Analysis
- max time kernel: 150s
- max time network: 126s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64 arch:x86 image:win7-20240704-en locale:en-us os:windows7-x64 system
- submitted: 10/07/2024, 16:26
Static task: static1
Behavioral task: behavioral1
- Sample: 357f183ca1741b4c4eb096fc1581db19_JaffaCakes118.exe
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: 357f183ca1741b4c4eb096fc1581db19_JaffaCakes118.exe
- Resource: win10v2004-20240709-en
General
- Target: 357f183ca1741b4c4eb096fc1581db19_JaffaCakes118.exe
- Size: 129KB
- MD5: 357f183ca1741b4c4eb096fc1581db19
- SHA1: d27ea09a082a3bfca0b7e2182c17588f0a739d29
- SHA256: 02d6f0eb267f667994da87098c1fb942d07a9487d72a150f2ea9b5e02d3b793a
- SHA512: 7399fb82fd49f1f60267887ad4a0437e3aa06daa9d6b056f16bfd1d5d2014f6245375a46bc0041400b7e4f8c1560be37f069158d0b858d5264c2ba76f0df8fcc
- SSDEEP: 3072:ZKeYu+tguObk59eIX1AmUQLgF7A9vKBvc:ZfYHX9e41wQgF89X
Malware Config
Signatures
- Deletes itself (1 IoCs)
  pid Process
  3052 cmd.exe
- Executes dropped EXE (1 IoCs)
  pid Process
  2328 myutu.exe
- Loads dropped DLL (2 IoCs)
  pid Process
  2448 357f183ca1741b4c4eb096fc1581db19_JaffaCakes118.exe
  2448 357f183ca1741b4c4eb096fc1581db19_JaffaCakes118.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description ioc Process
  Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\{6D4A7724-61FD-61CA-F16D-244D6E75D46C} = "C:\\Users\\Admin\\AppData\\Roaming\\Ynzu\\myutu.exe" myutu.exe
- Suspicious use of SetThreadContext (1 IoCs)
  description pid Process procid_target
  PID 2448 set thread context of 3052 2448 357f183ca1741b4c4eb096fc1581db19_JaffaCakes118.exe 31
- Modifies Internet Explorer settings
  description ioc Process
  Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Privacy 357f183ca1741b4c4eb096fc1581db19_JaffaCakes118.exe
  Set value (int) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0" 357f183ca1741b4c4eb096fc1581db19_JaffaCakes118.exe
- Suspicious behavior: EnumeratesProcesses (33 IoCs)
  pid Process
  2328 myutu.exe
  2328 myutu.exe
  2328 myutu.exe
  2328 myutu.exe
  2328 myutu.exe
  2328 myutu.exe
  2328 myutu.exe
  2328 myutu.exe
  2328 myutu.exe
  2328 myutu.exe
  2328 myutu.exe
  2328 myutu.exe
  2328 myutu.exe
  2328 myutu.exe
  2328 myutu.exe
  2328 myutu.exe
  2328 myutu.exe
  2328 myutu.exe
  2328 myutu.exe
  2328 myutu.exe
  2328 myutu.exe
  2328 myutu.exe
  2328 myutu.exe
  2328 myutu.exe
  2328 myutu.exe
  2328 myutu.exe
  2328 myutu.exe
  2328 myutu.exe
  2328 myutu.exe
  2328 myutu.exe
  2328 myutu.exe
  2328 myutu.exe
  2328 myutu.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description pid Process
  Token: SeSecurityPrivilege 2448 357f183ca1741b4c4eb096fc1581db19_JaffaCakes118.exe
  Token: SeSecurityPrivilege 2448 357f183ca1741b4c4eb096fc1581db19_JaffaCakes118.exe
  Token: SeSecurityPrivilege 2448 357f183ca1741b4c4eb096fc1581db19_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (48 IoCs)
  description pid Process procid_target
  PID 2448 wrote to memory of 2328 2448 357f183ca1741b4c4eb096fc1581db19_JaffaCakes118.exe 30
  PID 2448 wrote to memory of 2328 2448 357f183ca1741b4c4eb096fc1581db19_JaffaCakes118.exe 30
  PID 2448 wrote to memory of 2328 2448 357f183ca1741b4c4eb096fc1581db19_JaffaCakes118.exe 30
  PID 2448 wrote to memory of 2328 2448 357f183ca1741b4c4eb096fc1581db19_JaffaCakes118.exe 30
  PID 2328 wrote to memory of 1136 2328 myutu.exe 19
  PID 2328 wrote to memory of 1136 2328 myutu.exe 19
  PID 2328 wrote to memory of 1136 2328 myutu.exe 19
  PID 2328 wrote to memory of 1136 2328 myutu.exe 19
  PID 2328 wrote to memory of 1136 2328 myutu.exe 19
  PID 2328 wrote to memory of 1248 2328 myutu.exe 20
  PID 2328 wrote to memory of 1248 2328 myutu.exe 20
  PID 2328 wrote to memory of 1248 2328 myutu.exe 20
  PID 2328 wrote to memory of 1248 2328 myutu.exe 20
  PID 2328 wrote to memory of 1248 2328 myutu.exe 20
  PID 2328 wrote to memory of 1300 2328 myutu.exe 21
  PID 2328 wrote to memory of 1300 2328 myutu.exe 21
  PID 2328 wrote to memory of 1300 2328 myutu.exe 21
