Analysis
Max time kernel: 150s
Max time network: 123s
Platform: windows7_x64
Resource: win7-20240611-en
Resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
Submitted: 27/06/2024, 08:56
Tasks
Static task: static1
Behavioral task: behavioral1
  Sample: 15664ff00b7a6496d48d633b7812ab94_JaffaCakes118.exe
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: 15664ff00b7a6496d48d633b7812ab94_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
Target: 15664ff00b7a6496d48d633b7812ab94_JaffaCakes118.exe
Size: 85KB
MD5: 15664ff00b7a6496d48d633b7812ab94
SHA1: cb3ebedbe023ca5884d552f67d9a3f409b0fdc50
SHA256: 4f7bab60cdd8b4623e470eaa8bfebfd840e069c834a953025b49289d7277a071
SHA512: 680771d2017e8f7118c46d679bf8ea65241855d2e8c7e40dce3c2740d90d03704b0e937ee05e51819788d5662eb26c7830fc490f65bac6c51fc7a8a1afa3e7a3
SSDEEP: 1536:CAi7V6+EZFCttj4E56r+Ov4DVwMXZ7sRIMrHWTaWr7UlTn5YjYpeeO6T:CAi7U1kuE5yXEDPa27UnYspFv
Malware Config
Signatures

Server Software Component: Terminal Services DLL (1 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\AppMgmt\Parameters\ServiceDll = "C:\\Progra~1\\%Program Files%\\uninstall.lnk" | laass.exe
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\AppMgmt\Parameters\ServiceDll = "C:\\Progra~1\\%Program Files%\\uninstall.lnk" | rundll32.exe

Deletes itself (1 IoCs)
  pid | Process
  2832 | cmd.exe

Executes dropped EXE (1 IoCs)
  pid | Process
  2700 | laass.exe

Loads dropped DLL (4 IoCs)
  pid | Process
  2164 | 15664ff00b7a6496d48d633b7812ab94_JaffaCakes118.exe
  2164 | 15664ff00b7a6496d48d633b7812ab94_JaffaCakes118.exe
  2720 | rundll32.exe
  2700 | laass.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "file:c:\\windows\\362.VBS" | laass.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "file:c:\\windows\\362.VBS" | rundll32.exe

Drops file in Program Files directory (7 IoCs)
  description | ioc | Process
  File opened for modification | \??\c:\Program Files\%Program Files% | 15664ff00b7a6496d48d633b7812ab94_JaffaCakes118.exe
  File created | C:\Progra~1\%Program Files%\laass.exe | 15664ff00b7a6496d48d633b7812ab94_JaffaCakes118.exe
  File created | C:\Progra~1\%Program Files%\363.VBS | 15664ff00b7a6496d48d633b7812ab94_JaffaCakes118.exe
  File created | C:\Progra~1\%Program Files%\Cest.bat | 15664ff00b7a6496d48d633b7812ab94_JaffaCakes118.exe
  File created | C:\Progra~1\%Program Files%\~ | 15664ff00b7a6496d48d633b7812ab94_JaffaCakes118.exe
  File created | C:\Progra~1\%Program Files%\uninstall.lnk | 15664ff00b7a6496d48d633b7812ab94_JaffaCakes118.exe
  File opened for modification | C:\Progra~1\%Program Files%\uninstall.lnk | 15664ff00b7a6496d48d633b7812ab94_JaffaCakes118.exe

