Analysis
- max time kernel: 143s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 10/07/2024, 00:03
Static task
- static1
Behavioral task
- behavioral1
  - Sample: 32880b095d8152d486a3de42cbd65d35_JaffaCakes118.exe
  - Resource: win7-20240704-en
Behavioral task
- behavioral2
  - Sample: 32880b095d8152d486a3de42cbd65d35_JaffaCakes118.exe
  - Resource: win10v2004-20240709-en
General
- Target: 32880b095d8152d486a3de42cbd65d35_JaffaCakes118.exe
- Size: 1.1MB
- MD5: 32880b095d8152d486a3de42cbd65d35
- SHA1: 248a3c0787fda926ef4bc03110901b9fcbf69ac7
- SHA256: ca74653b78a425c49ba25d0ed0e979dd28e401fefbb4f8ebf8de6cd5294b48ed
- SHA512: a7f481dfda74fedde936b89a960aaf3f97fedef9c960a37bda53f68c2acaf362f6b8c18e6f02f3d0e1eb7dbd7271c0ba751a33db7de93db54118f47eb93c550f
- SSDEEP: 12288:aRVBjal9FDNtJdk88+xx0DqXJkwB0ogFnpo+1HyzxpuZUK/ubz9K7AD2/ah0mChq:qXj2ftP6yS61LCRm4Mb401EhZbcgKUb+
Malware Config
Signatures
- Executes dropped EXE (3 IoCs)
  pid | Process
  2068 | install.exe
  2316 | trade hack v1825.exe
  2128 | isass.exe
- Loads dropped DLL (16 IoCs)
  pid | Process | hits
  332 | 32880b095d8152d486a3de42cbd65d35_JaffaCakes118.exe | 1
  2068 | install.exe | 7
  2316 | trade hack v1825.exe | 4
  2128 | isass.exe | 4
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Users\\Admin\\AppData\\Local\\isass.exe \"" | reg.exe
- Modifies registry key (1 TTP, 1 IoC)
  pid | Process
  2848 | reg.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  2068 | install.exe
  2128 | isass.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description | pid | Process | hits
  Token: SeIncBasePriorityPrivilege | 2068 | install.exe | 3
  Token: SeIncBasePriorityPrivilege | 2128 | isass.exe | 1
- Suspicious use of SetWindowsHookEx (3 IoCs)
  pid | Process | hits
  2316 | trade hack v1825.exe | 2
  2128 | isass.exe | 1
- Suspicious use of WriteProcessMemory (42 IoCs)
  description | pid | Process | procid_target | hits
  PID 332 wrote to memory of 2068 | 332 | 32880b095d8152d486a3de42cbd65d35_JaffaCakes118.exe | 31 | 7
  PID 2068 wrote to memory of 2128 | 2068 | install.exe | 32 | 7
  PID 2068 wrote to memory of 2316 | 2068 | install.exe | 33 | 7
  PID 2128 wrote to memory of 2692 | 2128 | isass.exe | 34 | 7
  PID 2692 wrote to memory of 2676 | 2692 | cmd.exe | 36 | 7
  PID 2676 wrote to memory of 2848 | 2676 | cmd.exe | 37 | 7
Processes
- C:\Users\Admin\AppData\Local\Temp\32880b095d8152d486a3de42cbd65d35_JaffaCakes118.exe (PID 332)
  Command line: "C:\Users\Admin\AppData\Local\Temp\32880b095d8152d486a3de42cbd65d35_JaffaCakes118.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\install.exe (PID 2068)
    Command line: C:\Users\Admin\AppData\Local\Temp\install.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\isass.exe (PID 2128)
      Command line: C:\Users\Admin\AppData\Local\isass.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\cmd.exe (PID 2692)
        Command line: cmd /c setup.bat
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\cmd.exe (PID 2676)
          Command line: cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V lsass /D "\"C:\Users\Admin\AppData\Local\isass.exe \"" /f
          - Suspicious use of WriteProcessMemory
          - C:\Windows\SysWOW64\reg.exe (PID 2848)
            Command line: REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V lsass /D "\"C:\Users\Admin\AppData\Local\isass.exe \"" /f
            - Adds Run key to start application
            - Modifies registry key
    - C:\Users\Admin\AppData\Local\trade hack v1825.exe (PID 2316)
      Command line: "C:\Users\Admin\AppData\Local\trade hack v1825.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads