Analysis
max time kernel: 148s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28/06/2024, 00:42
Static task: static1
Behavioral task: behavioral1
Sample: 182860c0c418baa8f0d94b68459ae384_JaffaCakes118.exe
Resource: win7-20240508-en
General
Target: 182860c0c418baa8f0d94b68459ae384_JaffaCakes118.exe
Size: 268KB
MD5: 182860c0c418baa8f0d94b68459ae384
SHA1: ada260ac8ce34358527c05e91c1029b7f55aa737
SHA256: 651dbcca5436b159a5fb1fcff4f769a91280e194bd091b8bb6e284db94858814
SHA512: 9c64290fd43c8ffc7a720b01b0715b23d924625171216b96855b3b5034b57ace8f9cadb037d2552128eccff1175f03c4d78384d72902ced26182e2f7a5388b84
SSDEEP: 6144:amwd6zy40hYcUQ9gVLPxOzHu7HyZpmCFY3QFkp7Vxt:at6zoDqVLwbuzy3Y3fp7F
Malware Config
Signatures
Modifies firewall policy service 3 TTPs 10 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\svchost.exe = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe:*:Enabled:Windows Messanger" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\svhost.exe = "C:\\Users\\Admin\\AppData\\Roaming\\svhost.exe:*:Enabled:Windows Messanger" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe
Drops startup file 2 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\182860c0c418baa8f0d94b68459ae384_JaffaCakes118.exe | 182860c0c418baa8f0d94b68459ae384_JaffaCakes118.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\182860c0c418baa8f0d94b68459ae384_JaffaCakes118.exe | 182860c0c418baa8f0d94b68459ae384_JaffaCakes118.exe
Executes dropped EXE 1 IoCs
pid | Process
1916 | svchost.exe

resource | yara_rule
behavioral2/memory/1916-20-0x0000000000400000-0x000000000045C000-memory.dmp | upx
behavioral2/memory/1916-26-0x0000000000400000-0x000000000045C000-memory.dmp | upx
behavioral2/memory/1916-25-0x0000000000400000-0x000000000045C000-memory.dmp | upx
behavioral2/memory/1916-33-0x0000000000400000-0x000000000045C000-memory.dmp | upx
behavioral2/memory/1916-32-0x0000000000400000-0x000000000045C000-memory.dmp | upx
behavioral2/memory/1916-35-0x0000000000400000-0x000000000045C000-memory.dmp | upx
behavioral2/memory/1916-36-0x0000000000400000-0x000000000045C000-memory.dmp | upx
behavioral2/memory/1916-41-0x0000000000400000-0x000000000045C000-memory.dmp | upx
behavioral2/memory/1916-45-0x0000000000400000-0x000000000045C000-memory.dmp | upx
behavioral2/memory/1916-48-0x0000000000400000-0x000000000045C000-memory.dmp | upx
behavioral2/memory/1916-51-0x0000000000400000-0x000000000045C000-memory.dmp | upx
behavioral2/memory/1916-54-0x0000000000400000-0x000000000045C000-memory.dmp | upx
behavioral2/memory/1916-57-0x0000000000400000-0x000000000045C000-memory.dmp | upx
behavioral2/memory/1916-60-0x0000000000400000-0x000000000045C000-memory.dmp | upx
behavioral2/memory/1916-63-0x0000000000400000-0x000000000045C000-memory.dmp | upx
behavioral2/memory/1916-66-0x0000000000400000-0x000000000045C000-memory.dmp | upx
behavioral2/memory/1916-69-0x0000000000400000-0x000000000045C000-memory.dmp | upx
behavioral2/memory/1916-72-0x0000000000400000-0x000000000045C000-memory.dmp | upx
behavioral2/memory/1916-75-0x0000000000400000-0x000000000045C000-memory.dmp | upx
behavioral2/memory/1916-78-0x0000000000400000-0x000000000045C000-memory.dmp | upx
Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 2484 set thread context of 1916 | 2484 | 182860c0c418baa8f0d94b68459ae384_JaffaCakes118.exe | 86
Modifies registry key 1 TTPs 4 IoCs
pid | Process
4764 | reg.exe
3956 | reg.exe
4868 | reg.exe
1028 | reg.exe
Suspicious use of AdjustPrivilegeToken 36 IoCs
description | pid | Process
All 36 records are for pid 1916, svchost.exe. The tokens, in the order listed:
Token: 1, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 31, 32, 33, 34, 35, SeDebugPrivilege
Suspicious use of SetWindowsHookEx 3 IoCs
pid | Process
1916 | svchost.exe
1916 | svchost.exe
1916 | svchost.exe
Suspicious use of WriteProcessMemory 38 IoCs
description | pid | Process | procid_target   (identical records collapsed; repeat count in brackets)
PID 2484 wrote to memory of 4184 | 2484 | 182860c0c418baa8f0d94b68459ae384_JaffaCakes118.exe | 82   [x3]
PID 4184 wrote to memory of 2384 | 4184 | csc.exe | 85   [x3]
PID 2484 wrote to memory of 1916 | 2484 | 182860c0c418baa8f0d94b68459ae384_JaffaCakes118.exe | 86   [x8]
PID 1916 wrote to memory of 464 | 1916 | svchost.exe | 88   [x3]
PID 1916 wrote to memory of 4828 | 1916 | svchost.exe | 89   [x3]
PID 1916 wrote to memory of 2148 | 1916 | svchost.exe | 90   [x3]
PID 1916 wrote to memory of 5000 | 1916 | svchost.exe | 91   [x3]
PID 2148 wrote to memory of 1028 | 2148 | cmd.exe | 96   [x3]
PID 4828 wrote to memory of 4764 | 4828 | cmd.exe | 97   [x3]
PID 5000 wrote to memory of 3956 | 5000 | cmd.exe | 98   [x3]
PID 464 wrote to memory of 4868 | 464 | cmd.exe | 99   [x3]
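The WriteProcessMemory and SetThreadContext tables above, read together with the process tree, describe a classic hollowing pattern: every ordinary spawn in this tree (cmd.exe launching reg.exe, the sample launching csc.exe) shows three writes into the new child and no thread-context change, while the sample's write into PID 1916 shows eight writes plus SetThreadContext, and 1916 is a dropped file named svchost.exe living in AppData\Roaming rather than System32. The yara hits on 1916's memory at 0x400000-0x45C000 show that what ended up there is UPX-packed. The script below is an added example, not code from the report or from tria.ge: its PROCESSES and EVENTS tables are constructed from the report's tree and signature tables, and the verdict logic (baseline write count per direct child, plus SetThreadContext, plus a system-binary name outside C:\Windows) is this author's heuristic, not a tria.ge signature.

```python
"""Reconstruct the injection chain from sandbox API records.

Added example, not code from the tria.ge report. PROCESSES and EVENTS are
constructed from the report's process tree and its WriteProcessMemory /
SetThreadContext tables; the verdict logic is this author's heuristic.
"""
from collections import Counter
from typing import Dict, List, Set, Tuple

# Image names a dropped file commonly borrows; only suspicious outside C:\Windows.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe"}
WINDOWS_DIR = "c:\\windows\\"

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\182860c0c418baa8f0d94b68459ae384_JaffaCakes118.exe"

# pid -> (image path, parent pid); 0 means the parent is outside the tree.
PROCESSES: Dict[int, Tuple[str, int]] = {
    2484: (SAMPLE, 0),
    4184: (r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe", 2484),
    2384: (r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe", 4184),
    1916: (r"C:\Users\Admin\AppData\Roaming\svchost.exe", 2484),
    464: (r"C:\Windows\SysWOW64\cmd.exe", 1916),
    4828: (r"C:\Windows\SysWOW64\cmd.exe", 1916),
    2148: (r"C:\Windows\SysWOW64\cmd.exe", 1916),
    5000: (r"C:\Windows\SysWOW64\cmd.exe", 1916),
    4868: (r"C:\Windows\SysWOW64\reg.exe", 464),
    4764: (r"C:\Windows\SysWOW64\reg.exe", 4828),
    1028: (r"C:\Windows\SysWOW64\reg.exe", 2148),
    3956: (r"C:\Windows\SysWOW64\reg.exe", 5000),
}

# (api, source pid, target pid, times the report lists it).
EVENTS: List[Tuple[str, int, int, int]] = [
    ("WriteProcessMemory", 2484, 4184, 3),
    ("WriteProcessMemory", 4184, 2384, 3),
    ("WriteProcessMemory", 2484, 1916, 8),
    ("SetThreadContext", 2484, 1916, 1),
    ("WriteProcessMemory", 1916, 464, 3),
    ("WriteProcessMemory", 1916, 4828, 3),
    ("WriteProcessMemory", 1916, 2148, 3),
    ("WriteProcessMemory", 1916, 5000, 3),
    ("WriteProcessMemory", 2148, 1028, 3),
    ("WriteProcessMemory", 4828, 4764, 3),
    ("WriteProcessMemory", 5000, 3956, 3),
    ("WriteProcessMemory", 464, 4868, 3),
]


def writes_by_pair(events) -> Tuple[Counter, Set[Tuple[int, int]]]:
    """Total WriteProcessMemory count per (source, target) and the pairs with SetThreadContext."""
    writes: Counter = Counter()
    ctx: Set[Tuple[int, int]] = set()
    for api, src, dst, n in events:
        if api == "WriteProcessMemory":
            writes[(src, dst)] += n
        elif api == "SetThreadContext":
            ctx.add((src, dst))
    return writes, ctx


def baseline_write_count(events, processes) -> int:
    """Most common write count for parent -> direct child pairs without a context change.

    That is what a plain CreateProcess looks like through the sandbox hooks, so it
    is the bar an injection must clearly exceed.
    """
    writes, ctx = writes_by_pair(events)
    ordinary = [n for (src, dst), n in writes.items()
                if processes.get(dst, ("", None))[1] == src and (src, dst) not in ctx]
    return Counter(ordinary).most_common(1)[0][0] if ordinary else 0


def is_masquerading(path: str) -> bool:
    """True when the basename borrows a system binary name but the file is outside C:\\Windows."""
    low = path.lower()
    return low.rsplit("\\", 1)[-1] in SYSTEM_NAMES and not low.startswith(WINDOWS_DIR)


def find_hollowing(events, processes) -> List[dict]:
    """Pairs where the parent spawned the target, wrote more than baseline and redirected a thread."""
    writes, ctx = writes_by_pair(events)
    base = baseline_write_count(events, processes)
    hits = []
    for (src, dst), n in sorted(writes.items()):
        image, parent = processes.get(dst, ("<unknown>", None))
        if parent == src and (src, dst) in ctx and n > base:
            hits.append({"source": src, "target": dst, "target_image": image,
                         "writes": n, "baseline": base, "masquerade": is_masquerading(image)})
    return hits


def ancestry(pid: int, processes) -> List[int]:
    """Walk the tree upwards from pid; useful to tie a reg.exe back to the injected process."""
    chain = []
    while pid in processes:
        chain.append(pid)
        pid = processes[pid][1]
    return chain


if __name__ == "__main__":
    for hit in find_hollowing(EVENTS, PROCESSES):
        print(f"{hit['source']} -> {hit['target']} ({hit['target_image']}): "
              f"{hit['writes']} writes vs baseline {hit['baseline']}, masquerade={hit['masquerade']}")
    print("reg.exe 4868 ancestry:", ancestry(4868, PROCESSES))
```

Two things the heuristic deliberately does not do: it does not treat the csc.exe/cvtres.exe branch as injection (three writes, no context change, which matches every other spawn), even though a `/noconfig /fullpaths @"...cmdline"` response file with CSC*.tmp and RES*.tmp temporaries is the command-line shape of a runtime .NET CodeDOM compilation and is itself worth a hunt; and it does not claim the eight writes carry a whole image. The memory dumps do that job: the UPX rule firing on the 0x400000-0x45C000 region of 1916 is the evidence of what was written.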
Processes
C:\Users\Admin\AppData\Local\Temp\182860c0c418baa8f0d94b68459ae384_JaffaCakes118.exe   (level 1, PID 2484)
  command line: "C:\Users\Admin\AppData\Local\Temp\182860c0c418baa8f0d94b68459ae384_JaffaCakes118.exe"
  - Drops startup file
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe   (level 2, PID 4184)
    command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ilapjfaq.cmdline"
    - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe   (level 3, PID 2384)
      command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3CAC.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC3CAB.tmp"
  C:\Users\Admin\AppData\Roaming\svchost.exe   (level 2, PID 1916)
    command line: C:\Users\Admin\AppData\Roaming\svchost.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe   (level 3, PID 464)
      command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\reg.exe   (level 4, PID 4868)
        command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        - Modifies firewall policy service
        - Modifies registry key
    C:\Windows\SysWOW64\cmd.exe   (level 3, PID 4828)
      command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\svchost.exe:*:Enabled:Windows Messanger" /f
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\reg.exe   (level 4, PID 4764)
        command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\svchost.exe:*:Enabled:Windows Messanger" /f
        - Modifies firewall policy service
        - Modifies registry key
    C:\Windows\SysWOW64\cmd.exe   (level 3, PID 2148)
      command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\reg.exe   (level 4, PID 1028)
        command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        - Modifies firewall policy service
        - Modifies registry key
    C:\Windows\SysWOW64\cmd.exe   (level 3, PID 5000)
      command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\svhost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\svhost.exe:*:Enabled:Windows Messanger" /f
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\reg.exe   (level 4, PID 3956)
        command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\svhost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\svhost.exe:*:Enabled:Windows Messanger" /f
        - Modifies firewall policy service
        - Modifies registry key
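The four reg.exe children of PID 1916 do two things: set StandardProfile\DoNotAllowExceptions to 0 (so exceptions are honoured again if a policy had switched them off) and register two AuthorizedApplications\List entries, one for the dropped AppData\Roaming\svchost.exe and one for a svhost.exe that never appears elsewhere in the report, both labelled "Windows Messanger" (sic). The detector below is an added example, not code from the report or from tria.ge: it parses REG ADD command lines of exactly this shape, as they would arrive in a process-creation event, and flags the three tells: exceptions re-enabled, a firewall exception for a user-writable path, and a name that is (or is one character away from) a system binary but sits outside the Windows directory. The command lines in SAMPLE_CMDLINES are constructed from the tree above, plus one benign control line for a vendor agent under Program Files that is this author's invention.

```python
"""Flag Windows Firewall policy tampering in REG ADD command lines.

Added example, not code from the tria.ge report. Parses the REG ADD shape
seen in the process tree and flags the tamper patterns the sample shows.
"""
import difflib
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

FIREWALL_POLICY = "services\\sharedaccess\\parameters\\firewallpolicy"
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\programdata\\", "\\temp\\")
SYSTEM_NAMES = ["svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "explorer.exe"]
WINDOWS_DIR = "c:\\windows\\"

# Constructed from the process tree (first three) plus a benign control (hypothetical vendor agent).
SAMPLE_CMDLINES = [
    'REG ADD HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f',
    'REG ADD HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile\\AuthorizedApplications\\List /v "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe" /t REG_SZ /d "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe:*:Enabled:Windows Messanger" /f',
    'REG ADD HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile\\AuthorizedApplications\\List /v "C:\\Users\\Admin\\AppData\\Roaming\\svhost.exe" /t REG_SZ /d "C:\\Users\\Admin\\AppData\\Roaming\\svhost.exe:*:Enabled:Windows Messanger" /f',
    'REG ADD HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile\\AuthorizedApplications\\List /v "C:\\Program Files\\Vendor\\agent.exe" /t REG_SZ /d "C:\\Program Files\\Vendor\\agent.exe:*:Enabled:Vendor Agent" /f',
]


@dataclass
class RegAdd:
    key: str
    value_name: Optional[str]
    value_type: Optional[str]
    data: Optional[str]


def tokenize(cmdline: str) -> List[str]:
    """Split a Windows command line on whitespace, keeping double-quoted runs together."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def parse_reg_add(cmdline: str) -> Optional[RegAdd]:
    """Extract key and /v /t /d switches from a REG ADD line, tolerating a 'cmd /c' wrapper."""
    toks = tokenize(cmdline)
    low = [t.lower() for t in toks]
    for i in range(len(toks) - 2):
        if low[i].rsplit("\\", 1)[-1] in ("reg", "reg.exe") and low[i + 1] == "add":
            break
    else:
        return None
    switches = {}
    j = i + 3
    while j + 1 < len(toks):
        if low[j] in ("/v", "/t", "/d"):
            switches[low[j]] = toks[j + 1]
            j += 2
        else:
            j += 1
    return RegAdd(toks[i + 2], switches.get("/v"), switches.get("/t"), switches.get("/d"))


def assess(cmdline: str) -> List[str]:
    """Findings for one command line; empty when it does not touch firewall policy or looks benign."""
    r = parse_reg_add(cmdline)
    if r is None or FIREWALL_POLICY not in r.key.lower():
        return []
    key, name = r.key.lower(), (r.value_name or "").lower()
    findings = []
    if key.endswith("\\standardprofile") and name == "donotallowexceptions" and r.data == "0":
        findings.append("firewall exceptions re-enabled (DoNotAllowExceptions=0)")
    if "\\authorizedapplications\\list" in key:
        if any(marker in name for marker in USER_WRITABLE):
            findings.append(f"firewall exception for a user-writable path: {r.value_name}")
        base = name.rsplit("\\", 1)[-1]
        # cutoff 0.85 catches the one-letter-off 'svhost.exe' as well as the exact name
        lookalike = difflib.get_close_matches(base, SYSTEM_NAMES, n=1, cutoff=0.85)
        if lookalike and not name.startswith(WINDOWS_DIR):
            findings.append(f"{r.value_name} imitates {lookalike[0]} outside the Windows directory")
    return findings


def report(cmdlines: List[str]) -> List[Tuple[str, List[str]]]:
    """(command line, findings) for every line that produced at least one finding."""
    out = []
    for cmd in cmdlines:
        findings = assess(cmd)
        if findings:
            out.append((cmd, findings))
    return out


if __name__ == "__main__":
    for cmd, findings in report(SAMPLE_CMDLINES):
        print(cmd[:90] + "...")
        for f in findings:
            print("   ", f)
```

On a live host the same keys can be read back with PowerShell's Get-ItemProperty against HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile and its AuthorizedApplications\List subkey, and any value name pointing into a user profile is worth pulling. One caveat on scope: the report records the registry writes, not whether the firewall service acted on them, so treat these entries as evidence of intent (open inbound access for the dropped binary) and confirm effect with the host's own firewall rule listing rather than the registry alone.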
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1KB
MD5: 58302dcdbac2fd8cc35f02382c09afb8
SHA1: 16cdf84e5dd26290a3b88a783613ddcd39a465c3
SHA256: a5197172a03ef3f8e83c61048ff859373b6f11e4d92aefb9017d2bd2f9817246
SHA512: 00fd3419ec66868b131118069ac6a80c0e0ac2a2a151e5b822c2598113517d06907865061f99b5b9151f1f4fd59b19213e8c88aeef1425f508de4a0c9db2f097

Filesize: 5KB
MD5: 48c7153dd0d7d1149d5e70b2ac3f64b7
SHA1: d1ca4af5b6a02bb4c38070c1c0303263aae2ce13
SHA256: 0f7ca58c34e05c699747f9f6ee0a37e429ff6af9cc3742c6395c18bd8550153f
SHA512: 9ed35adb575fb362e67f63ac3f3ca842a6af52095aad9af208182b96b7885b6045b745318ca0b1d06d4e2335e7a33da54926fde01fbd0335dc48e81557a12192

Filesize: 12KB
MD5: e2a4c443e3afda26f532f978f5b4d031
SHA1: 59348c67332d1dd5a16a79f89151b42f94869928
SHA256: 15a36c3a7a2e53441919ed584719211df9fc3bb76725274ef1ea120b1564602a
SHA512: 0d0821e7b407aeaa0b2f2aff8df96756d3e279937d2d1cee8a64cc360dbbfa2f7e5add8477de58fe5bd4b8778492dbecd6d3bb68405b34c1596369c38ab663ab

Filesize: 652B
MD5: 7612360f817c80cc259e9430052091d5
SHA1: 82c5139fad33e1c64cf4652f8c90316d00a38504
SHA256: 35049915e3c71de8eee67961948751f86ef489bf865eb120249069aaa1de44ff
SHA512: 938dd3c2a48ac02e664bdaae827ffe1b81cd9fb53d5f3ff9b7711759dee4b7feb9cea5c24ef6a42e7e0073add126dbe8954ac0e3aeb3d97b76658944e0b5a8e5

Filesize: 4KB
MD5: 2216d197bc442e875016eba15c07a937
SHA1: 37528e21ea3271b85d276c6bd003e6c60c81545d
SHA256: 2e9e3da7bfa1334706550bb4d6269bf3e64cbbc09fa349af52eb22f32aebb4af
SHA512: 7d7bdc3bf83ac0a29e917ead899dcaa1b47ee2660f405fe4883ca2a2546f7924265e1d75a2ea02c0e34fac4d2bb82bbaaa88d06c240afad4e9fd49337cd04d3f

Filesize: 206B
MD5: caf7b9ca15e9ba4a5a8ea8cca843a5c6
SHA1: 813459187f34032ff18ea02ad0ee8b8733596509
SHA256: cb354ecdd2d39e4fd01970587be7069a3713f7553f3476cd19fc1153f359dd84
SHA512: 52b873bfb6cf4bcf161b50a648e860d47aed7d78f5a0b65b216368aa86ce36c8764acd3b9a6c00dcf6ecb53d3dc2bc21f691b8ef5eab7e756fbc7b4f51b21bdf