Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 118s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 12/07/2024, 00:33
Behavioral task: behavioral1
- Sample: 3b54de624a842bbb116c6189c8f94551_JaffaCakes118.exe
- Resource: win7-20240708-en
Behavioral task: behavioral2
- Sample: 3b54de624a842bbb116c6189c8f94551_JaffaCakes118.exe
- Resource: win10v2004-20240709-en
General
- Target: 3b54de624a842bbb116c6189c8f94551_JaffaCakes118.exe
- Size: 165KB
- MD5: 3b54de624a842bbb116c6189c8f94551
- SHA1: 9157e6d1c2b7057f8e352178452bf69f9d479c63
- SHA256: d6eb57fd34c3a527d60dfa22c2f1850bfdca618f978a4bb319c8b01571eb6ff7
- SHA512: d606557534d6a409beaedcf5d85cb009d6da332c7ae05351bd2f40667a4e5eadb7e3a492f406f964523d5fdf3506c848a029fa11aee1f62b5f0899aa50a48647
- SSDEEP: 3072:ABGuStDz/yIzfIenQKIsmtLeIAPGn2jS0gPsX8EsV5q7d+JYfvomTQpoutr:AB03/yMfId8GLsjdgPsMEsV47d+SP8oS
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  - pid 1060, process Omnmna.exe
  - pid 2916, process Omnmna.exe
- Loads dropped DLL (2 IoCs)
  - pid 2448, process 3b54de624a842bbb116c6189c8f94551_JaffaCakes118.exe
  - pid 1060, process Omnmna.exe
- Yara rule matches (resource: yara_rule)
  - behavioral1/memory/1928-0-0x0000000000400000-0x0000000000531000-memory.dmp: upx
  - behavioral1/memory/1928-9-0x0000000000400000-0x0000000000531000-memory.dmp: upx
  - behavioral1/files/0x000d000000014348-11.dat: upx
  - behavioral1/memory/1060-17-0x0000000000400000-0x0000000000531000-memory.dmp: upx
  - behavioral1/memory/1060-28-0x0000000000400000-0x0000000000531000-memory.dmp: upx
- Adds Run key to start application (2 TTPs, 2 IoCs)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Omnmna = "C:\\Users\\Admin\\AppData\\Roaming\\Omnmna.exe" (process: 3b54de624a842bbb116c6189c8f94551_JaffaCakes118.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Omnmna = "C:\\Users\\Admin\\AppData\\Roaming\\Omnmna.exe" (process: 3b54de624a842bbb116c6189c8f94551_JaffaCakes118.exe)
- Suspicious use of SetThreadContext (2 IoCs)
  - PID 1928 set thread context of 2448 (process: 3b54de624a842bbb116c6189c8f94551_JaffaCakes118.exe, procid_target: 30)
  - PID 1060 set thread context of 2916 (process: Omnmna.exe, procid_target: 32)
- Modifies data under HKEY_USERS (2 IoCs)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run (process: 3b54de624a842bbb116c6189c8f94551_JaffaCakes118.exe)
  - Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Omnmna = "C:\\Users\\Admin\\AppData\\Roaming\\Omnmna.exe" (process: 3b54de624a842bbb116c6189c8f94551_JaffaCakes118.exe)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  - Token: SeDebugPrivilege (pid 2916, process Omnmna.exe)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  - pid 1928, process 3b54de624a842bbb116c6189c8f94551_JaffaCakes118.exe
  - pid 1060, process Omnmna.exe
- Suspicious use of WriteProcessMemory (24 IoCs)
  - PID 1928 wrote to memory of 2448 (process: 3b54de624a842bbb116c6189c8f94551_JaffaCakes118.exe, procid_target: 30), 10 identical entries
  - PID 2448 wrote to memory of 1060 (process: 3b54de624a842bbb116c6189c8f94551_JaffaCakes118.exe, procid_target: 31), 4 identical entries
  - PID 1060 wrote to memory of 2916 (process: Omnmna.exe, procid_target: 32), 10 identical entries
- System policy modification (1 TTPs, 2 IoCs)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (process: 3b54de624a842bbb116c6189c8f94551_JaffaCakes118.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\Omnmna.exe" (process: 3b54de624a842bbb116c6189c8f94551_JaffaCakes118.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\3b54de624a842bbb116c6189c8f94551_JaffaCakes118.exe (PID 1928, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\3b54de624a842bbb116c6189c8f94551_JaffaCakes118.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\3b54de624a842bbb116c6189c8f94551_JaffaCakes118.exe (PID 2448, level 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\3b54de624a842bbb116c6189c8f94551_JaffaCakes118.exe
    - Loads dropped DLL
    - Adds Run key to start application
    - Modifies data under HKEY_USERS
    - Suspicious use of WriteProcessMemory
    - System policy modification
    - C:\Users\Admin\AppData\Roaming\Omnmna.exe (PID 1060, level 3)
      Command line: "C:\Users\Admin\AppData\Roaming\Omnmna.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Roaming\Omnmna.exe (PID 2916, level 4)
        Command line: C:\Users\Admin\AppData\Roaming\Omnmna.exe
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 165KB
- MD5: 3b54de624a842bbb116c6189c8f94551
- SHA1: 9157e6d1c2b7057f8e352178452bf69f9d479c63
- SHA256: d6eb57fd34c3a527d60dfa22c2f1850bfdca618f978a4bb319c8b01571eb6ff7
- SHA512: d606557534d6a409beaedcf5d85cb009d6da332c7ae05351bd2f40667a4e5eadb7e3a492f406f964523d5fdf3506c848a029fa11aee1f62b5f0899aa50a48647