Analysis
max time kernel: 121s
max time network: 125s
platform: windows7_x64
resource: win7-20240611-en
resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
submitted: 01/07/2024, 10:15
Static task: static1
Behavioral task: behavioral1
  Sample: 1ae7e832043c3b019e0a352a251a67e8_JaffaCakes118.exe
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: 1ae7e832043c3b019e0a352a251a67e8_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
Target: 1ae7e832043c3b019e0a352a251a67e8_JaffaCakes118.exe
Size: 68KB
MD5: 1ae7e832043c3b019e0a352a251a67e8
SHA1: 0952e14a154bd096a3db5dc79f8149ca6701ea78
SHA256: 609205762b968c2674355dee4d0c2af4031bd40e020578554989aa1f4ac15a7b
SHA512: 594220c046ed0ed570a7e0dddd5e44da4dbe8ebee7b582508ee5fe70df16889e0febb4ec0761ce4a5cb0f6b821910a29fb9aac72dcdd3a0381d20104c6e5f343
SSDEEP: 768:p5hsGkirNo8m4U1VIw98f1+LjohCYKqv+LnLB03AWW26W7PHDfURD:fki28xsV90j2qv+LnLBKLW26+AN
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\WINDOWS\\smrs.exe"
  Process: 1ae7e832043c3b019e0a352a251a67e8_JaffaCakes118.exe
Modifies firewall policy service (3 TTPs, 2 IoCs)
  description: Key created
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
  Process: 1ae7e832043c3b019e0a352a251a67e8_JaffaCakes118.exe
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\smrs.exe = "C:\\WINDOWS\\smrs.exe"
  Process: 1ae7e832043c3b019e0a352a251a67e8_JaffaCakes118.exe
Drops file in System32 directory (1 IoC)
  description: File opened for modification
  ioc: C:\WINDOWS\SysWOW64\MSWINSCK.OCX
  Process: 1ae7e832043c3b019e0a352a251a67e8_JaffaCakes118.exe
Drops file in Windows directory (1 IoC)
  description: File opened for modification
  ioc: C:\WINDOWS\smrs.exe
  Process: 1ae7e832043c3b019e0a352a251a67e8_JaffaCakes118.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description: Token: SeRestorePrivilege
  pid: 1704
  Process: 1ae7e832043c3b019e0a352a251a67e8_JaffaCakes118.exe
  description: Token: SeBackupPrivilege
  pid: 1704
  Process: 1ae7e832043c3b019e0a352a251a67e8_JaffaCakes118.exe
Suspicious use of SetWindowsHookEx (1 IoC)
  pid: 1704
  Process: 1ae7e832043c3b019e0a352a251a67e8_JaffaCakes118.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\1ae7e832043c3b019e0a352a251a67e8_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\1ae7e832043c3b019e0a352a251a67e8_JaffaCakes118.exe"
   PID: 1704
   - Modifies WinLogon for persistence
   - Modifies firewall policy service
   - Drops file in System32 directory
   - Drops file in Windows directory
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1): Winlogon Helper DLL (1)
  Create or Modify System Process (1): Windows Service (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1): Winlogon Helper DLL (1)
  Create or Modify System Process (1): Windows Service (1)