Analysis
- max time kernel: 28s
- max time network: 18s
- platform: windows7_x64
- resource: win7-20240705-en
- resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
- submitted: 10/07/2024, 09:13
Static task
- static1
Behavioral task
- behavioral1
  - Sample: 341b77aef07a6db7a0a4435d14f116fe_JaffaCakes118.exe
  - Resource: win7-20240705-en
Behavioral task
- behavioral2
  - Sample: 341b77aef07a6db7a0a4435d14f116fe_JaffaCakes118.exe
  - Resource: win10v2004-20240709-en
General
- Target: 341b77aef07a6db7a0a4435d14f116fe_JaffaCakes118.exe
- Size: 692KB
- MD5: 341b77aef07a6db7a0a4435d14f116fe
- SHA1: 8aa6a8878963ee3cf88a0dcd4b6c319f4dd41935
- SHA256: 4052813833a832623f0954f57ddc69290c9444ad1d58fb634531dc36dc3bb92c
- SHA512: 37e83bfe6fe0e12984e8caf8dc4ec16f27e623c1734a2530608725cc39227f0fece374471144a40d24b7ec6529b71fb44858806169b619b46bc0453501c649d1
- SSDEEP: 12288:yYhVRuOgn9xe/ZYjQ8Sme0uAnGj97gLfjYnIqZJ9XaXCIdjLaxWQnM82:3R4n9xs2c0Nw0XxqZzQpxeA
Malware Config
Signatures
- Adds policy Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | audioadg.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\audioadg.exe" | audioadg.exe
- Executes dropped EXE (3 IoCs)
  pid | Process
  1160 | audioadg.exe
  2504 | Wmiprwsd.exe
  2220 | Wmiprwsd.exe
- Loads dropped DLL (4 IoCs)
  pid | Process
  1708 | 341b77aef07a6db7a0a4435d14f116fe_JaffaCakes118.exe
  1160 | audioadg.exe
  1160 | audioadg.exe
  2504 | Wmiprwsd.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\audioadg.exe" | audioadg.exe
- Suspicious use of SetThreadContext (1 IoCs)
  description | pid | Process | procid_target
  PID 2504 set thread context of 2220 | 2504 | Wmiprwsd.exe | 34
- Suspicious behavior: EnumeratesProcesses (60 IoCs)
  pid | Process (60 hits in total; the per-hit list repeats these three entries)
  1708 | 341b77aef07a6db7a0a4435d14f116fe_JaffaCakes118.exe
  1160 | audioadg.exe
  2504 | Wmiprwsd.exe
- Suspicious use of AdjustPrivilegeToken (26 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 1708 | 341b77aef07a6db7a0a4435d14f116fe_JaffaCakes118.exe
  Token: SeDebugPrivilege | 1160 | audioadg.exe
  Token: SeDebugPrivilege | 2504 | Wmiprwsd.exe
  Token: SeIncreaseQuotaPrivilege | 2220 | Wmiprwsd.exe
  Token: SeSecurityPrivilege | 2220 | Wmiprwsd.exe
  Token: SeTakeOwnershipPrivilege | 2220 | Wmiprwsd.exe
  Token: SeLoadDriverPrivilege | 2220 | Wmiprwsd.exe
  Token: SeSystemProfilePrivilege | 2220 | Wmiprwsd.exe
  Token: SeSystemtimePrivilege | 2220 | Wmiprwsd.exe
  Token: SeProfSingleProcessPrivilege | 2220 | Wmiprwsd.exe
  Token: SeIncBasePriorityPrivilege | 2220 | Wmiprwsd.exe
  Token: SeCreatePagefilePrivilege | 2220 | Wmiprwsd.exe
  Token: SeBackupPrivilege | 2220 | Wmiprwsd.exe
  Token: SeRestorePrivilege | 2220 | Wmiprwsd.exe
