Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 148s
max time network: 146s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 06/07/2024, 10:05
Static task: static1
Behavioral task: behavioral1
    Sample: 282807be952aca9e2a10d4b998dea99d_JaffaCakes118.exe
    Resource: win7-20240704-en
Behavioral task: behavioral2
    Sample: 282807be952aca9e2a10d4b998dea99d_JaffaCakes118.exe
    Resource: win10v2004-20240704-en
General
Target: 282807be952aca9e2a10d4b998dea99d_JaffaCakes118.exe
Size: 471KB
MD5: 282807be952aca9e2a10d4b998dea99d
SHA1: deaa64423864b09383f24dd58fc24d694aa9cb92
SHA256: 4c6d0b9e1fc3066b7421978fba95f7e6ce0463887ed953365b5cab4f4e16a9b0
SHA512: be53040a2a879bff60d64d947a987548df38873c062bbb2cff2d821460c7116817a75fce9f8488434f1a5c0c9035735ee756393443e217ade93fec1f4c6a53bc
SSDEEP: 12288:+e6fM21Az3KwyGLHAzNQ3YL//LJNNDTPzNH7JV3Fcfk8rTvrLadrax8D+5axnfDF:+e6fNALKwf8zNQ3YL//LJNNDTPzNH7JB
Malware Config
Signatures

Adds policy Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | iexplore.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\svchost = "C:\\Windows\\system32\\svchost\\svchost.exe" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\svchost = "C:\\Windows\\system32\\svchost\\svchost.exe" | iexplore.exe

Boot or Logon Autostart Execution: Active Setup (2 TTPs, 2 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{L116JG07-148E-1TU2-60X2-0Y0NBU803HLL} | iexplore.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{L116JG07-148E-1TU2-60X2-0Y0NBU803HLL}\StubPath = "C:\\Windows\\system32\\svchost\\svchost.exe Restart" | iexplore.exe

Uses the VBS compiler for execution (1 TTPs)

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\Windows\\system32\\svchost\\svchost.exe" | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\Windows\\system32\\svchost\\svchost.exe" | iexplore.exe

Drops file in System32 directory (3 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\svchost\svchost.exe | iexplore.exe
File opened for modification | C:\Windows\SysWOW64\svchost\svchost.exe | iexplore.exe
File opened for modification | C:\Windows\SysWOW64\svchost\plugin.dat | iexplore.exe

Suspicious use of SetThreadContext (1 IoCs)
description | pid | Process | procid_target
PID 560 set thread context of 2952 | 560 | 282807be952aca9e2a10d4b998dea99d_JaffaCakes118.exe | 29

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
2952 | vbc.exe
2952 | vbc.exe

Suspicious use of AdjustPrivilegeToken (6 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2952 | vbc.exe
Token: SeDebugPrivilege | 2952 | vbc.exe
Token: SeDebugPrivilege | 2952 | vbc.exe
Token: SeDebugPrivilege | 2952 | vbc.exe
Token: SeDebugPrivilege | 2784 | iexplore.exe
Token: SeDebugPrivilege | 2784 | iexplore.exe

Suspicious use of WriteProcessMemory (64 IoCs; only two distinct rows occur, each repeated many times)
description | pid | Process | procid_target
PID 560 wrote to memory of 2952 | 560 | 282807be952aca9e2a10d4b998dea99d_JaffaCakes118.exe | 29 (repeated)
PID 2952 wrote to memory of 2784 | 2952 | vbc.exe | 30 (repeated)
Processes
(one process per line, indented under its parent; image path | command line | PID; triggered signatures listed beneath the process)

C:\Windows\System32\smss.exe | \SystemRoot\System32\smss.exe | PID 256
C:\Windows\system32\csrss.exe | %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 | PID 332
C:\Windows\system32\wininit.exe | wininit.exe | PID 368
    C:\Windows\system32\services.exe | C:\Windows\system32\services.exe | PID 468
        C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k DcomLaunch | PID 584
            C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID 1240
            C:\Windows\system32\wbem\wmiprvse.exe | C:\Windows\system32\wbem\wmiprvse.exe | PID 864
        C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k RPCSS | PID 660
        C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted | PID 720
        C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted | PID 788
            C:\Windows\system32\Dwm.exe | "C:\Windows\system32\Dwm.exe" | PID 1328
        C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs | PID 816
        C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService | PID 980
        C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkService | PID 272
        C:\Windows\System32\spoolsv.exe | C:\Windows\System32\spoolsv.exe | PID 1008
        C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork | PID 324
        C:\Windows\system32\taskhost.exe | "taskhost.exe" | PID 1232
        C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE | "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE" | PID 1620
        C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation | PID 1912
        C:\Windows\system32\sppsvc.exe | C:\Windows\system32\sppsvc.exe | PID 1888
    C:\Windows\system32\lsass.exe | C:\Windows\system32\lsass.exe | PID 476
    C:\Windows\system32\lsm.exe | C:\Windows\system32\lsm.exe | PID 484
C:\Windows\system32\csrss.exe | %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 | PID 380
C:\Windows\system32\winlogon.exe | winlogon.exe | PID 420
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID 1384
    C:\Users\Admin\AppData\Local\Temp\282807be952aca9e2a10d4b998dea99d_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\282807be952aca9e2a10d4b998dea99d_JaffaCakes118.exe" | PID 560
        signatures: Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | PID 2952
            signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
            C:\Program Files (x86)\Internet Explorer\iexplore.exe | "C:\Program Files (x86)\Internet Explorer\iexplore.exe" | PID 2784
                signatures: Adds policy Run key to start application; Boot or Logon Autostart Execution: Active Setup; Adds Run key to start application; Drops file in System32 directory; Suspicious use of AdjustPrivilegeToken