Analysis
  max time kernel   120s
  max time network  125s
  platform          windows7_x64
  resource          win7-20240704-en
  resource tags     arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  submitted         08/07/2024, 09:29
Behavioral task: behavioral1
  Sample    2bd1fb53eaa50768839e2f0af0f28776_JaffaCakes118.exe
  Resource  win7-20240704-en

General
  Target  2bd1fb53eaa50768839e2f0af0f28776_JaffaCakes118.exe
  Size    38KB
  MD5     2bd1fb53eaa50768839e2f0af0f28776
  SHA1    128ed940f232e13e96b03132365ef17c54c5ac2a
  SHA256  90062e6119e33002894556095c0a649a4b2b3fffd4a06923d3d85f1009c35b37
  SHA512  37e851d8a71cb2885476528c929422f7db73e48b70579eef85f7369e373a3e809a641a91810a524168358e90f9dd07588de287a612aa08447c35f2b2610fdc74
  SSDEEP  768:BDRyti+nKpMbrOhvLXcgQqTO/yXeL9+K62aHAAxgjxPvlZ4:bl+nKpUChvLXcgQ4uL4rNHAOKlvlZ4
Malware Config
Signatures
Deletes itself 1 IoCs
  PID   Process
  2520  rundll32.exe
Loads dropped DLL 1 IoCs
  PID   Process
  2520  rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
YARA rule match (upx) 3 IoCs
  resource                                                                     yara_rule
  behavioral1/memory/2356-0-0x0000000000400000-0x0000000000418000-memory.dmp   upx
  behavioral1/memory/2356-11-0x0000000000400000-0x0000000000418000-memory.dmp  upx
  behavioral1/memory/2356-15-0x0000000000400000-0x0000000000418000-memory.dmp  upx
Drops file in System32 directory 11 IoCs
  description                   ioc                                        Process
  File opened for modification  C:\Windows\SysWOW64\yuksuser.dll           2bd1fb53eaa50768839e2f0af0f28776_JaffaCakes118.exe
  File created                  C:\Windows\SysWOW64\ksuser.dll             2bd1fb53eaa50768839e2f0af0f28776_JaffaCakes118.exe
  File created                  C:\Windows\SysWOW64\midimap.dll            2bd1fb53eaa50768839e2f0af0f28776_JaffaCakes118.exe
  File created                  C:\Windows\SysWOW64\yumsimg32.dll          2bd1fb53eaa50768839e2f0af0f28776_JaffaCakes118.exe
  File created                  C:\Windows\SysWOW64\msimg32.dll            2bd1fb53eaa50768839e2f0af0f28776_JaffaCakes118.exe
  File created                  C:\Windows\SysWOW64\yuksuser.dll           2bd1fb53eaa50768839e2f0af0f28776_JaffaCakes118.exe
  File created                  C:\Windows\SysWOW64\yumidimap.dll          2bd1fb53eaa50768839e2f0af0f28776_JaffaCakes118.exe
  File created                  C:\Windows\SysWOW64\dllcache\midimap.dll   2bd1fb53eaa50768839e2f0af0f28776_JaffaCakes118.exe
  File created                  C:\Windows\SysWOW64\dllcache\msimg32.dll   2bd1fb53eaa50768839e2f0af0f28776_JaffaCakes118.exe
  File created                  C:\Windows\SysWOW64\sysapp10.dll           2bd1fb53eaa50768839e2f0af0f28776_JaffaCakes118.exe
  File created                  C:\Windows\SysWOW64\dllcache\ksuser.dll    2bd1fb53eaa50768839e2f0af0f28776_JaffaCakes118.exe
Launches sc.exe 2 IoCs
  sc.exe is a Windows utility to control services on the system.
  PID   Process
  3020  sc.exe
  3036  sc.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs
  PID   Process                                              Events
  2356  2bd1fb53eaa50768839e2f0af0f28776_JaffaCakes118.exe   4

Suspicious use of SetWindowsHookEx 1 IoCs
  PID   Process
  2356  2bd1fb53eaa50768839e2f0af0f28776_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 23 IoCs
  Source PID  Source process                                       Target PID  Target process (from process tree)  procid_target  Events
  2356        2bd1fb53eaa50768839e2f0af0f28776_JaffaCakes118.exe   2964        net.exe                             30             4
  2356        2bd1fb53eaa50768839e2f0af0f28776_JaffaCakes118.exe   3020        sc.exe                              31             4
  2356        2bd1fb53eaa50768839e2f0af0f28776_JaffaCakes118.exe   3036        sc.exe                              32             4
  2964        net.exe                                              1644        net1.exe                            36             4
  2356        2bd1fb53eaa50768839e2f0af0f28776_JaffaCakes118.exe   2520        rundll32.exe                        37             7
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\2bd1fb53eaa50768839e2f0af0f28776_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2bd1fb53eaa50768839e2f0af0f28776_JaffaCakes118.exe"
  PID: 2356
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Level 2: C:\Windows\SysWOW64\net.exe
    Command line: net stop cryptsvc
    PID: 2964
    - Suspicious use of WriteProcessMemory
    Level 3: C:\Windows\SysWOW64\net1.exe
      Command line: C:\Windows\system32\net1 stop cryptsvc
      PID: 1644
  Level 2: C:\Windows\SysWOW64\sc.exe
    Command line: sc config cryptsvc start= disabled
    PID: 3020
    - Launches sc.exe
  Level 2: C:\Windows\SysWOW64\sc.exe
    Command line: sc delete cryptsvc
    PID: 3036
    - Launches sc.exe
  Level 2: C:\Windows\SysWOW64\rundll32.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\1720453282.dat, ServerMain c:\users\admin\appdata\local\temp\2bd1fb53eaa50768839e2f0af0f28776_jaffacakes118.exe
    PID: 2520
    - Deletes itself
    - Loads dropped DLL
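The process tree and the "Drops file in System32 directory" signature together describe three behaviours a detection engineer would want to catch from endpoint telemetry: one parent stopping, disabling and deleting the same service (cryptsvc) through net.exe and sc.exe; rundll32.exe loading a non-.dll module from the user's Temp directory and passing the parent executable's own path to the export; and system DLLs being written next to "yu"-prefixed files of the same name. The following is an added example written for this page, not code from tria.ge or from the sample. It replays constructed, Sysmon-style events whose PIDs, paths and command lines are copied from the report; the event field names (pid, parent_pid, image, cmdline) and the file-event tuple layout are this example's assumptions, and reading the DLL name pairs as "original renamed, replacement planted" is the example's interpretation rather than a statement the report makes.

```python
"""Detection logic for three behaviours recorded in this tria.ge report.
Added example, not tria.ge code. Event layout is this example's own
assumption, not a tria.ge or Sysmon schema; values come from the report."""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

_TMP = r"C:\Users\Admin\AppData\Local\Temp"
_SYS = r"C:\Windows\SysWOW64"
_EXE = _TMP + r"\2bd1fb53eaa50768839e2f0af0f28776_JaffaCakes118.exe"

# Constructed process-creation events modelled on the report's process tree.
PROCESS_EVENTS = [
    {"pid": 2356, "parent_pid": 1, "image": _EXE, "cmdline": '"%s"' % _EXE},
    {"pid": 2964, "parent_pid": 2356, "image": _SYS + r"\net.exe", "cmdline": "net stop cryptsvc"},
    {"pid": 1644, "parent_pid": 2964, "image": _SYS + r"\net1.exe",
     "cmdline": r"C:\Windows\system32\net1 stop cryptsvc"},
    {"pid": 3020, "parent_pid": 2356, "image": _SYS + r"\sc.exe", "cmdline": "sc config cryptsvc start= disabled"},
    {"pid": 3036, "parent_pid": 2356, "image": _SYS + r"\sc.exe", "cmdline": "sc delete cryptsvc"},
    {"pid": 2520, "parent_pid": 2356, "image": _SYS + r"\rundll32.exe",
     "cmdline": _TMP + r"\1720453282.dat, ServerMain " + _EXE.lower()},
]
# Constructed file events (pid, action, path) matching the report's drop list.
FILE_EVENTS = [(2356, "modified", _SYS + r"\yuksuser.dll")] + [
    (2356, "created", _SYS + "\\" + n) for n in (
        "ksuser.dll", "midimap.dll", "yumsimg32.dll", "msimg32.dll", "yuksuser.dll",
        "yumidimap.dll", r"dllcache\midimap.dll", r"dllcache\msimg32.dll",
        "sysapp10.dll", r"dllcache\ksuser.dll")]


def _basename(path):
    return PureWindowsPath(path).name.lower()


def service_tampering(events):
    """Sorted (parent_pid, service) pairs where one parent stopped, disabled
    and deleted the same service via net/net1 and sc."""
    actions = defaultdict(set)
    for ev in events:
        exe = _basename(ev["image"])
        toks = ev["cmdline"].replace('"', "").split()
        if len(toks) < 3:
            continue
        verb, target = toks[1].lower(), toks[2].lower()
        rest = " ".join(toks[3:]).lower()  # sc accepts "start= disabled" and "start=disabled"
        key = (ev["parent_pid"], target)
        if exe in ("net.exe", "net1.exe") and verb == "stop":
            actions[key].add("stop")
        elif exe == "sc.exe" and verb == "delete":
            actions[key].add("delete")
        elif exe == "sc.exe" and verb == "config" and re.search(r"start=\s*disabled", rest):
            actions[key].add("disable")
    return sorted(k for k, a in actions.items() if a >= {"stop", "disable", "delete"})


_RUNDLL = re.compile(r"^\s*(?P<module>[^,]+?)\s*,\s*(?P<export>\S+)(?P<args>.*)$")


def suspicious_rundll32(events):
    """(pid, module, export, names_parent) for rundll32 launches whose module
    is not a .dll or sits under a Temp directory; names_parent is True when
    the export's arguments contain the parent process's image path."""
    image_of = {ev["pid"]: ev["image"].lower() for ev in events}
    hits = []
    for ev in events:
        if _basename(ev["image"]) != "rundll32.exe":
            continue
        m = _RUNDLL.match(ev["cmdline"].replace('"', ""))
        if not m:
            continue
        module = m.group("module").strip()
        low = module.lower()
        if not low.endswith(".dll") or "\\temp\\" in low:
            parent = image_of.get(ev["parent_pid"], "")
            hits.append((ev["pid"], module, m.group("export"),
                         bool(parent) and parent in m.group("args").lower()))
    return hits


def renamed_dll_pairs(file_events):
    """Sorted (directory, name, longer_name) where a DLL and a longer file that
    ends in the same name were written to one directory, e.g. ksuser.dll next
    to yuksuser.dll. Treating this as a renamed original plus a planted
    replacement is this example's interpretation, not the report's."""
    by_dir = defaultdict(set)
    for _pid, _action, path in file_events:
        p = PureWindowsPath(path)
        by_dir[str(p.parent).lower()].add(p.name.lower())
    return sorted((d, n, o) for d, names in by_dir.items()
                  for n in names for o in names if o != n and o.endswith(n))


if __name__ == "__main__":
    print("service tampering:", service_tampering(PROCESS_EVENTS))
    print("rundll32:", suspicious_rundll32(PROCESS_EVENTS))
    print("dll pairs:", renamed_dll_pairs(FILE_EVENTS))
```

Each detector keys on the parent PID rather than on a single command line, because no one of "net stop", "sc config ... start= disabled" or "sc delete" is suspicious on its own; the combination from one parent against one service is. The net1.exe event registers a stop under parent 2964 only, so it does not create a second finding.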
Network
MITRE ATT&CK Enterprise v15
Downloads
  Filesize  41KB
  MD5       d239375a31f89dc6e0bcb23911182c30
  SHA1      13bdbce0d2ca4eca245e96d5b6793968c44d0889
  SHA256    8280227369f696e6f67f07b3379882f5e2b036c626f800f1c0e130e3f306e31a
  SHA512    bae8368ede5d7263b0a4e22b801f220cba5ed9858dd0e059c36039e466f1307e24ce78cf1ad91b094cf4e1f5aaf4bd4b173fc15186105410e443a6438d95d53f