Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
120s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20240611-en -
resource tags
arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system -
submitted
27/06/2024, 16:52
Static task
static1
Behavioral task
behavioral1
Sample
16c1f3a171bca17a2afb429a451afb1d_JaffaCakes118.exe
Resource
win7-20240611-en
Behavioral task
behavioral2
Sample
16c1f3a171bca17a2afb429a451afb1d_JaffaCakes118.exe
Resource
win10v2004-20240226-en
General
-
Target
16c1f3a171bca17a2afb429a451afb1d_JaffaCakes118.exe
-
Size
13KB
-
MD5
16c1f3a171bca17a2afb429a451afb1d
-
SHA1
b93d6bd21483baba6ba0f121bb31f3c1a460f24a
-
SHA256
3258001bd74ab68825ac5c7d6ceeadb6fc4a1737704fa28227a0b0a250270d93
-
SHA512
f487ea923f195ecfb06b60f0e000f1f7dab5c4db9c47cd9a6cf833814695a1fbaffb3cabb7798e52413be9366e384579e3934e47ad353a3490e8512c42037a77
-
SSDEEP
192:nmOr1W7LByeduaOkAG6+mkAuLe/LJwlfeTSBaXZQmV/le8ZSwMFd3oCd7a7vtyB8:nma1F4t6Vpu+yMpV/lLSwsGg7EqXX4CG
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\dispexcb.dll = "{76D44356-B494-443a-BEDC-AA68DE4255E6}" 16c1f3a171bca17a2afb429a451afb1d_JaffaCakes118.exe -
Deletes itself 1 IoCs
pid Process 2716 cmd.exe -
Loads dropped DLL 1 IoCs
pid Process 1696 16c1f3a171bca17a2afb429a451afb1d_JaffaCakes118.exe -
Drops file in System32 directory 3 IoCs
description ioc Process File created C:\Windows\SysWOW64\dispexcb.tmp 16c1f3a171bca17a2afb429a451afb1d_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\dispexcb.tmp 16c1f3a171bca17a2afb429a451afb1d_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\dispexcb.nls 16c1f3a171bca17a2afb429a451afb1d_JaffaCakes118.exe -
Modifies registry class 4 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{76D44356-B494-443a-BEDC-AA68DE4255E6}\InProcServer32 16c1f3a171bca17a2afb429a451afb1d_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{76D44356-B494-443a-BEDC-AA68DE4255E6}\InProcServer32\ = "C:\\Windows\\SysWow64\\dispexcb.dll" 16c1f3a171bca17a2afb429a451afb1d_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{76D44356-B494-443a-BEDC-AA68DE4255E6}\InProcServer32\ThreadingModel = "Apartment" 16c1f3a171bca17a2afb429a451afb1d_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{76D44356-B494-443a-BEDC-AA68DE4255E6} 16c1f3a171bca17a2afb429a451afb1d_JaffaCakes118.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 1696 16c1f3a171bca17a2afb429a451afb1d_JaffaCakes118.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 1696 16c1f3a171bca17a2afb429a451afb1d_JaffaCakes118.exe 1696 16c1f3a171bca17a2afb429a451afb1d_JaffaCakes118.exe 1696 16c1f3a171bca17a2afb429a451afb1d_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 1696 wrote to memory of 2716 1696 16c1f3a171bca17a2afb429a451afb1d_JaffaCakes118.exe 28 PID 1696 wrote to memory of 2716 1696 16c1f3a171bca17a2afb429a451afb1d_JaffaCakes118.exe 28 PID 1696 wrote to memory of 2716 1696 16c1f3a171bca17a2afb429a451afb1d_JaffaCakes118.exe 28 PID 1696 wrote to memory of 2716 1696 16c1f3a171bca17a2afb429a451afb1d_JaffaCakes118.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\16c1f3a171bca17a2afb429a451afb1d_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\16c1f3a171bca17a2afb429a451afb1d_JaffaCakes118.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1696 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\D652.tmp.bat2⤵
- Deletes itself
PID:2716
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
207B
MD5c89ba20bdc8ee59ba9ab41c16b9ca773
SHA17982179d2e58acffc4f1fe4dc2b42b32db68dc23
SHA2560cabb62f4855fb969f9afc4fa24dff045fa2311ffa516a76042f19b7811faab5
SHA512aa645188d92026c4deb086651177dfde2f7e5ec9ebeff838cd313a700242a49f7615356d048f37c65eb84ebbb4322ff71138204151b1a10d348b19b197a49d27
-
Filesize
428B
MD5258053b380bc93b614c32a18b8b726ea
SHA10f04967ba3a6226368623155838d51711e3e0a8c
SHA2562ab1145482d8d09e90d8d0e2b5f4ff2532eb89ba7f71587ee15a9dd7138e18ef
SHA51271146acb2f4ad59df738d49749908af7f87a28c3aa970f61f48786bbabafae4b9f3c8e85ec9d51e517aa2dca1bc276db66d49b90823690f67a19164b23f8f2eb
-
Filesize
1.0MB
MD5c0383b7ef55b3a074ecadd1abb5807e1
SHA1aeb7ff60e4115e69ee52e600cf323232faeeb569
SHA2564fd2eb7b2dcdc16a19dfab4c50fcb4fe91f6f3b9f074d4e7d70545248a8aa259
SHA512a6b640195931dcfb7864f45876343fbdc1567a9b8ab84f69ed584a7e74b5cf7ebc010e9c4ae641e73f32e787bde4c11574504a1718678b7b7cee439aeaf69fbd