Analysis
- max time kernel: 146s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20240611-en
- resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
- submitted: 04/07/2024, 05:23
Static task
- static1
Behavioral task
- behavioral1
  Sample: 24c639a18297db41949983f59e4054fa_JaffaCakes118.exe
  Resource: win7-20240611-en
Behavioral task
- behavioral2
  Sample: 24c639a18297db41949983f59e4054fa_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
- Target: 24c639a18297db41949983f59e4054fa_JaffaCakes118.exe
- Size: 1.2MB
- MD5: 24c639a18297db41949983f59e4054fa
- SHA1: 999b084361f15698429f7d3c76462e2f45215161
- SHA256: b90c45b593caa67d5c686b4c0ae43364be4fedcaf801c57cd08b39c8f66bc1ab
- SHA512: 4673629b812587745fb62d9a261b6487d7e5322dd57f109a70fc17d12621a8f6fb5c509f1f64b7253259cd9a801c34f5a207f043657f0641b23a76098e3bcc1a
- SSDEEP: 12288:eg8GBI8sEyF6O5O2xDTMuQQpRhO54snV80LLbmVSpcStKpq9gJvvUotI45Ce7rQo:e4BQEwlFTjgN/bm0Lf9EvUo75CePpTk
Malware Config
Signatures
- Disables Task Manager via registry modification
- Event Triggered Execution: AppCert DLLs (1 TTP)
  Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppCert DLLs loaded into processes.
- Executes dropped EXE (2 IoCs)
  pid   Process
  1344  Explorer.EXE
  844   Process not Found
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid   Process
  2176  24c639a18297db41949983f59e4054fa_JaffaCakes118.exe
  2176  24c639a18297db41949983f59e4054fa_JaffaCakes118.exe
  1344  Explorer.EXE
  1344  Explorer.EXE
  1344  Explorer.EXE
  1344  Explorer.EXE
- Suspicious behavior: RenamesItself (1 IoC)
  pid   Process
  2176  24c639a18297db41949983f59e4054fa_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (1 IoC)
  description                        pid   Process                                              procid_target
  PID 2176 wrote to memory of 1344   2176  24c639a18297db41949983f59e4054fa_JaffaCakes118.exe   21
- System policy modification (1 TTP, 2 IoCs)
  description      ioc                                                                                                   Process
  Key created      \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System                          24c639a18297db41949983f59e4054fa_JaffaCakes118.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"     24c639a18297db41949983f59e4054fa_JaffaCakes118.exe
Processes
- C:\Windows\Explorer.EXE (depth 1)
  Command line: C:\Windows\Explorer.EXE
  PID: 1344
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - C:\Users\Admin\AppData\Local\Temp\24c639a18297db41949983f59e4054fa_JaffaCakes118.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\24c639a18297db41949983f59e4054fa_JaffaCakes118.exe"
    PID: 2176
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: RenamesItself
    - Suspicious use of WriteProcessMemory
    - System policy modification
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1.1MB
  MD5: 6ee34bf22dd9df03e960ed8d13872065
  SHA1: 718f9503ff6da32ce964cdf92024100b709dcb92
  SHA256: b93b463b7b358d760e815bf666017a65b22eecac29b563e298fa2dd7a181f8a8
  SHA512: ae2df6789c606f4148c541b8688277eb335c5826519379c6383d8b60b2bfd0f558198d9476ab282c68c4fac4196c71ba0cc069d000bd7221c12d0a6769bf85fc