Drops file in Windows directory (2 IoCs)
  description | ioc | Process
  File created | C:\windows\best.bat | 15664ff00b7a6496d48d633b7812ab94_JaffaCakes118.exe
  File created | C:\windows\362.vbs | 15664ff00b7a6496d48d633b7812ab94_JaffaCakes118.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  pid | Process
  2720 | rundll32.exe
  2700 | laass.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description | pid | Process
  Token: SeIncBasePriorityPrivilege | 2164 | 15664ff00b7a6496d48d633b7812ab94_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (15 IoCs)
  description | pid | Process | procid_target
  PID 2164 wrote to memory of 2700 | 2164 | 15664ff00b7a6496d48d633b7812ab94_JaffaCakes118.exe | 28
  PID 2164 wrote to memory of 2700 | 2164 | 15664ff00b7a6496d48d633b7812ab94_JaffaCakes118.exe | 28
  PID 2164 wrote to memory of 2700 | 2164 | 15664ff00b7a6496d48d633b7812ab94_JaffaCakes118.exe | 28
  PID 2164 wrote to memory of 2700 | 2164 | 15664ff00b7a6496d48d633b7812ab94_JaffaCakes118.exe | 28
  PID 2164 wrote to memory of 2720 | 2164 | 15664ff00b7a6496d48d633b7812ab94_JaffaCakes118.exe | 29
  PID 2164 wrote to memory of 2720 | 2164 | 15664ff00b7a6496d48d633b7812ab94_JaffaCakes118.exe | 29
  PID 2164 wrote to memory of 2720 | 2164 | 15664ff00b7a6496d48d633b7812ab94_JaffaCakes118.exe | 29
  PID 2164 wrote to memory of 2720 | 2164 | 15664ff00b7a6496d48d633b7812ab94_JaffaCakes118.exe | 29
  PID 2164 wrote to memory of 2720 | 2164 | 15664ff00b7a6496d48d633b7812ab94_JaffaCakes118.exe | 29
  PID 2164 wrote to memory of 2720 | 2164 | 15664ff00b7a6496d48d633b7812ab94_JaffaCakes118.exe | 29
  PID 2164 wrote to memory of 2720 | 2164 | 15664ff00b7a6496d48d633b7812ab94_JaffaCakes118.exe | 29
  PID 2164 wrote to memory of 2832 | 2164 | 15664ff00b7a6496d48d633b7812ab94_JaffaCakes118.exe | 30
  PID 2164 wrote to memory of 2832 | 2164 | 15664ff00b7a6496d48d633b7812ab94_JaffaCakes118.exe | 30
  PID 2164 wrote to memory of 2832 | 2164 | 15664ff00b7a6496d48d633b7812ab94_JaffaCakes118.exe | 30
  PID 2164 wrote to memory of 2832 | 2164 | 15664ff00b7a6496d48d633b7812ab94_JaffaCakes118.exe | 30
Processes

- C:\Users\Admin\AppData\Local\Temp\15664ff00b7a6496d48d633b7812ab94_JaffaCakes118.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\15664ff00b7a6496d48d633b7812ab94_JaffaCakes118.exe"
  PID: 2164
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - C:\Program Files\%Program Files%\laass.exe (depth 2)
    Command line: "C:\Program Files\%Program Files%\laass.exe" uninstall.lnk main
    PID: 2700
    - Server Software Component: Terminal Services DLL
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam

  - C:\Windows\SysWOW64\rundll32.exe (depth 2)
    Command line: "C:\Windows\System32\rundll32.exe" uninstall.lnk main
    PID: 2720
    - Server Software Component: Terminal Services DLL
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam

  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\15664F~1.EXE > nul & rd c:\%Progr~1 > nul
    PID: 2832
    - Deletes itself
Downloads

Dropped file 1
  Filesize: 9KB
  MD5: 359c541c07a39ab11bb45aad29b2d2ce
  SHA1: 3c4f277f184ae306a4d0efe1bcb9e03ecabbb9b7
  SHA256: 6e2378348ebebf5b301744fedb0be396ef4e7e92ad94877da79eed9eb46850d5
  SHA512: 768050272dd4875a4c2a6a96f6337334c05d1512dfc0cc9ceee883a7c701de5e2e90872a6f9029de5b528b74c07cb8aa61c10f9f9e834f8021e9759136fcfbff

Dropped file 2
  Filesize: 88B
  MD5: a78667573d9a9ceb25a0d4e1a7a2db8b
  SHA1: 9a4a9cf44d39df2a24f86fc332cb3782eef8876d
  SHA256: 49a93525279882890cb85cb794dfebd8fdc1f10fe0127d016ff1fc864a65167a
  SHA512: 67276d58e5e98e5cfc1853a4b405390f8d9cad8171dc75b99878a8d5e7ddfbef7694fa5be5e50b733b0986301fef6a73171fef2c7b63d2473ba4a2dc105a5d18