Analysis
max time kernel: 119s
max time network: 126s
platform: windows7_x64
resource: win7-20240611-en
resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
submitted: 01/07/2024, 10:23
Static task
static1

Behavioral task
behavioral1
Sample: 1aeea49d25b4dc6e42724c9c0d2e9296_JaffaCakes118.exe
Resource: win7-20240611-en

Behavioral task
behavioral2
Sample: 1aeea49d25b4dc6e42724c9c0d2e9296_JaffaCakes118.exe
Resource: win10v2004-20240226-en
General
Target: 1aeea49d25b4dc6e42724c9c0d2e9296_JaffaCakes118.exe
Size: 10KB
MD5: 1aeea49d25b4dc6e42724c9c0d2e9296
SHA1: 2d5e850c7f8872a994ac3eee8fd14f082e46ce05
SHA256: 8b2bfe0e55b5ac5bdc545a14b1564d07da18adf59670184f05f6c9f2549ed5d6
SHA512: bf3146ed58df01d93d2a5c185c034e2a86ecc95beab81e3501736e0f9e38a7068bcc941df12c10681284f7a76b84939311726eb1ead2e96ded185810991bfd96
SSDEEP: 192:/TojHDbwLgReF4UjMN2z+Ko4SSFaNJhLkwcud2DH9VwGfctexPe85/OS/oJKWQW8:/TojHDbwIeF4ISRJWaNJawcudoD7Unlo
Malware Config
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\nppagent.exe" | 1aeea49d25b4dc6e42724c9c0d2e9296_JaffaCakes118.exe

Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | 1aeea49d25b4dc6e42724c9c0d2e9296_JaffaCakes118.exe

Event Triggered Execution: Image File Execution Options Injection (1 TTP, 2 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WINWORD.EXE | 1aeea49d25b4dc6e42724c9c0d2e9296_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WINWORD.EXE\Debugger = "C:\\WINDOWS\\system32\\Microsoft\\ctfmon.exe" | 1aeea49d25b4dc6e42724c9c0d2e9296_JaffaCakes118.exe

Sets file to hidden (1 TTP, 6 IoCs)
Modifies file attributes to stop it showing in Explorer etc.
pid | Process
2356 | attrib.exe
2620 | attrib.exe
2700 | attrib.exe
2336 | attrib.exe
2604 | attrib.exe
2964 | attrib.exe

Modifies registry class (2 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile | 1aeea49d25b4dc6e42724c9c0d2e9296_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile | 1aeea49d25b4dc6e42724c9c0d2e9296_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx (1 IoC)
pid | Process
1152 | 1aeea49d25b4dc6e42724c9c0d2e9296_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (52 IoCs)
Each source-to-target pair below was recorded four times, giving 52 IoCs in total.
description | pid | Process | procid_target | count
PID 1152 wrote to memory of 2000 | 1152 | 1aeea49d25b4dc6e42724c9c0d2e9296_JaffaCakes118.exe | 28 | 4
PID 1152 wrote to memory of 1228 | 1152 | 1aeea49d25b4dc6e42724c9c0d2e9296_JaffaCakes118.exe | 29 | 4
PID 1152 wrote to memory of 2892 | 1152 | 1aeea49d25b4dc6e42724c9c0d2e9296_JaffaCakes118.exe | 31 | 4
PID 1152 wrote to memory of 2580 | 1152 | 1aeea49d25b4dc6e42724c9c0d2e9296_JaffaCakes118.exe | 33 | 4
PID 1152 wrote to memory of 2020 | 1152 | 1aeea49d25b4dc6e42724c9c0d2e9296_JaffaCakes118.exe | 34 | 4
PID 1152 wrote to memory of 2616 | 1152 | 1aeea49d25b4dc6e42724c9c0d2e9296_JaffaCakes118.exe | 37 | 4
PID 1152 wrote to memory of 2728 | 1152 | 1aeea49d25b4dc6e42724c9c0d2e9296_JaffaCakes118.exe | 39 | 4
PID 1228 wrote to memory of 2356 | 1228 | cmd.exe | 43 | 4
PID 2020 wrote to memory of 2620 | 2020 | cmd.exe | 42 | 4
PID 2580 wrote to memory of 2964 | 2580 | cmd.exe | 44 | 4
PID 2892 wrote to memory of 2604 | 2892 | cmd.exe | 45 | 4
PID 2616 wrote to memory of 2700 | 2616 | cmd.exe | 46 | 4
PID 2728 wrote to memory of 2336 | 2728 | cmd.exe | 47 | 4

