Analysis
- max time kernel: 150s
- max time network: 149s
- platform: windows7_x64
- resource: win7-20240220-en
- resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
- submitted: 26/06/2024, 23:12

Static task: static1

Behavioral task: behavioral1
- Sample: 13d63bb9e821f16c95202cd163df8765_JaffaCakes118.exe
- Resource: win7-20240220-en

Behavioral task: behavioral2
- Sample: 13d63bb9e821f16c95202cd163df8765_JaffaCakes118.exe
- Resource: win10v2004-20240508-en
General
- Target: 13d63bb9e821f16c95202cd163df8765_JaffaCakes118.exe
- Size: 24KB
- MD5: 13d63bb9e821f16c95202cd163df8765
- SHA1: 26138ce2c9b51abb55cd0065ae22a249efed2174
- SHA256: 222f99403e5829527d4a8becbed06d7f746ecd0bf5f247132b4f9ffcdaecc98a
- SHA512: bc83daa54c10eff6b90723c744e7d42732d000128c17112d5262f6a1653f4ceb8f10acf883e2fc93b0c6d9f592d7d73874be0860037c54e6af263c0ec34db911
- SSDEEP: 384:s/4e8zdTyBsyqAIZhgdwbkzZtEng/E5HdRtw7UionvbPrammRKapF+YXg1wmvvvJ:bWsyqAgge0ZKng/iR9d7raHUaxswoR
Malware Config
Signatures
Boot or Logon Autostart Execution: Active Setup (2 TTPs, 3 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{H8I22RB03-AB-B70-7-11d2-9CBD-0O00FS7AH6-9E2121BHJLK} (ini.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{H8I22RB03-AB-B70-7-11d2-9CBD-0O00FS7AH6-9E2121BHJLK}\ = "windir" (ini.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{H8I22RB03-AB-B70-7-11d2-9CBD-0O00FS7AH6-9E2121BHJLK}\stubpath = "%windir%\\ini\\shit.vbs" (ini.exe)
Drops file in Drivers directory (1 IoC)
- File opened for modification: C:\Windows\system32\drivers\etc\hosts (ini.exe)

Deletes itself (1 IoC)
- PID 2520 cmd.exe

Executes dropped EXE (1 IoC)
- PID 1888 ini.exe
Impair Defenses: Safe Mode Boot (1 TTP, 3 IoCs)
- Key deleted: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\POWER (ini.exe)
- Key deleted: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\PROFSVC (ini.exe)
- Key deleted: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WINDEFEND (ini.exe)
Loads dropped DLL (2 IoCs)
- PID 840 13d63bb9e821f16c95202cd163df8765_JaffaCakes118.exe
- PID 840 13d63bb9e821f16c95202cd163df8765_JaffaCakes118.exe

Adds Run key to start application (2 TTPs, 1 IoC)
- Key deleted: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run (ini.exe)