  PID 2328 wrote to memory of 1300 2328 myutu.exe 21
  PID 2328 wrote to memory of 1300 2328 myutu.exe 21
  PID 2328 wrote to memory of 1776 2328 myutu.exe 23
  PID 2328 wrote to memory of 1776 2328 myutu.exe 23
  PID 2328 wrote to memory of 1776 2328 myutu.exe 23
  PID 2328 wrote to memory of 1776 2328 myutu.exe 23
  PID 2328 wrote to memory of 1776 2328 myutu.exe 23
  PID 2328 wrote to memory of 2448 2328 myutu.exe 29
  PID 2328 wrote to memory of 2448 2328 myutu.exe 29
  PID 2328 wrote to memory of 2448 2328 myutu.exe 29
  PID 2328 wrote to memory of 2448 2328 myutu.exe 29
  PID 2328 wrote to memory of 2448 2328 myutu.exe 29
  PID 2448 wrote to memory of 3052 2448 357f183ca1741b4c4eb096fc1581db19_JaffaCakes118.exe 31
  PID 2448 wrote to memory of 3052 2448 357f183ca1741b4c4eb096fc1581db19_JaffaCakes118.exe 31
  PID 2448 wrote to memory of 3052 2448 357f183ca1741b4c4eb096fc1581db19_JaffaCakes118.exe 31
  PID 2448 wrote to memory of 3052 2448 357f183ca1741b4c4eb096fc1581db19_JaffaCakes118.exe 31
  PID 2448 wrote to memory of 3052 2448 357f183ca1741b4c4eb096fc1581db19_JaffaCakes118.exe 31
  PID 2448 wrote to memory of 3052 2448 357f183ca1741b4c4eb096fc1581db19_JaffaCakes118.exe 31
  PID 2448 wrote to memory of 3052 2448 357f183ca1741b4c4eb096fc1581db19_JaffaCakes118.exe 31
  PID 2448 wrote to memory of 3052 2448 357f183ca1741b4c4eb096fc1581db19_JaffaCakes118.exe 31
  PID 2448 wrote to memory of 3052 2448 357f183ca1741b4c4eb096fc1581db19_JaffaCakes118.exe 31
  PID 2328 wrote to memory of 2020 2328 myutu.exe 33
  PID 2328 wrote to memory of 2020 2328 myutu.exe 33
  PID 2328 wrote to memory of 2020 2328 myutu.exe 33
  PID 2328 wrote to memory of 2020 2328 myutu.exe 33
  PID 2328 wrote to memory of 2020 2328 myutu.exe 33
  PID 2328 wrote to memory of 2100 2328 myutu.exe 34
  PID 2328 wrote to memory of 2100 2328 myutu.exe 34
  PID 2328 wrote to memory of 2100 2328 myutu.exe 34
  PID 2328 wrote to memory of 2100 2328 myutu.exe 34
  PID 2328 wrote to memory of 2100 2328 myutu.exe 34
Processes
- C:\Windows\system32\taskhost.exe "taskhost.exe" 1⤵ PID:1136
- C:\Windows\system32\Dwm.exe "C:\Windows\system32\Dwm.exe" 1⤵ PID:1248
- C:\Windows\Explorer.EXE C:\Windows\Explorer.EXE 1⤵ PID:1300
  - C:\Users\Admin\AppData\Local\Temp\357f183ca1741b4c4eb096fc1581db19_JaffaCakes118.exe "C:\Users\Admin\AppData\Local\Temp\357f183ca1741b4c4eb096fc1581db19_JaffaCakes118.exe" 2⤵ PID:2448
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Modifies Internet Explorer settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\Ynzu\myutu.exe "C:\Users\Admin\AppData\Roaming\Ynzu\myutu.exe" 3⤵ PID:2328
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp5d24e9bc.bat" 3⤵ PID:3052
      - Deletes itself
- C:\Windows\system32\DllHost.exe C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} 1⤵ PID:1776
- C:\Windows\system32\DllHost.exe C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} 1⤵ PID:2020
- C:\Windows\system32\DllHost.exe C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} 1⤵ PID:2100
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 271B
  MD5: 57a7e211f223ed77cc013b2f2ad2b001
  SHA1: c0ebf1c2aaa6e8d5aeeafc0c90e4a9dbbbf98077
  SHA256: 6d72c376eacbd0a9d04aaf632d3efbf4d1c4c325b85e055b4d38fd01b71f7bad
  SHA512: 96c8b7822d3f6e14043698023044d95bc2b219b8be11a5aaefff85fe58d75d2347cf4d9b712b2edae1fb74bc920765157fe8e9054bba441e3c9069f632bcc275
- Filesize: 380B
  MD5: 6c87d9c3c872017b56a1e5d71e8e8be1
  SHA1: 75d4ed8ffbcab6745383603193fe201321469655
  SHA256: 2c6dc8d1e77dd42b31acd345e63cfcba1befe7364dd0a758cb2fb473fc031b7a
  SHA512: f81dbff7106bc6bf428e7abd575b622694da17f0edfb9f75fe08fafefc7f66cbbd91d1268b52b5357588ca9922ee7b69b0a4237d06225ae16606e161aa48cd7a
- Filesize: 129KB
  MD5: cf08f12d69e1880ac2c17813e49f6e02
  SHA1: e09480cd5e4663e410fe0efd034bda8bcc250b8f
  SHA256: 939a3ff7b24c585dba6821699ac29412d904c5948e726caa28d058bfe832b399
  SHA512: caf6bfc6ba6db3b8dd692a2bf3816b9fdec2757a532f4c885e83a172317bbc97d71839bf9a6db2cbc0fbe27b29d2d31a35c318f341eda6065bbffe96d2e1d365