Analysis
max time kernel: 124s
max time network: 118s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 08/07/2024, 19:28
Behavioral task: behavioral1
Sample: 2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe
Resource: win7-20240705-en
General
Target: 2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe
Size: 175KB
MD5: 2d8d1633510a9eb0b8495953e2697461
SHA1: cb6f307755eb5130b7b4e092057ea7a0d934726f
SHA256: 7fa993c16abce154e66fedcc34a1cc425bbd6fb415b18ea62a42c816612f25ed
SHA512: da83f74629794e9ff71f7bece9b5b6d00bb0d5467083368af92140fe11225a369a547e8c122aa0fffe896d77db7db8bf6b1ad6f41fb08315103bdc016c07c6cd
SSDEEP: 3072:9hr1wTT9cHlar+puWV8KsB7dIjxFlihpL3LPje6Per9qMCD6zJK2Uc1jXsZwe6zp:9hWn9FrRo8KiSjxu1LPjerx9JzVUcheQ
Malware Config
Signatures

resource | yara_rule
behavioral1/memory/1980-0-0x0000000000400000-0x000000000046D000-memory.dmp | upx
behavioral1/memory/1980-81-0x0000000000400000-0x000000000046D000-memory.dmp | upx
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.

description | ioc | Process
File opened (read-only) | \??\E: | 2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe
File opened (read-only) | \??\H: | 2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe
File opened (read-only) | \??\N: | 2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe
File opened (read-only) | \??\O: | 2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe
File opened (read-only) | \??\S: | 2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe
File opened (read-only) | \??\T: | 2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe
File opened (read-only) | \??\V: | 2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe
File opened (read-only) | \??\W: | 2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe
File opened (read-only) | \??\Y: | 2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe
File opened (read-only) | \??\G: | 2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe
File opened (read-only) | \??\L: | 2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe
File opened (read-only) | \??\P: | 2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe
File opened (read-only) | \??\Q: | 2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe
File opened (read-only) | \??\R: | 2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe
File opened (read-only) | \??\U: | 2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe
File opened (read-only) | \??\I: | 2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe
File opened (read-only) | \??\M: | 2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe
File opened (read-only) | \??\J: | 2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe
File opened (read-only) | \??\K: | 2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe
File opened (read-only) | \??\X: | 2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe
File opened (read-only) | \??\Z: | 2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe
Drops file in System32 directory (21 IoCs)

description | ioc | Process
File opened for modification | \??\c:\windows\SysWOW64\svchost.exe | 2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe
File opened for modification | \??\c:\windows\SysWOW64\alg.exe | 2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe
File created | \??\c:\windows\SysWOW64\dllhost.vir | 2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe
File opened for modification | \??\c:\windows\SysWOW64\fxssvc.exe | 2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe
File created | \??\c:\windows\SysWOW64\msiexec.vir | 2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe
File opened for modification | \??\c:\windows\SysWOW64\vds.exe | 2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe
File opened for modification | \??\c:\windows\SysWOW64\dllhost.exe | 2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe
File opened for modification | \??\c:\windows\syswow64\perfhost.exe | 2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe
File opened for modification | \??\c:\windows\SysWOW64\snmptrap.exe | 2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe
File opened for modification | \??\c:\windows\SysWOW64\searchindexer.exe | 2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe
File opened for modification | \??\c:\windows\SysWOW64\vssvc.exe | 2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe
File created | \??\c:\windows\SysWOW64\searchindexer.vir | 2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe
File created | \??\c:\windows\SysWOW64\svchost.vir | 2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe
File opened for modification | \??\c:\windows\SysWOW64\lsass.exe | 2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe
File opened for modification | \??\c:\windows\SysWOW64\ieetwcollector.exe | 2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe
File opened for modification | \??\c:\windows\SysWOW64\msdtc.exe | 2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe
File opened for modification | \??\c:\windows\SysWOW64\locator.exe | 2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe
File opened for modification | \??\c:\windows\SysWOW64\ui0detect.exe | 2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe
File opened for modification | \??\c:\windows\SysWOW64\msiexec.exe | 2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe
File opened for modification | \??\c:\windows\SysWOW64\wbengine.exe | 2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe
File opened for modification | \??\c:\windows\SysWOW64\wbem\wmiApsrv.exe | 2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe
Drops file in Program Files directory (7 IoCs)

