Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
117s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
09/07/2024, 00:12 UTC
Behavioral task
behavioral1
Sample
2e54cc4048d90189f67eb165881b9078_JaffaCakes118.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
2e54cc4048d90189f67eb165881b9078_JaffaCakes118.exe
Resource
win10v2004-20240704-en
General
-
Target
2e54cc4048d90189f67eb165881b9078_JaffaCakes118.exe
-
Size
98KB
-
MD5
2e54cc4048d90189f67eb165881b9078
-
SHA1
ec661d97867d039cf2caf438e9bdcbce5ebf215d
-
SHA256
c4e4c92c95c9655a8473627d06696463824feb7e7eb956b772f597ede4a29e0e
-
SHA512
65bb3cd0329bc650deade336a53c4f2ac318245915614aa7da82d40aa0580252b9642aae6fc28c0c6d0f564eb8fbf86e6ed7c090190eacb032bb2a260734428e
-
SSDEEP
3072:FyXZfJF4pwOe9Pnc+m/ehnS6eNi1vCJwnkUc:F+JF4pwOmhhS6Fnk
Malware Config
Signatures
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2bf41070-b2b1-21d1-b5c1-0305f4055515} svcr.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2bf41070-b2b1-21d1-b5c1-0305f4055515}\StubPath = "C:\\windows\\svcr.exe" svcr.exe -
Executes dropped EXE 3 IoCs
pid Process 2196 svcr.exe 7564 clb_injector.exe 7632 svcr32.exe -
resource yara_rule behavioral1/memory/1908-0-0x0000000000400000-0x0000000000461000-memory.dmp upx behavioral1/memory/1908-1564-0x0000000000400000-0x0000000000461000-memory.dmp upx -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Windows\\svcr.exe" svcr32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Windows\\svcr.exe" svcr32.exe -
Drops file in Windows directory 6 IoCs
description ioc Process File created C:\Windows\clb_injector.exe 2e54cc4048d90189f67eb165881b9078_JaffaCakes118.exe File created C:\Windows\svcr.exe clb_injector.exe File created C:\Windows\svcr32.exe clb_injector.exe File opened for modification C:\Windows\svcr.exe svcr32.exe File created C:\Windows\svcr.exe svcr32.exe File created C:\Windows\svcr.exe 2e54cc4048d90189f67eb165881b9078_JaffaCakes118.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2196 svcr.exe 7632 svcr32.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2196 svcr.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1908 wrote to memory of 2196 1908 2e54cc4048d90189f67eb165881b9078_JaffaCakes118.exe 30 PID 1908 wrote to memory of 2196 1908 2e54cc4048d90189f67eb165881b9078_JaffaCakes118.exe 30 PID 1908 wrote to memory of 2196 1908 2e54cc4048d90189f67eb165881b9078_JaffaCakes118.exe 30 PID 1908 wrote to memory of 2196 1908 2e54cc4048d90189f67eb165881b9078_JaffaCakes118.exe 30 PID 2196 wrote to memory of 1192 2196 svcr.exe 21 PID 2196 wrote to memory of 1192 2196 svcr.exe 21 PID 2196 wrote to memory of 1192 2196 svcr.exe 21 PID 2196 wrote to memory of 1192 2196 svcr.exe 21 PID 2196 wrote to memory of 1192 2196 svcr.exe 21 PID 2196 wrote to memory of 1192 2196 svcr.exe 21 PID 2196 wrote to memory of 1192 2196 svcr.exe 21 PID 2196 wrote to memory of 1192 2196 svcr.exe 21 PID 2196 wrote to memory of 1192 2196 svcr.exe 21 PID 2196 wrote to memory of 1192 2196 svcr.exe 21 PID 2196 wrote to memory of 1192 2196 svcr.exe 21 PID 2196 wrote to memory of 1192 2196 svcr.exe 21 PID 2196 wrote to memory of 1192 2196 svcr.exe 21 PID 2196 wrote to memory of 1192 2196 svcr.exe 21 PID 2196 wrote to memory of 1192 2196 svcr.exe 21 PID 2196 wrote to memory of 1192 2196 svcr.exe 21 PID 2196 wrote to memory of 1192 2196 svcr.exe 21 PID 2196 wrote to memory of 1192 2196 svcr.exe 21 PID 2196 wrote to memory of 1192 2196 svcr.exe 21 PID 2196 wrote to memory of 1192 2196 svcr.exe 21 PID 2196 wrote to memory of 1192 2196 svcr.exe 21 PID 2196 wrote to memory of 1192 2196 svcr.exe 21 PID 2196 wrote to memory of 1192 2196 svcr.exe 21 PID 2196 wrote to memory of 1192 2196 svcr.exe 21 PID 2196 wrote to memory of 1192 2196 svcr.exe 21 PID 2196 wrote to memory of 1192 2196 svcr.exe 21 PID 2196 wrote to memory of 1192 2196 svcr.exe 21 PID 2196 wrote to memory of 1192 2196 svcr.exe 21 PID 2196 wrote to memory of 1192 2196 svcr.exe 21 PID 2196 wrote to memory of 1192 2196 svcr.exe 21 PID 2196 wrote to memory of 1192 2196 svcr.exe 21 PID 2196 wrote to memory of 1192 2196 svcr.exe 21 PID 2196 wrote to memory of 1192 2196 svcr.exe 21 PID 2196 wrote to memory of 1192 2196 svcr.exe 21 PID 2196 wrote to memory of 1192 2196 svcr.exe 21 PID 2196 wrote to memory of 1192 2196 svcr.exe 21 PID 2196 wrote to memory of 1192 2196 svcr.exe 21 PID 2196 wrote to memory of 1192 2196 svcr.exe 21 PID 2196 wrote to memory of 1192 2196 svcr.exe 21 PID 2196 wrote to memory of 1192 2196 svcr.exe 21 PID 2196 wrote to memory of 1192 2196 svcr.exe 21 PID 2196 wrote to memory of 1192 2196 svcr.exe 21 PID 2196 wrote to memory of 1192 2196 svcr.exe 21 PID 2196 wrote to memory of 1192 2196 svcr.exe 21 PID 2196 wrote to memory of 1192 2196 svcr.exe 21 PID 2196 wrote to memory of 1192 2196 svcr.exe 21 PID 2196 wrote to memory of 1192 2196 svcr.exe 21 PID 2196 wrote to memory of 1192 2196 svcr.exe 21 PID 2196 wrote to memory of 1192 2196 svcr.exe 21 PID 2196 wrote to memory of 1192 2196 svcr.exe 21 PID 2196 wrote to memory of 1192 2196 svcr.exe 21 PID 2196 wrote to memory of 1192 2196 svcr.exe 21 PID 2196 wrote to memory of 1192 2196 svcr.exe 21 PID 2196 wrote to memory of 1192 2196 svcr.exe 21 PID 2196 wrote to memory of 1192 2196 svcr.exe 21 PID 2196 wrote to memory of 1192 2196 svcr.exe 21 PID 2196 wrote to memory of 1192 2196 svcr.exe 21 PID 2196 wrote to memory of 1192 2196 svcr.exe 21 PID 2196 wrote to memory of 1192 2196 svcr.exe 21 PID 2196 wrote to memory of 1192 2196 svcr.exe 21
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:1192
-
C:\Users\Admin\AppData\Local\Temp\2e54cc4048d90189f67eb165881b9078_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\2e54cc4048d90189f67eb165881b9078_JaffaCakes118.exe"2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1908 -
C:\Windows\svcr.exe"C:\Windows\svcr.exe"3⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2196
-
-
C:\Windows\clb_injector.exe"C:\Windows\clb_injector.exe"3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:7564 -
C:\Windows\svcr32.exe"C:\Windows\svcr32.exe"4⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:7632
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
153KB
MD594c7acc59d8965d53f427f9ab9cad052
SHA19812a93676232d07638bcbab87694294c2e55ade
SHA256797b0dfbbd2fcf0b621c576647bd4c2396352ec5baab261f3c409d75fca14341
SHA512dccb40b90e7d16865228575a4747ba1946fb30226cad63b9bcb388bdb526d64b965d2e4698ecef83d241519a9fd8effff6d176139ec4a6185f967f557bf1547d
-
Filesize
134KB
MD5854db12fdc28dfe712aa9005f8039341
SHA19d0ee1d9e3d35a0bf607efa172de155202ef9404
SHA256c31cd269c069f2ec235e979175e6f24af0fa44ba4bdbea1a938ee4a52ec4258d
SHA5123ee61806ca88ef720604e5985c3d52c43770b5a75b7a833102176ff1f79753b12547368f888b62d8599673058c007f143ffcd3eda0d8c841227eeaf49276444c