Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 120s
- max time network: 125s
- platform: windows7_x64
- resource: win7-20240705-en
- resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
- submitted: 10/07/2024, 21:27
Static task
- static1
Behavioral task
- behavioral1
  Sample: 3673d5090b77a0b033da84545fda2f0f_JaffaCakes118.exe
  Resource: win7-20240705-en
Behavioral task
- behavioral2
  Sample: 3673d5090b77a0b033da84545fda2f0f_JaffaCakes118.exe
  Resource: win10v2004-20240709-en
General
- Target: 3673d5090b77a0b033da84545fda2f0f_JaffaCakes118.exe
- Size: 593KB
- MD5: 3673d5090b77a0b033da84545fda2f0f
- SHA1: 010d2e93a19af30eb6f17052abd855933edc4873
- SHA256: a6e63d38a8ebe09d0c09b45d7245137f1cdd0e7e9e978997814ea9bd6c33ee33
- SHA512: 05f91a2f9dc112b80bdca6db4ccc907041ad267812d9aa514d513c2d9673b9b4aed48699bf019d2dc95e7101bb9601334d6e17d4f77f7ba2fb85303f3c7349de
- SSDEEP: 12288:a39mSPuqDWEB1l9gvW01XM/f85jsz1+ruUA+lpOxuGzVg7I:ymS2savWoXEqsB+S+lUkGO7I
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid 2984 setup.exe
- Loads dropped DLL (6 IoCs)
  pid 2028 3673d5090b77a0b033da84545fda2f0f_JaffaCakes118.exe (4 events)
  pid 2532 MsiExec.exe (2 events)
- Blocklisted process makes network request (1 IoC)
  flow 3, pid 2252 msiexec.exe
- Enumerates connected drives (3 TTPs, 46 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) by msiexec.exe: \??\A:, \??\B:, \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z: (every drive letter except C:, D: and F:; each opened twice, 46 events in total)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid 2028 3673d5090b77a0b033da84545fda2f0f_JaffaCakes118.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid 2252 msiexec.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  pid 2252 msiexec.exe, tokens (several enabled more than once): SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
  pid 3040 msiexec.exe, tokens: SeRestorePrivilege, SeTakeOwnershipPrivilege, SeSecurityPrivilege
- Suspicious use of FindShellTrayWindow (1 IoC)
  pid 2252 msiexec.exe
- Suspicious use of WriteProcessMemory (21 IoCs)
  PID 2028 (3673d5090b77a0b033da84545fda2f0f_JaffaCakes118.exe) wrote to memory of PID 2984, procid_target 30 (7 events)
  PID 2984 (setup.exe) wrote to memory of PID 2252, procid_target 31 (7 events)
  PID 3040 (msiexec.exe) wrote to memory of PID 2532, procid_target 33 (7 events)
Processes
- "C:\Users\Admin\AppData\Local\Temp\3673d5090b77a0b033da84545fda2f0f_JaffaCakes118.exe" (PID 2028)
  Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  - "C:\Users\Admin\AppData\Local\Temp\luiCDBB.tmp\setup.exe" (PID 2984)
    Executes dropped EXE; Suspicious use of WriteProcessMemory
    - "C:\Windows\SysWOW64\msiexec.exe" -I "C:\Users\Admin\AppData\Local\Temp\luiCDBB.tmp\SP-Fantasy_Installer.msi" (PID 2252)
      Blocklisted process makes network request; Enumerates connected drives; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe /V (PID 3040)
  Enumerates connected drives; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\syswow64\MsiExec.exe -Embedding 7DFCA485B2D0A0A1EF29153C5F384D86 C (PID 2532)
    Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 222KB
  MD5: fb4ed24de182178cac3cd3870a4ba5b6
  SHA1: 38b168fbe97b72a5de5eaef16535ea1aed964e1b
  SHA256: 5070b4cdf7e2f95535f3340a3a0d9bce496478d0bd445b470dd67278a910c578
  SHA512: 03ffa685a28333cc7d8eb4a0fdd8c5dce85ca1126bcdefebda83a91586b98ae559d56074b943a6df0ec011eaa58b6841026ffb8b42e08b74351b0118011d3c9a
- Filesize: 524KB
  MD5: 149c5470d721e646952cea819487ff28
  SHA1: 5e6ee0a902135f80aea5adace0ea07c03cb82b4e
  SHA256: f8ca4710cf343b7afe9fd6003a8387374a709feb5929f7bc0ff54c5cea5148b7
  SHA512: a2cbf9418d207d8321050cbef4fde3900f9b857441f5e22f400a7eadc948c0ee421946e0208af5761ba34f6b2e58c52f7fe632a22cc487c261c577d4747b5cc4
- Filesize: 366KB
  MD5: b07a06446303767f1c8c26bc1ef83baf
  SHA1: 94aa8c6ddd5f6e96867e997f150c63ebf1fc0019
  SHA256: 349df2da098acb773284ebf50503cab096c949cf4bb63d75e96d75bed7937564
  SHA512: be1592432745c66e7c5eef56dd452ca32dd9e461eb7522cd3e58a2dde8f4341c46aa2fa44be1a72151e259dd2fd7cb246091040e05486a5ee5f042077dd234a4