Analysis
  max time kernel: 140s
  max time network: 120s
  platform: windows7_x64
  resource: win7-20231129-en
  resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  submitted: 26/06/2024, 22:47
Static task
  static1

Behavioral task
  behavioral1
    Sample: 13c199c208b022940e06b654f968c5d1_JaffaCakes118.exe
    Resource: win7-20231129-en

Behavioral task
  behavioral2
    Sample: 13c199c208b022940e06b654f968c5d1_JaffaCakes118.exe
    Resource: win10v2004-20240611-en
General
  Target: 13c199c208b022940e06b654f968c5d1_JaffaCakes118.exe
  Size: 46KB
  MD5: 13c199c208b022940e06b654f968c5d1
  SHA1: a9decf492b68a1a64d14bbbfbdfdcd105809b257
  SHA256: 9a78b873c2aa291b1834b8ddb741b78ac2f564174dd58d223f9fb748f6d10532
  SHA512: aaabf509e94289bfb5143c9272b934a8a089a004d87dfe7b9372b007c333812340ef862d5e6fe2cc8f5aed92879d4dfd85783905a7a85570c96f6e95ee457b9b
  SSDEEP: 768:dbI0l3A7f5HbZ+r9kotEv8cXXsiTbpqvytL/UPRx5OH0bu8RaATXxBO+S5iBayZI:Rg57poteMi52KLSRxA6u8Ram9S5ivI
Malware Config
Signatures

ACProtect 1.3x - 1.4x DLL software (1 IoC)
Detects file using ACProtect software.
  resource | yara_rule
  behavioral1/files/0x000b000000014ef8-10.dat | acprotect

Impair Defenses: Safe Mode Boot (1 TTP, 4 IoCs)
  Process: 13c199c208b022940e06b654f968c5d1_JaffaCakes118.exe (all rows)
  description | ioc
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\emul65.sys
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\emul65.sys\ = "Driver"
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\emul37.sys
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\emul37.sys\ = "Driver"

Loads dropped DLL (1 IoC)
  pid | Process
  1660 | 13c199c208b022940e06b654f968c5d1_JaffaCakes118.exe

Modifies WinLogon (2 TTPs, 8 IoCs)
  Process: 13c199c208b022940e06b654f968c5d1_JaffaCakes118.exe (all rows)
  description | ioc
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\emul65\Impersonate = "1"
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\emul65\Asynchronous = "1"
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\emul65\MaxWait = "1"
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\emul65
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\emul65\secureUID = "[36547148743947036012]"
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\emul65\DllName = "emul65.dll"
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\emul65\Startup = "MezZZccbbB"

Drops file in System32 directory (11 IoCs)
  Process: 13c199c208b022940e06b654f968c5d1_JaffaCakes118.exe (all rows)
  description | ioc
  File created | C:\Windows\SysWOW64\emul65.dll
  File created | C:\Windows\SysWOW64\qz.dll
  File opened for modification | C:\Windows\SysWOW64\emul37.sys
  File created | C:\Windows\SysWOW64\qy.sys
  File opened for modification | C:\Windows\SysWOW64\zxcsedr.dll
  File created | C:\Windows\SysWOW64\emul37.sys
  File created | C:\Windows\SysWOW64\qz.sys
  File created | C:\Windows\SysWOW64\emul65.sys
  File opened for modification | C:\Windows\SysWOW64\emul65.sys
  File created | C:\Windows\SysWOW64\x8.xxd
  File opened for modification | C:\Windows\SysWOW64\x8.xxd

Suspicious behavior: EnumeratesProcesses (7 IoCs)
  pid | Process
  1660 | 13c199c208b022940e06b654f968c5d1_JaffaCakes118.exe (7 identical rows)

Suspicious behavior: LoadsDriver (1 IoC)
  pid | Process
  480 | Process not Found

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 1660 | 13c199c208b022940e06b654f968c5d1_JaffaCakes118.exe
  Token: SeShutdownPrivilege | 1660 | 13c199c208b022940e06b654f968c5d1_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (7 IoCs)
  description | pid | Process | procid_target
  PID 1660 wrote to memory of 1260 | 1660 | 13c199c208b022940e06b654f968c5d1_JaffaCakes118.exe | 21 (7 identical rows)
Processes
  1. C:\Windows\Explorer.EXE
     Command line: C:\Windows\Explorer.EXE
     PID: 1260
     2. C:\Users\Admin\AppData\Local\Temp\13c199c208b022940e06b654f968c5d1_JaffaCakes118.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\13c199c208b022940e06b654f968c5d1_JaffaCakes118.exe"
        PID: 1660
        Signatures:
          - Impair Defenses: Safe Mode Boot
          - Loads dropped DLL
          - Modifies WinLogon
          - Drops file in System32 directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v15
Downloads
  Filesize: 33KB
  MD5: ab8730f9baeb55d4e12abd5275106270
  SHA1: 2a796b58a0e4001c4c958e6d5a38273877102422
  SHA256: d3a4ba8d0837e6bf6a1ba4648e1f9e2f4980ac763e6a2537514e55de906e1b41
  SHA512: 592f89c0153a1e00027772d373c835acc7d3490b180a9a2025618635bfef6041c088780e0e11d567856868944157b095e142aab1968062ae65a6dc09c4b649cc