Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 144s
- max time network: 144s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 26/06/2024, 01:17
Static task: static1
Behavioral task: behavioral1
- Sample: 103969adfdbd2eab47535981cec6636f_JaffaCakes118.exe
- Resource: win7-20240508-en
General
- Target: 103969adfdbd2eab47535981cec6636f_JaffaCakes118.exe
- Size: 273KB
- MD5: 103969adfdbd2eab47535981cec6636f
- SHA1: 35236c66149a580a64c051fdb37626f891f72e7b
- SHA256: 4a31901feb4828ab1d5e99b5c6dccf9a547abc75ed244c4e1de4d42bef00dfbb
- SHA512: 7d1d4e03f29ad494fde1f6eb3817e0ca6fb8429d4daf8839de8897b557951c4fe027e9bc23a3a32e87bff90280c1015e910db9d73aaf190d62c48763a50556ab
- SSDEEP: 6144:GW8RGXHdb5K+QhEd3+NLmximO92D93aqnKpQ1i5cg1:GxRkdb5K+mEBAQ1iT
Malware Config
Signatures

Modifies security service (2 TTPs, 1 IoC)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "3" (process: 103969adfdbd2eab47535981cec6636f_JaffaCakes118.exe)

Boot or Logon Autostart Execution: Active Setup (2 TTPs, 1 IoC)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
- Key created: \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Active Setup\Installed Components (process: explorer.exe)

Disables taskbar notifications via registry modification

Executes dropped EXE (1 IoC)
- PID 1456: B1C2.tmp

Loads dropped DLL (2 IoCs)
- PID 1964: 103969adfdbd2eab47535981cec6636f_JaffaCakes118.exe (2 entries)

Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Yara rule matches (resource: rule)
- behavioral1/memory/1964-1-0x0000000000400000-0x0000000000468000-memory.dmp: upx
- behavioral1/memory/1964-2-0x0000000000400000-0x000000000046A000-memory.dmp: upx
- behavioral1/memory/1964-14-0x0000000000400000-0x0000000000468000-memory.dmp: upx
- behavioral1/memory/1964-15-0x0000000000400000-0x000000000046A000-memory.dmp: upx
- behavioral1/memory/1656-67-0x0000000000400000-0x000000000046A000-memory.dmp: upx
- behavioral1/memory/1964-191-0x0000000000400000-0x000000000046A000-memory.dmp: upx
- behavioral1/memory/1964-197-0x0000000000400000-0x000000000046A000-memory.dmp: upx
- behavioral1/memory/1604-199-0x0000000000400000-0x000000000046A000-memory.dmp: upx
- behavioral1/memory/1964-309-0x0000000000400000-0x000000000046A000-memory.dmp: upx
- behavioral1/memory/1964-318-0x0000000000400000-0x000000000046A000-memory.dmp: upx

Adds Run key to start application (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\F0A.exe = "C:\\Program Files (x86)\\LP\\D51B\\F0A.exe" (process: 103969adfdbd2eab47535981cec6636f_JaffaCakes118.exe)

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Drops file in Program Files directory (3 IoCs)
- File created: C:\Program Files (x86)\LP\D51B\F0A.exe (process: 103969adfdbd2eab47535981cec6636f_JaffaCakes118.exe)
- File opened for modification: C:\Program Files (x86)\LP\D51B\F0A.exe (process: 103969adfdbd2eab47535981cec6636f_JaffaCakes118.exe)
- File opened for modification: C:\Program Files (x86)\LP\D51B\B1C2.tmp (process: 103969adfdbd2eab47535981cec6636f_JaffaCakes118.exe)

Modifies registry class (5 IoCs)
- Key created: \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell (process: explorer.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU (process: explorer.exe)
- Set value (data): \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots (process: explorer.exe)
- Set value (data): \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff (process: explorer.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_Classes\Local Settings (process: explorer.exe)

Suspicious behavior: EnumeratesProcesses (14 IoCs)
- PID 1964: 103969adfdbd2eab47535981cec6636f_JaffaCakes118.exe (14 entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
- PID 1588: explorer.exe

Suspicious use of AdjustPrivilegeToken (15 IoCs)
- Token: SeRestorePrivilege, PID 2672: msiexec.exe
- Token: SeTakeOwnershipPrivilege, PID 2672: msiexec.exe
- Token: SeSecurityPrivilege, PID 2672: msiexec.exe
- Token: SeShutdownPrivilege, PID 1588: explorer.exe (12 entries)

Suspicious use of FindShellTrayWindow (28 IoCs)
- PID 1588: explorer.exe (28 entries)

Suspicious use of SendNotifyMessage (18 IoCs)
- PID 1588: explorer.exe (18 entries)

Suspicious use of WriteProcessMemory (12 IoCs)
- PID 1964 (103969adfdbd2eab47535981cec6636f_JaffaCakes118.exe) wrote to memory of 1656, procid_target 31 (4 entries)
- PID 1964 (103969adfdbd2eab47535981cec6636f_JaffaCakes118.exe) wrote to memory of 1456, procid_target 34 (4 entries)
- PID 1964 (103969adfdbd2eab47535981cec6636f_JaffaCakes118.exe) wrote to memory of 1604, procid_target 37 (4 entries)

System policy modification (1 TTP, 2 IoCs)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer (process: 103969adfdbd2eab47535981cec6636f_JaffaCakes118.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" (process: 103969adfdbd2eab47535981cec6636f_JaffaCakes118.exe)

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\103969adfdbd2eab47535981cec6636f_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\103969adfdbd2eab47535981cec6636f_JaffaCakes118.exe"
  PID: 1964
  Signatures:
  - Modifies security service
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - System policy modification
  Children:
  - C:\Users\Admin\AppData\Local\Temp\103969adfdbd2eab47535981cec6636f_JaffaCakes118.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\103969adfdbd2eab47535981cec6636f_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\B0741\AB4D5.exe%C:\Users\Admin\AppData\Roaming\B0741
    PID: 1656
  - C:\Program Files (x86)\LP\D51B\B1C2.tmp
    Command line: "C:\Program Files (x86)\LP\D51B\B1C2.tmp"
    PID: 1456
    Signatures:
    - Executes dropped EXE
  - C:\Users\Admin\AppData\Local\Temp\103969adfdbd2eab47535981cec6636f_JaffaCakes118.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\103969adfdbd2eab47535981cec6636f_JaffaCakes118.exe startC:\Program Files (x86)\41D1B\lvvm.exe%C:\Program Files (x86)\41D1B
    PID: 1604
- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 2672
  Signatures:
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\explorer.exe
  Command line: explorer.exe
  PID: 1588
  Signatures:
  - Boot or Logon Autostart Execution: Active Setup
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads