Analysis

max time kernel: 147s
max time network: 122s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 10/07/2024, 16:20
Static task: static1

Behavioral task: behavioral1
  Sample: 357a71bc43621cd13d8019d8eab8321e_JaffaCakes118.exe
  Resource: win7-20240708-en

Behavioral task: behavioral2
  Sample: 357a71bc43621cd13d8019d8eab8321e_JaffaCakes118.exe
  Resource: win10v2004-20240709-en
General

Target: 357a71bc43621cd13d8019d8eab8321e_JaffaCakes118.exe
Size: 147KB
MD5: 357a71bc43621cd13d8019d8eab8321e
SHA1: 7ba961decbab63775e375fe476d2678caebee4fd
SHA256: c05aaf0cb3982fac7c2fc589bc9504e1ad660294a5bf2a9e3b9b2717416c8602
SHA512: 6943b1aca8fd0c93a787ec8b3e781984436f1463cc3e7dde81667666569cb66b9b896b255553eee36c7bc82fabeb900fbb89fcbd1c7950d64accc5ffc2cc1846
SSDEEP: 3072:tOCn1rixFxB2MtsHQvjcPs1+nKYkdoqrhyK4gPVQDr9IF2q27iR1+aJe1mgawzx+:tOCn1rifm+sujcPsInKTtPVQGF2q2OR5
Malware Config: none extracted for this sample.
Signatures

Drops file in Drivers directory (1 IoC)
  File opened for modification  C:\Windows\System32\drivers\etc\hosts  (tsrv.exe)
  The report records only that the hosts file was opened for writing, not what was written to it.

Event Triggered Execution: AppInit DLLs (1 TTP)
  Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.

Executes dropped EXE (1 IoC)
  PID 2660  tsrv.exe

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\tsrv = "C:\\Windows\\tsrv.exe s"  (tsrv.exe)
  The Wow6432Node key and the SysWOW64 drops below show that the sample is a 32-bit binary running under WOW64 on the x64 image; on a 32-bit host the same value would land under the non-Wow6432Node Run key.

Drops file in System32 directory (4 IoCs)
  File created                  C:\Windows\SysWOW64\msji449c14b7.dll  (tsrv.exe)
  File created                  C:\Windows\SysWOW64\cmut449c14b7.dll  (tsrv.exe)
  File created                  C:\Windows\SysWOW64\hpzl449c14b7.exe  (tsrv.exe)
  File opened for modification  C:\Windows\SysWOW64\4CD8.tmp          (tsrv.exe)

Drops file in Windows directory (5 IoCs)
  File created                  C:\Windows\tsrv.s    (tsrv.exe)
  File created                  C:\Windows\tsrv.exe  (357a71bc43621cd13d8019d8eab8321e_JaffaCakes118.exe)
  File opened for modification  C:\Windows\tsrv.exe  (357a71bc43621cd13d8019d8eab8321e_JaffaCakes118.exe)
  File created                  C:\Windows\tsrv.dll  (tsrv.exe)
  File opened for modification  C:\Windows\tsrv.wax  (tsrv.exe)

Opens file in notepad (likely ransom note) (1 IoC)
  PID 2756  notepad.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  PID 2660  tsrv.exe

Suspicious use of WriteProcessMemory (8 IoCs)
  PID 2644 (357a71bc43621cd13d8019d8eab8321e_JaffaCakes118.exe) wrote to memory of PID 2660, procid_target 30  (4 events)
  PID 2644 (357a71bc43621cd13d8019d8eab8321e_JaffaCakes118.exe) wrote to memory of PID 2756, procid_target 31  (4 events)
  All eight writes go from the original sample to the two processes it has just spawned (see the process tree). Ordinary process creation produces the same parent-to-child write pattern, so this signature is not by itself evidence of code injection.
Processes

1. C:\Users\Admin\AppData\Local\Temp\357a71bc43621cd13d8019d8eab8321e_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\357a71bc43621cd13d8019d8eab8321e_JaffaCakes118.exe"
   PID: 2644
   - Drops file in Windows directory
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\tsrv.exe
      Command line: C:\Windows\tsrv.exe s
      PID: 2660
      - Drops file in Drivers directory
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx

   2. C:\Windows\SysWOW64\notepad.exe
      Command line: C:\Windows\System32\notepad.exe C:\Users\Admin\AppData\Local\Temp\252D.tmp
      PID: 2756
      - Opens file in notepad (likely ransom note)

The notepad command line names System32\notepad.exe but the image that actually ran is SysWOW64\notepad.exe: the 32-bit parent's path was redirected by WOW64 file system redirection. The contents of 252D.tmp are not shown in this report.
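The IoCs above translate directly into host-triage checks. The following Python is an added example written for this page; it is not tria.ge's code and nothing in it was recovered from the sample. It parses `reg query` output, the hosts file and a file listing and reports matches against the report's indicators. The inputs at the bottom are constructed stand-ins for real host data. Three things are my assumptions rather than facts from the report: the 8-hex-digit suffix on the SysWOW64 file names is treated as varying per build so the three prefixes are matched loosely; an autostart binary placed directly in C:\Windows is flagged as a heuristic; and the AppInit_DLLs sample value (`example_hook.dll`) is invented, because the report does not say which DLL, if any, was registered.

```python
"""Host-triage checks built from the IoCs in the tria.ge report above.
Added example for this page, not tria.ge's code and not recovered from the
sample. The inputs at the bottom are constructed stand-ins for `reg query`
output, the hosts file and a file listing; on a real host feed in real data."""
import re

# IoCs copied from the report.
RUN_VALUE = "tsrv"
RUN_DATA = r"C:\Windows\tsrv.exe s"
DROPPED_FILES = {
    r"C:\Windows\tsrv.exe", r"C:\Windows\tsrv.dll", r"C:\Windows\tsrv.s",
    r"C:\Windows\tsrv.wax", r"C:\Windows\SysWOW64\msji449c14b7.dll",
    r"C:\Windows\SysWOW64\cmut449c14b7.dll", r"C:\Windows\SysWOW64\hpzl449c14b7.exe",
}
# Assumption (not established by the report): the 8-hex-digit suffix varies
# per build, so the three prefixes are also matched with any such suffix.
DROPPED_PATTERN = re.compile(r"\\SysWOW64\\(msji|cmut|hpzl)[0-9a-f]{8}\.(dll|exe)$", re.I)
# Heuristic (my own): an autostart binary directly in C:\Windows rather than
# in a subdirectory is unusual for legitimate software.
WINDOWS_ROOT_EXE = re.compile(r'^"?([a-z]:\\windows\\[^\\"\s]+\.exe)"?', re.I)
DEFAULT_HOSTS = {("127.0.0.1", "localhost"), ("::1", "localhost")}


def parse_reg_query(text):
    """Turn `reg query <key>` output into {value_name: (type, data)}."""
    values = {}
    for line in text.splitlines():
        if not line.startswith(" "):      # the key-path line is not indented
            continue
        parts = re.split(r"\s{4,}", line.strip())   # reg.exe pads with 4 spaces
        if len(parts) == 3 and parts[1].startswith("REG_"):
            values[parts[0]] = (parts[1], parts[2])
    return values


def check_run_key(reg_text):
    """Findings for a Run key dump as (value name, data, reasons)."""
    findings = []
    for name, (_, data) in parse_reg_query(reg_text).items():
        reasons = []
        if name.lower() == RUN_VALUE and data.lower() == RUN_DATA.lower():
            reasons.append("exact Run-key IoC from the report")
        if WINDOWS_ROOT_EXE.match(data):
            reasons.append("autostart binary lives directly in C:\\Windows")
        if reasons:
            findings.append((name, data, reasons))
    return findings


def check_appinit(reg_text):
    """AppInit DLLs: DLLs pushed into every process that loads user32.dll.
    Returns them only when LoadAppInit_DLLs is actually switched on."""
    values = parse_reg_query(reg_text)
    dlls = values.get("AppInit_DLLs", ("", ""))[1].strip()
    enabled = values.get("LoadAppInit_DLLs", ("", "0x0"))[1]
    if dlls and int(enabled, 16) == 1:
        return [d for d in re.split(r"[ ,;]+", dlls) if d]
    return []


def parse_hosts(text):
    """(ip, hostname) pairs from a hosts file, comments stripped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            ip, *names = line.split()
            entries.extend((ip, n.lower()) for n in names)
    return entries


def suspicious_hosts_entries(text):
    """Everything beyond the stock localhost lines: the report only says the
    file was opened for writing, not what was written, so list it all."""
    return [e for e in parse_hosts(text) if e not in DEFAULT_HOSTS]


def match_dropped_files(listing):
    """Paths matching the dropped-file IoCs exactly or by prefix pattern."""
    return [p for p in listing if p in DROPPED_FILES or DROPPED_PATTERN.search(p)]


# Constructed sample inputs (not taken from the sandbox run).
SAMPLE_RUN_KEY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
    VMware User Process    REG_SZ    "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr
    tsrv    REG_SZ    C:\Windows\tsrv.exe s
"""
# The DLL name here is invented; the report does not say what was registered.
SAMPLE_APPINIT_KEY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows
    AppInit_DLLs    REG_SZ    C:\Windows\SysWOW64\example_hook.dll
    LoadAppInit_DLLs    REG_DWORD    0x1
"""
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       update.av-vendor.test   # constructed: an update-blocking entry
"""
SAMPLE_LISTING = [
    r"C:\Windows\explorer.exe",
    r"C:\Windows\tsrv.exe",
    r"C:\Windows\SysWOW64\kernel32.dll",
    r"C:\Windows\SysWOW64\msji0badf00d.dll",   # same prefix, different suffix
]
```

On a live host, `reg query "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run"` and `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"` produce the input for the two registry checks (query both the Wow6432Node and native keys on x64); the hosts file is read from `%SystemRoot%\System32\drivers\etc\hosts`, and the listing comes from walking `C:\Windows` and `C:\Windows\SysWOW64`.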
Network

MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Event Triggered Execution (1)
    AppInit DLLs (1)
Downloads

Filesize: 77KB
  MD5: bd174a5a29b0f2089bc617a67173f652
  SHA1: 832fd0f92a65d4d2da8d3960299e8266426002a0
  SHA256: c6b0203adda8656526fb6d647daf9bfb23ada22ffc25c10dd4b11f802f012d24
  SHA512: 54694eb9208bab3e932fcf582997d2159559f1e05eb1d2d33324535f66a9a990dfb4e959c6efec34a30955c1807aa3d38b17b1bf3a833704ede69ebf6efa39ee

Filesize: 147KB (the submitted sample; hashes match the General section)
  MD5: 357a71bc43621cd13d8019d8eab8321e
  SHA1: 7ba961decbab63775e375fe476d2678caebee4fd
  SHA256: c05aaf0cb3982fac7c2fc589bc9504e1ad660294a5bf2a9e3b9b2717416c8602
  SHA512: 6943b1aca8fd0c93a787ec8b3e781984436f1463cc3e7dde81667666569cb66b9b896b255553eee36c7bc82fabeb900fbb89fcbd1c7950d64accc5ffc2cc1846

Filesize: 3KB
  MD5: 55bdda728833660485c58e09e5204bac
  SHA1: cf1035bf2c757d5e4c2a6e094ee3bed3f87fbfe8
  SHA256: 7e0bdaa325d01c142651f8f10391a30e067256a88780261af991255dc87ab4eb
  SHA512: 3637d45ac9865c8eade46713fd0172f9d35d3ad9894eb48bb9c441132e918fd93164f9e3b233e2cf5ceb4c4066aa07ecb39a4024592def1a34cf56cc1353babb

Filesize: 240B
  MD5: b0ef5d4e0f2dcc800a789479b9309952
  SHA1: 09c1fd646b05fd07d67a9f74b2b85608552d657e
  SHA256: 576b6aa0c32569f2e4d8f83ad65c61e4371775e177450e36edeeddde25b23e68
  SHA512: 57a407bb29a96afe7282ded3ead5b33f1d5c19fe46be5bc15780781fb27aafbd4cb3d1568be8bebfb6694429e4b4dd53037905002f67fd5a091a80de89878b57

Filesize: 680B
  MD5: 15e64d0ad7d79bb7101929b1721b5685
  SHA1: a61974413b6ed6947be982b6a94aff0749e30422
  SHA256: 46f28afb06ef8f693406228e9c2aec680df81daf84d982b578e5b7ad7fef7fda
  SHA512: 56269a50455f56b5e56a77e4f756290f6a085c782ddef84279699ad706c796aa3b6645926ca48964cf86044ac7e995dac9c39b33fe49029143501aef762b87f0

Filesize: 1KB
  MD5: db22c67f40d581dfa5de962ce72bff41
  SHA1: 65f41151bca8ceb1f11e92963118e9cbc9486c74
  SHA256: 2c81a4c846b050a27b91fbd2c299a2301bf7f76b82954adcb292910f1ef51bd0
  SHA512: c8e7ac853869cf5a665c7c1da3214503933d8571cdcb9601288be9d5e039e525d8b16a26ee199d8ce4ee361f46c05579fb4baf07f97db995c863edc25d3ce0be

Filesize: 1KB
  MD5: 592414500eecd8b2e9fada8fb73cb9f5
  SHA1: 0564606125a56c9526b1e3676050983d267d1198
  SHA256: 376832bac902f44040f75b33b7efb38dd02a576ea2d98834c8913aa44ab063a4
  SHA512: 8dab0a691de35897416c85f447d9153879c37387154c2879d8d186251f19558ceae31df5dd5c6878423aedfea3b5575c04d8bf1fbf42a4dcf5e4bf66a9e5d5f8

Filesize: 2KB
  MD5: 40efe64910cbae16b1e6c9105075b337
  SHA1: 1e3fe7890863d3c46f4e2f65ffb452664e35a72e
  SHA256: 95bf3c36f8b9c956cd78ddb8be4107351a23032c34b2cec2b5bdc87da001d416
  SHA512: e60e142f946d130971df5a13ebb73d5de1bbc74c105ac7827c234c94d5bbaef6406f425ff5df50360cda08733c5c6686982389ea92b1e732634b27aeaaf7034c

Filesize: 2KB
  MD5: dbe2fcd767dce69ff7f8705062f60451
  SHA1: f04dd3c43d64db1979c1ca9885fac3d160b0c301
  SHA256: cfd84a42846392794a64469c3104c55f1332442a66a5414cbbb738b806d64077
  SHA512: 68eed67b1fc9374ada57532318978abe28d78034c87574d5280a24eecd0b30d3fbe358d1f8a7b5288de39d200555c34b2583989def959dc4aee6bad8dff7187d