Drops desktop.ini file(s) (2 IoCs)
- File created: C:\Windows\ini\desktop.ini (13d63bb9e821f16c95202cd163df8765_JaffaCakes118.exe)
- File opened for modification: C:\Windows\ini\desktop.ini (13d63bb9e821f16c95202cd163df8765_JaffaCakes118.exe)
Enumerates connected drives (3 TTPs, 2 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
- File opened (read-only): \??\E: (ini.exe)
- File opened (read-only): \??\H: (ini.exe)
Drops file in Program Files directory (64 IoCs)
All 64 entries are by ini.exe:
- File opened for modification: C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\wsock32.dll
- File opened for modification: C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\wsock32.dll
- File created: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.update\wsock32.dll
- File created: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\wsock32.dll
- File created: C:\Program Files\Java\jre7\lib\zi\Etc\wsock32.dll
- File opened for modification: C:\Program Files\VideoLAN\VLC\locale\el\LC_MESSAGES\wsock32.dll
- File opened for modification: C:\Program Files\VideoLAN\VLC\locale\fr\wsock32.dll
- File opened for modification: C:\Program Files\Windows Defender\de-DE\wsock32.dll
- File opened for modification: C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\wsock32.dll
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\wsock32.dll
- File opened for modification: C:\Program Files\VideoLAN\VLC\locale\en_GB\LC_MESSAGES\wsock32.dll
- File created: C:\Program Files\VideoLAN\VLC\locale\ta\LC_MESSAGES\wsock32.dll
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\wsock32.dll
- File created: C:\Program Files\VideoLAN\VLC\locale\nn\wsock32.dll
- File created: C:\Program Files\VideoLAN\VLC\locale\wa\LC_MESSAGES\wsock32.dll
- File opened for modification: C:\Program Files\VideoLAN\VLC\locale\zh_CN\wsock32.dll
- File opened for modification: C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\wsock32.dll
- File created: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\wsock32.dll
- File created: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\windows-amd64\wsock32.dll
- File created: C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\wsock32.dll
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\wsock32.dll
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\wsock32.dll
- File opened for modification: C:\Program Files\Java\jre7\lib\applet\wsock32.dll
- File created: C:\Program Files\VideoLAN\VLC\locale\fi\LC_MESSAGES\wsock32.dll
- File created: C:\Program Files\VideoLAN\VLC\locale\lv\LC_MESSAGES\wsock32.dll
- File created: C:\Program Files\VideoLAN\VLC\plugins\stream_extractor\wsock32.dll
- File created: C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\wsock32.dll
- File opened for modification: C:\Program Files\Common Files\Microsoft Shared\TextConv\wsock32.dll
- File opened for modification: C:\Program Files\Common Files\System\msadc\es-ES\wsock32.dll
- File created: C:\Program Files\Microsoft Games\Multiplayer\Checkers\it-IT\wsock32.dll
- File opened for modification: C:\Program Files\Mozilla Firefox\defaults\wsock32.dll
- File created: C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\wsock32.dll
- File created: C:\Program Files\Java\jre7\lib\zi\Europe\wsock32.dll
- File opened for modification: C:\Program Files\Java\jre7\lib\wsock32.dll
- File created: C:\Program Files\VideoLAN\VLC\locale\sr\LC_MESSAGES\wsock32.dll
- File created: C:\Program Files\VideoLAN\VLC\locale\uz\wsock32.dll
- File created: C:\Program Files\Windows Media Player\es-ES\wsock32.dll
- File created: C:\Program Files\Java\jdk1.7.0_80\jre\wsock32.dll
- File opened for modification: C:\Program Files\Microsoft Games\Chess\ja-JP\wsock32.dll
- File opened for modification: C:\Program Files\Microsoft Office\Office14\wsock32.dll
- File opened for modification: C:\Program Files\VideoLAN\VLC\locale\ca\wsock32.dll
- File opened for modification: C:\Program Files\VideoLAN\VLC\locale\da\wsock32.dll
- File opened for modification: C:\Program Files\VideoLAN\VLC\locale\lt\wsock32.dll
- File opened for modification: C:\Program Files\VideoLAN\VLC\locale\nb\LC_MESSAGES\wsock32.dll
- File created: C:\Program Files\Windows Defender\it-IT\wsock32.dll
- File created: C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\en-US\enu-dsk\wsock32.dll
- File opened for modification: C:\Program Files\Common Files\System\Ole DB\ja-JP\wsock32.dll
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\bin\wsock32.dll
- File created: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\wsock32.dll
- File created: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\wsock32.dll
- File opened for modification: C:\Program Files\Microsoft Games\More Games\de-DE\wsock32.dll
- File created: C:\Program Files\VideoLAN\VLC\locale\ff\LC_MESSAGES\wsock32.dll
- File created: C:\Program Files\VideoLAN\VLC\locale\zh_TW\LC_MESSAGES\wsock32.dll
- File created: C:\Program Files\VideoLAN\VLC\lua\http\js\wsock32.dll