description | ioc | Process
File opened for modification | \??\c:\program files (x86)\microsoft office\office14\groove.exe | 2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe
File opened for modification | \??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe | 2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe
File opened for modification | \??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe | 2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe
File opened for modification | \??\c:\program files\windows media player\wmpnetwk.exe | 2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe
File opened for modification | C:\Program Files\Internet Explorer\iexplore.exe | 2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe
File opened for modification | \??\c:\program files\google\chrome\Application\106.0.5249.119\elevation_service.exe | 2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe
File opened for modification | \??\c:\program files (x86)\google\update\googleupdate.exe | 2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe
Drops file in Windows directory (12 IoCs)

description | ioc | Process
File opened for modification | \??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe | 2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe
File opened for modification | \??\c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe | 2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe
File opened for modification | \??\c:\windows\ehome\ehrecvr.exe | 2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe
File created | C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{7408749F-A7C2-45DB-BBB0-C098A0236B12}.crmlog | dllhost.exe
File opened for modification | \??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe | 2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe
File opened for modification | \??\c:\windows\microsoft.net\framework64\v3.0\windows communication foundation\infocard.exe | 2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe
File opened for modification | \??\c:\windows\servicing\trustedinstaller.exe | 2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe
File opened for modification | \??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe | 2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe
File opened for modification | \??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe | 2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe
File opened for modification | \??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe | 2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe
File opened for modification | C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{7408749F-A7C2-45DB-BBB0-C098A0236B12}.crmlog | dllhost.exe
File opened for modification | \??\c:\windows\ehome\ehsched.exe | 2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe
Modifies data under HKEY_USERS (3 IoCs)

description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | SearchIndexer.exe
Suspicious use of AdjustPrivilegeToken (7 IoCs)

description | pid | Process
Token: SeTakeOwnershipPrivilege | 1980 | 2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe
Token: SeRestorePrivilege | 2752 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2752 | msiexec.exe
Token: SeSecurityPrivilege | 2752 | msiexec.exe
Token: SeManageVolumePrivilege | 3064 | SearchIndexer.exe
Token: 33 | 3064 | SearchIndexer.exe
Token: SeIncBasePriorityPrivilege | 3064 | SearchIndexer.exe
Suspicious use of SetWindowsHookEx (4 IoCs)

pid | Process
1100 | SearchProtocolHost.exe
1100 | SearchProtocolHost.exe
1100 | SearchProtocolHost.exe
1100 | SearchProtocolHost.exe
Suspicious use of WriteProcessMemory (9 IoCs)

description | pid | Process | procid_target
PID 3064 wrote to memory of 1100 | 3064 | SearchIndexer.exe | 34
PID 3064 wrote to memory of 1100 | 3064 | SearchIndexer.exe | 34
PID 3064 wrote to memory of 1100 | 3064 | SearchIndexer.exe | 34
PID 3064 wrote to memory of 2856 | 3064 | SearchIndexer.exe | 35
PID 3064 wrote to memory of 2856 | 3064 | SearchIndexer.exe | 35
PID 3064 wrote to memory of 2856 | 3064 | SearchIndexer.exe | 35
PID 3064 wrote to memory of 780 | 3064 | SearchIndexer.exe | 36
PID 3064 wrote to memory of 780 | 3064 | SearchIndexer.exe | 36
PID 3064 wrote to memory of 780 | 3064 | SearchIndexer.exe | 36
Processes

C:\Users\Admin\AppData\Local\Temp\2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe"
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 1980

C:\Windows\system32\dllhost.exe
  C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
  - Drops file in Windows directory
  PID: 2080

C:\Windows\system32\msiexec.exe
  C:\Windows\system32\msiexec.exe /V
  - Suspicious use of AdjustPrivilegeToken
  PID: 2752

C:\Windows\system32\SearchIndexer.exe
  C:\Windows\system32\SearchIndexer.exe /Embedding
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3064

    C:\Windows\system32\SearchProtocolHost.exe
      "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
      - Suspicious use of SetWindowsHookEx
      PID: 1100

    C:\Windows\system32\SearchFilterHost.exe
      "C:\Windows\system32\SearchFilterHost.exe" 0 508 512 520 65536 516
      PID: 2856

    C:\Windows\system32\SearchFilterHost.exe
      "C:\Windows\system32\SearchFilterHost.exe" 0 508 512 520 65536 516
      PID: 780
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1024KB
MD5: 7b6ac66ede0afe071d47aa1261ee90ba
SHA1: 2bc61e836bcb3f445d8ac6c2d5d65092a9799be9
SHA256: 1d336c28b20e2f446d109ed833cd3aa4ceb3142f97d67466b357c7640b51e9b1
SHA512: 445e79371c2d4707a8e2c7d2c5d19d08779957f9c0dd9ee8223ae1df78cc123ed33ed73ff067ab77464f489ca36fa8201069351e811f3b90aa7ca47fb84766ef