  Token: SeShutdownPrivilege | 2220 | Wmiprwsd.exe
  Token: SeDebugPrivilege | 2220 | Wmiprwsd.exe
  Token: SeSystemEnvironmentPrivilege | 2220 | Wmiprwsd.exe
  Token: SeChangeNotifyPrivilege | 2220 | Wmiprwsd.exe
  Token: SeRemoteShutdownPrivilege | 2220 | Wmiprwsd.exe
  Token: SeUndockPrivilege | 2220 | Wmiprwsd.exe
  Token: SeManageVolumePrivilege | 2220 | Wmiprwsd.exe
  Token: SeImpersonatePrivilege | 2220 | Wmiprwsd.exe
  Token: SeCreateGlobalPrivilege | 2220 | Wmiprwsd.exe
  Token: 33 | 2220 | Wmiprwsd.exe
  Token: 34 | 2220 | Wmiprwsd.exe
  Token: 35 | 2220 | Wmiprwsd.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  pid | Process
  2220 | Wmiprwsd.exe
- Suspicious use of WriteProcessMemory (25 IoCs)
  description | pid | Process | procid_target | occurrences
  PID 1708 wrote to memory of 1744 | 1708 | 341b77aef07a6db7a0a4435d14f116fe_JaffaCakes118.exe | 30 | 4
  PID 1708 wrote to memory of 1160 | 1708 | 341b77aef07a6db7a0a4435d14f116fe_JaffaCakes118.exe | 31 | 4
  PID 1160 wrote to memory of 2504 | 1160 | audioadg.exe | 32 | 4
  PID 2504 wrote to memory of 2220 | 2504 | Wmiprwsd.exe | 34 | 13
Processes
- C:\Users\Admin\AppData\Local\Temp\341b77aef07a6db7a0a4435d14f116fe_JaffaCakes118.exe (depth 1, PID: 1708)
  Command line: "C:\Users\Admin\AppData\Local\Temp\341b77aef07a6db7a0a4435d14f116fe_JaffaCakes118.exe"
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\341b77aef07a6db7a0a4435d14f116fe_JaffaCakes118.exe (depth 2, PID: 1744)
    Command line: C:\Users\Admin\AppData\Local\Temp\341b77aef07a6db7a0a4435d14f116fe_JaffaCakes118.exe
  - C:\Users\Admin\AppData\Local\Temp\System\audioadg.exe (depth 2, PID: 1160)
    Command line: C:\Users\Admin\AppData\Local\Temp\System\audioadg.exe
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\System\Wmiprwsd.exe (depth 3, PID: 2504)
      Command line: C:\Users\Admin\AppData\Local\Temp\System\Wmiprwsd.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\System\Wmiprwsd.exe (depth 4, PID: 2220)
        Command line: C:\Users\Admin\AppData\Local\Temp\System\Wmiprwsd.exe
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
Downloads
- Filesize: 692KB
  MD5: 341b77aef07a6db7a0a4435d14f116fe
  SHA1: 8aa6a8878963ee3cf88a0dcd4b6c319f4dd41935
  SHA256: 4052813833a832623f0954f57ddc69290c9444ad1d58fb634531dc36dc3bb92c
  SHA512: 37e83bfe6fe0e12984e8caf8dc4ec16f27e623c1734a2530608725cc39227f0fece374471144a40d24b7ec6529b71fb44858806169b619b46bc0453501c649d1
- Filesize: 8KB
  MD5: 6ac73d462625d27d9f0f599ca1190dea
  SHA1: 746cbcaf898421e361baa72ac5400d6e5d6ef732
  SHA256: fa35e4d655c8d1eefd9d4bacab0f6d932bd061e23c49503af747161248307f0c
  SHA512: 5789644e331955e2363fd45e45a49bb4266b01ab772d503a8324e4d126ddb2e244297462030a4c63c0088551ef6cac94fa460e4f7ce9f844757afdca4a5d4601