad479f43406e00dd2eb7599be31527_JaffaCakes118.exe wrote to memory of 3052 (procid_target 28)
  PID 2736 13ad479f43406e00dd2eb7599be31527_JaffaCakes118.exe wrote to memory of 2116 (procid_target 29)
  PID 2736 13ad479f43406e00dd2eb7599be31527_JaffaCakes118.exe wrote to memory of 2668 (procid_target 30)
  PID 2736 13ad479f43406e00dd2eb7599be31527_JaffaCakes118.exe wrote to memory of 2572 (procid_target 31)
  PID 3052 svcchost.exe wrote to memory of 2620 (procid_target 32)
  PID 3052 svcchost.exe wrote to memory of 2616 (procid_target 33)
  PID 2736 13ad479f43406e00dd2eb7599be31527_JaffaCakes118.exe wrote to memory of 2612 (procid_target 35)
  PID 2612 cmd.exe wrote to memory of 2896 (procid_target 37)
  PID 2668 hsl.exe wrote to memory of 1752 (procid_target 38)
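The registry IoCs above carry more than the signature names say: the AuthorizedApplications value is the Windows 7 firewall allow-list format "path:scope:Enabled|Disabled:display name", so "Microsoft Windows Update Platform" is free text chosen by whoever wrote the value; the two Run values land under Wow6432Node because a 32-bit writer on x64 is redirected there; and the Run value "systme" names C:\WINDOWS\system32\scss.exe although the only scss.exe the sample dropped is C:\Windows\scss.exe. The script below is an added example, not tria.ge code, that parses this report's own "Set value (str)" lines (copied here as constructed input) and flags those three points plus near-miss filenames such as svcchost.exe and exploree.exe. The similarity threshold, the allow-list of genuine binary names and the dropped-file cross-check are this example's assumptions.

```python
"""Added example (not tria.ge code): triage the registry IoCs from this report.

Heuristics used here are this example's own assumptions, not tria.ge signature logic:
  * a Run or firewall-authorised binary whose name is a near miss of a genuine
    Windows binary (svcchost vs svchost) is reported as a look-alike;
  * a Run value that points at a path the sample never dropped is reported as a
    mismatch (the report shows C:\\Windows\\scss.exe dropped, but the Run value
    names C:\\WINDOWS\\system32\\scss.exe).
"""
import ntpath
import re
from difflib import SequenceMatcher

# Constructed from the report's "Set value (str)" IoCs: tria.ge prints the key,
# then " = ", then the value with backslashes doubled.
IOC_LINES = [
    r'\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\scss.exe = "C:\\Windows\\scss.exe:*:Enabled:Microsoft Windows Update Platform"',
    r'\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SDKhlpUser = "C:\\Windows\\svcchost.exe"',
    r'\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\systme = "C:\\WINDOWS\\system32\\scss.exe"',
]
# "File created" IoCs from the "Drops file in Windows directory" signature.
DROPPED_FILES = {r"C:\Windows\exploree.exe", r"C:\Windows\hsl.exe",
                 r"C:\Windows\scss.exe", r"C:\Windows\svcchost.exe"}
# Assumption: a small allow-list of genuine Windows binary names; extend it for real use.
KNOWN_BINARIES = {"svchost.exe", "csrss.exe", "smss.exe", "explorer.exe",
                  "lsass.exe", "winlogon.exe", "services.exe", "taskmgr.exe"}

# Windows 7 firewall AuthorizedApplications values: "<path>:<scope>:<Enabled|Disabled>:<display name>".
FIREWALL_VALUE = re.compile(r"^(?P<path>.+?):(?P<scope>[^:]*):(?P<state>Enabled|Disabled):(?P<name>.*)$")


def parse_ioc(line):
    """Split a tria.ge 'key = "value"' line into (key, value) with backslashes un-doubled."""
    key, _, value = line.partition(" = ")
    return key.strip(), value.strip().strip('"').replace("\\\\", "\\")


def lookalike(filename):
    """Return the genuine binary that `filename` most resembles, or None if exact or not close."""
    name = filename.lower()
    if name in KNOWN_BINARIES:
        return None
    best = max(KNOWN_BINARIES, key=lambda k: SequenceMatcher(None, name, k).ratio())
    return best if SequenceMatcher(None, name, best).ratio() >= 0.8 else None


def triage(lines, dropped=DROPPED_FILES):
    """Return (registry key, finding) tuples for every suspicious IoC line."""
    findings = []
    dropped_lc = {p.lower() for p in dropped}
    for line in lines:
        key, value = parse_ioc(line)
        if "\\FirewallPolicy\\" in key and "\\AuthorizedApplications\\List\\" in key:
            m = FIREWALL_VALUE.match(value)
            if not m:
                findings.append((key, "unparseable firewall allow-list entry"))
                continue
            path, state, display = m["path"], m["state"], m["name"]
            if state == "Enabled":
                findings.append((key, f"firewall allow-list entry for {path} ({display!r})"))
            near = lookalike(ntpath.basename(path))
            if near:
                findings.append((key, f"{ntpath.basename(path)} looks like {near}"))
        elif "\\CurrentVersion\\Run\\" in key:
            exe = ntpath.basename(value)
            near = lookalike(exe)
            if near:
                findings.append((key, f"Run value {exe} looks like {near}"))
            if value.lower() not in dropped_lc:
                findings.append((key, f"Run value points at {value}, which is not among the dropped files"))
            if "\\Wow6432Node\\" in key:
                findings.append((key, "written through the WOW64 registry redirector (32-bit writer on x64)"))
    return findings


if __name__ == "__main__":
    for key, finding in triage(IOC_LINES):
        print(f"{finding}\n    {key}")
```

On this report the script reports the firewall entry with its attacker-chosen display name, svcchost.exe as a look-alike of svchost.exe, scss.exe as a look-alike of a genuine s*ss.exe name, the system32\scss.exe path mismatch, and both Run values as Wow6432Node writes. hsl.exe is not close enough to any allow-listed name to be flagged, which is the expected behaviour of a similarity heuristic rather than a gap in the report.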
Processes
C:\Users\Admin\AppData\Local\Temp\13ad479f43406e00dd2eb7599be31527_JaffaCakes118.exe (PID 2736)
  Command line: "C:\Users\Admin\AppData\Local\Temp\13ad479f43406e00dd2eb7599be31527_JaffaCakes118.exe"
  - Drops file in Windows directory
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  C:\Windows\svcchost.exe (PID 3052)
    Command line: "C:\Windows\svcchost.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\taskmgr.exe (PID 2620)
      Command line: "C:\Windows\System32\taskmgr.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
    C:\Windows\SysWOW64\REG.exe (PID 2616)
      Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      - Impair Defenses: Safe Mode Boot
      - Modifies registry key
  C:\Windows\exploree.exe (PID 2116)
    Command line: "C:\Windows\exploree.exe"
    - Executes dropped EXE
    - Suspicious use of UnmapMainImage
  C:\Windows\hsl.exe (PID 2668)
    Command line: "C:\Windows\hsl.exe"
    - Executes dropped EXE
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\WerFault.exe (PID 1752)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2668 -s 132
      - Program crash
  C:\Windows\scss.exe (PID 2572)
    Command line: "C:\Windows\scss.exe"
    - Modifies firewall policy service
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of UnmapMainImage
  C:\Windows\SysWOW64\cmd.exe (PID 2612)
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\154.bat" "
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\chcp.com (PID 2896)
      Command line: chcp 1251

Notes on the tree:
- taskmgr.exe was requested as C:\Windows\System32\taskmgr.exe but runs from C:\Windows\SysWOW64: the sample and its drops are 32-bit processes on an x64 VM, so WOW64 file-system redirection resolves System32 to SysWOW64 for them (REG.exe, WerFault.exe, cmd.exe and chcp.com are all SysWOW64 copies for the same reason), and the same redirector sends their HKLM\SOFTWARE writes to Wow6432Node, as the Run-key IoCs show.
- REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f removes the whole SafeBoot key with all of its subkeys, i.e. the Minimal and Network lists Windows consults to boot into Safe Mode, not only the three subkeys (Power, ProfSvc, WinDefend) the Safe Mode Boot signature lists. The signature reports the key under ControlSet001, which is the control set CurrentControlSet resolved to in this VM.
- cmd.exe runs the dropped 154.bat (its contents are not captured in this report), which switches the console to code page 1251 (Cyrillic); the Deletes itself signature attributes removal of the original sample to this cmd.exe instance.
- WerFault.exe under hsl.exe is Windows Error Reporting handling a crash in hsl.exe (PID 2668), not additional malware activity.
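The raw page fuses each process entry into one line of the form image path, quoted command line, nesting depth and a "⤵" marker, which is why the command lines read "-s 1323⤵" and "chcp 12513⤵" before the depth digit is separated off. The script below is an added example, not tria.ge code: it parses those fused lines (copied from this report as constructed input) back into a parent/child tree and applies two checks a triager would want here, the System32-to-SysWOW64 redirection on taskmgr.exe and executables launched directly from the Windows directory root. The single-digit depth, the quoting rules and the short allow-list of binaries that legitimately live in C:\Windows are this example's assumptions.

```python
"""Added example (not tria.ge code): rebuild this report's process tree from the
flattened 'image"command line"<depth>⤵' lines and flag WOW64 redirection.

Assumptions: each raw line is the image path immediately followed by the command
line and a single-digit nesting depth, exactly as in this report's Processes section.
"""
import ntpath
import re
from collections import namedtuple

# Constructed input: the Processes lines of this report, as the page renders them.
RAW_PROCESS_LINES = [
    'C:\\Users\\Admin\\AppData\\Local\\Temp\\13ad479f43406e00dd2eb7599be31527_JaffaCakes118.exe"C:\\Users\\Admin\\AppData\\Local\\Temp\\13ad479f43406e00dd2eb7599be31527_JaffaCakes118.exe"1⤵',
    'C:\\Windows\\svcchost.exe"C:\\Windows\\svcchost.exe"2⤵',
    'C:\\Windows\\SysWOW64\\taskmgr.exe"C:\\Windows\\System32\\taskmgr.exe"3⤵',
    'C:\\Windows\\SysWOW64\\REG.exeREG DELETE HKLM\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot /f3⤵',
    'C:\\Windows\\exploree.exe"C:\\Windows\\exploree.exe"2⤵',
    'C:\\Windows\\hsl.exe"C:\\Windows\\hsl.exe"2⤵',
    'C:\\Windows\\SysWOW64\\WerFault.exeC:\\Windows\\SysWOW64\\WerFault.exe -u -p 2668 -s 1323⤵',
    'C:\\Windows\\scss.exe"C:\\Windows\\scss.exe"2⤵',
    'C:\\Windows\\SysWOW64\\cmd.execmd /c ""C:\\Users\\Admin\\AppData\\Local\\Temp\\154.bat" "2⤵',
    'C:\\Windows\\SysWOW64\\chcp.comchcp 12513⤵',
]
# Assumption: binaries that legitimately sit directly in C:\Windows (incomplete allow-list).
WINDIR_ROOT_ALLOWED = {"explorer.exe", "regedit.exe", "notepad.exe", "write.exe", "hh.exe"}

Proc = namedtuple("Proc", "image cmdline depth parent")
# Image path ends at the first .exe/.com; the trailing digit before the arrow is the depth.
LINE_RE = re.compile(r"^(?P<image>.+?\.(?:exe|com))(?P<cmd>.*?)(?P<depth>\d)⤵$", re.IGNORECASE)


def parse_tree(lines):
    """Parse the fused lines into Proc records; each one's parent is the nearest shallower line."""
    procs, stack = [], []        # stack[i] = index in procs of the latest process at depth i+1
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised process line: {line!r}")
        depth = int(m["depth"])
        del stack[depth - 1:]    # drop anything at this depth or deeper
        parent = procs[stack[-1]].image if stack else None
        procs.append(Proc(m["image"], m["cmd"].strip(), depth, parent))
        stack.append(len(procs) - 1)
    return procs


def render(procs):
    """Indented one-line-per-process view of the tree."""
    return ["  " * (p.depth - 1) + f"{p.image}  [{p.cmdline}]" for p in procs]


def findings(procs):
    """Return (image, finding) tuples for redirected and oddly placed executables."""
    out = []
    for p in procs:
        # First token of the command line, honouring a leading quoted path.
        first = p.cmdline.split('"')[1] if p.cmdline.startswith('"') else p.cmdline.split(" ")[0]
        if (first.lower().startswith("c:\\windows\\system32\\")
                and p.image.lower().startswith("c:\\windows\\syswow64\\")):
            out.append((p.image, "System32 in the command line resolved to SysWOW64: "
                                 "32-bit parent under WOW64 file-system redirection"))
        head, tail = ntpath.split(p.image)
        if head.lower() == "c:\\windows" and tail.lower() not in WINDIR_ROOT_ALLOWED:
            out.append((p.image, f"executable run directly from the Windows directory; parent {p.parent}"))
    return out


if __name__ == "__main__":
    tree = parse_tree(RAW_PROCESS_LINES)
    print("\n".join(render(tree)))
    for image, note in findings(tree):
        print(f"{note}\n    {image}")
```

Run against this report the parser attaches taskmgr.exe and REG.exe to svcchost.exe, WerFault.exe to hsl.exe and chcp.com to cmd.exe, recovers "-s 132" and "chcp 1251" as the real command-line tails, flags the one System32-to-SysWOW64 redirection, and lists the four dropped executables in C:\Windows with the sample as their parent.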
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
Downloads
- Filesize: 166B
  MD5: ca936c1244fd78ec8a6b5f23c92f9f1b
  SHA1: 644f0296439c1c175d399a32bc8929cb692579a6
  SHA256: 076b593a8d250953a255ef4cead2ee673b36e194ccf5e24152ce8b4c2359a925
  SHA512: 44f179e904cfc5d1f8293ec5fe5768a438735850bb93e9da3eb3f956eb857dd86c05b15b1aa0c968a2bf4b3b473d71aa88c92c48a9db401e0d2cb7df6fc87c35
- Filesize: 35KB
  MD5: 31112dedf5f25bac5aef4c8e344b48f2
  SHA1: 104551348e450ea824d9469afc0189a342140290
  SHA256: d346171cee29cb55204afeb44284480ebcbddee8000ec944a63f2655f0dcdb65
  SHA512: 2ee76e84b70109906ff37cafe58c24ea0b88a2846a43290fa7ecd3abc3b754072dddea8af2b2375df10a7da4c97ceccc03d6f4fcd8243f94b7838072cf03262f
- Filesize: 93KB
  MD5: bb389d8f47db4a872087c37249b5347a
  SHA1: 8b6c0121e46b4af94c941d25fac2f2e7a3092b8d
  SHA256: 7490c42628d70c748b16387e66c33b5989c24b6531a949d5fa10d3069d90adad
  SHA512: 7b6c0ba266a9a611c2e713aeceb0b78a0400a405dbf48482fd0cbe00ea674591e324ffadb7900d4e9d444e81522c111e982410ebfe2f98e9eb2870df9a0f3950
- Filesize: 42KB
  MD5: 875d7d741e71b84e8d620e96b442ffc8
  SHA1: 34b1d6223940df1e2c47e441a84451d11c24ed6a
  SHA256: 9820f333dbe7cbd6ba2064999e7368efc3b4ce114925ede6d96d5fdfe3b1e909
  SHA512: 7b0e3264197e52ebf6b701cb051f749008bf489ff02133b38e4a71111309d1eff3084b2428cc3ec0dce6472a2d0ac4ad3e6430daf701f2777f1852c69fd72180
- Filesize: 50KB
  MD5: 96536128805788b05b9335d674c19e1d
  SHA1: a44cde59321c0f9bb07ef975efc8370c8a51e23e
  SHA256: 69693ac781a21bad65c7962e0afe1157c7cfcd088675a62a6afd92347178f2be
  SHA512: 537e856222506c1200796ce750bfd12bb9933558f1e484c1cc4f1dfc2610385cfb4d2d0f72a9f4d125d97b47060289ff480fedfe64fb6e96c9c302cdd9ab6e1f