Views/modifies file attributes (1 TTP, 6 IoCs)
pid | Process
2356 | attrib.exe
2620 | attrib.exe
2700 | attrib.exe
2336 | attrib.exe
2604 | attrib.exe
2964 | attrib.exe
Processes
(Each entry gives the image path, the command line, the PID and the signatures that fired; indentation shows the parent/child relationship.)

C:\Users\Admin\AppData\Local\Temp\1aeea49d25b4dc6e42724c9c0d2e9296_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\1aeea49d25b4dc6e42724c9c0d2e9296_JaffaCakes118.exe"
  PID:1152
  - Modifies WinLogon for persistence
  - Modifies visibility of hidden/system files in Explorer
  - Event Triggered Execution: Image File Execution Options Injection
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe
    command line: cmd /c "C:\WINDOWS\system32\IME\comrereg.exe"
    PID:2000

  C:\Windows\SysWOW64\cmd.exe
    command line: cmd /c attrib +s +h "C:\WINDOWS\system32\IME\comrereg.exe"
    PID:1228
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\attrib.exe
      command line: attrib +s +h "C:\WINDOWS\system32\IME\comrereg.exe"
      PID:2356
      - Sets file to hidden
      - Views/modifies file attributes

  C:\Windows\SysWOW64\cmd.exe
    command line: cmd /c attrib +s +h "C:\Program Files\Windows Media Player\wmpband.exe"
    PID:2892
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\attrib.exe
      command line: attrib +s +h "C:\Program Files\Windows Media Player\wmpband.exe"
      PID:2604
      - Sets file to hidden
      - Views/modifies file attributes

  C:\Windows\SysWOW64\cmd.exe
    command line: cmd /c attrib +s +h "C:\WINDOWS\system32\DirectX\Setup.exe"
    PID:2580
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\attrib.exe
      command line: attrib +s +h "C:\WINDOWS\system32\DirectX\Setup.exe"
      PID:2964
      - Sets file to hidden
      - Views/modifies file attributes

  C:\Windows\SysWOW64\cmd.exe
    command line: cmd /c attrib +s +h "C:\WINDOWS\system32\nppagent.exe"
    PID:2020
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\attrib.exe
      command line: attrib +s +h "C:\WINDOWS\system32\nppagent.exe"
      PID:2620
      - Sets file to hidden
      - Views/modifies file attributes

  C:\Windows\SysWOW64\cmd.exe
    command line: cmd /c attrib +s +h "C:\WINDOWS\system32\Microsoft\ctfmon.exe"
    PID:2616
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\attrib.exe
      command line: attrib +s +h "C:\WINDOWS\system32\Microsoft\ctfmon.exe"
      PID:2700
      - Sets file to hidden
      - Views/modifies file attributes

  C:\Windows\SysWOW64\cmd.exe
    command line: cmd /c attrib +s +h "C:\Program Files\Internet Explorer\EXPLORE.EXE"
    PID:2728
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\attrib.exe
      command line: attrib +s +h "C:\Program Files\Internet Explorer\EXPLORE.EXE"
      PID:2336
      - Sets file to hidden
      - Views/modifies file attributes
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Winlogon Helper DLL (1)
  Event Triggered Execution (1)
    Image File Execution Options Injection (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Winlogon Helper DLL (1)
  Event Triggered Execution (1)
    Image File Execution Options Injection (1)