- File opened for modification: C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\wsock32.dll
- File opened for modification: C:\Program Files\Common Files\Microsoft Shared\VSTO\wsock32.dll
- File opened for modification: C:\Program Files\Java\jre7\lib\zi\wsock32.dll
- File created: C:\Program Files\VideoLAN\VLC\locale\th\wsock32.dll
- File created: C:\Program Files\Windows Journal\es-ES\wsock32.dll
- File created: C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\wsock32.dll
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\wsock32.dll
- File created: C:\Program Files\Microsoft Games\Chess\fr-FR\wsock32.dll
- File created: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\wsock32.dll
- File created: C:\Program Files\VideoLAN\VLC\locale\am\wsock32.dll
Drops file in Windows directory (10 IoCs)
- File opened for modification: C:\Windows\ini\desktop.ini (13d63bb9e821f16c95202cd163df8765_JaffaCakes118.exe)
- File created: C:\Windows\ini\wsock32.dll (ini.exe)
- File created: C:\Windows\ini\ini.exe (13d63bb9e821f16c95202cd163df8765_JaffaCakes118.exe)
- File created: C:\Windows\ini\shit.vbs (ini.exe)
- File created: C:\Windows\Tasks\°²×°.bat (ini.exe)
- File opened for modification: C:\Windows\Tasks\°²×°.bat (ini.exe)
- File created: C:\Windows\ini\desktop.ini (13d63bb9e821f16c95202cd163df8765_JaffaCakes118.exe)
- File opened for modification: C:\Windows\ini (13d63bb9e821f16c95202cd163df8765_JaffaCakes118.exe)
- File opened for modification: C:\Windows\ini (ini.exe)
- File opened for modification: C:\Windows\ini\shit.vbs (ini.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
- PID 1888 ini.exe (64 identical entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
- PID 1888 ini.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
- Token: SeIncBasePriorityPrivilege, PID 840 13d63bb9e821f16c95202cd163df8765_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (8 IoCs)
- PID 840 wrote to memory of 1888; PID 840 13d63bb9e821f16c95202cd163df8765_JaffaCakes118.exe; procid_target 28
- PID 840 wrote to memory of 1888; PID 840 13d63bb9e821f16c95202cd163df8765_JaffaCakes118.exe; procid_target 28
- PID 840 wrote to memory of 1888; PID 840 13d63bb9e821f16c95202cd163df8765_JaffaCakes118.exe; procid_target 28
- PID 840 wrote to memory of 1888; PID 840 13d63bb9e821f16c95202cd163df8765_JaffaCakes118.exe; procid_target 28
- PID 840 wrote to memory of 2520; PID 840 13d63bb9e821f16c95202cd163df8765_JaffaCakes118.exe; procid_target 29
- PID 840 wrote to memory of 2520; PID 840 13d63bb9e821f16c95202cd163df8765_JaffaCakes118.exe; procid_target 29
- PID 840 wrote to memory of 2520; PID 840 13d63bb9e821f16c95202cd163df8765_JaffaCakes118.exe; procid_target 29
- PID 840 wrote to memory of 2520; PID 840 13d63bb9e821f16c95202cd163df8765_JaffaCakes118.exe; procid_target 29
Processes
- C:\Users\Admin\AppData\Local\Temp\13d63bb9e821f16c95202cd163df8765_JaffaCakes118.exe (PID 840)
  Command line: "C:\Users\Admin\AppData\Local\Temp\13d63bb9e821f16c95202cd163df8765_JaffaCakes118.exe"
  - Loads dropped DLL
  - Drops desktop.ini file(s)
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\ini\ini.exe (PID 1888)
    Command line: C:\Windows\ini\ini.exe
    - Boot or Logon Autostart Execution: Active Setup
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Impair Defenses: Safe Mode Boot
    - Adds Run key to start application
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
  - Child: C:\Windows\SysWOW64\cmd.exe (PID 2520)
    Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\13D63B~1.EXE > nul
    - Deletes itself
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (1)
Downloads
- Filesize: 904B
  - MD5: fddf3a7b7372d7b7c0aa2eae2cb582a6
  - SHA1: 492f336df8c1a3467b38978955f1ad5ae03a65fd
  - SHA256: 5de04384652accddd8e528fbf05453443031b47e23e12a5e219893497cb7a61a
  - SHA512: 20ec9393053a3ab47a11ee0c3dcea771fdf7544525f6e89c08bc7b2ac744d8a10265512001377e6520e656f5afa4582fbb9f6616d2e32efdb7173fc255e02c0f
- Filesize: 93B
  - MD5: 029cb6e8dd46b0bac89f075426176148
  - SHA1: ac38c1a3e3db05376f191d161500d74251c9e493
  - SHA256: 638734859db449bb4597a1f3fff81fbf9c9ba9158fc232bfd0ba5f69eab67ef0
  - SHA512: f74516b98862b508d1714f9757ed22bd76248626ea1eb665f8a3141438c156bb218598adbd089f63c3cf80336e986a5afc2234f18839a8e807ca5c616af29d2b
- Filesize: 17KB
  - MD5: 62d674465aeb6cb32700fba27c5745d5
  - SHA1: ccecf6d66b50643ef70d5c25e0c6814fc55df425
  - SHA256: eea1e1b309f1f7beaf829fa636e2ca15bb9b02c3764c3432721cefbdde3741e5
  - SHA512: 5e4e14c85f5f5933e924b0f8186af09356b387d835a04c31cabed881ddaa28d4607937f7474956bd16d5659565f2b00caa1e2d23524e771a48360046e2517a40
- Filesize: 24KB
  - MD5: 0207a4d69009e38edc0cbeb1e794034d
  - SHA1: c233336c76ff7a561534dd2f593fb360e860c554
  - SHA256: ad33c9ead99c1ac700060d403f2a9a2435837ec54d087d8b9a837144759e842c
  - SHA512: 5228b7d501e21cf301922fc4aa579b259d29945db1e1a52b632ed1a10288da39e582cb256d6df287573b1cc70f3d6b9b02bef41dce09c52cdc06594b4458e17e