Site notice (Windows 7 deprecation): Windows 7 will be removed from tria.ge on 2025-03-31.
Analysis
max time kernel: 150s
max time network: 153s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 12/07/2024, 09:48
Static task: static1
Behavioral task: behavioral1
  Sample: 3ce1ae2605aa800c205ef63a45ffdbfa_JaffaCakes118.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 3ce1ae2605aa800c205ef63a45ffdbfa_JaffaCakes118.exe
  Resource: win10v2004-20240709-en
General
Target: 3ce1ae2605aa800c205ef63a45ffdbfa_JaffaCakes118.exe
Size: 170KB
MD5: 3ce1ae2605aa800c205ef63a45ffdbfa
SHA1: 8b592b4413cfa168cd704d9943812ffb0b941430
SHA256: 87742fa4d67a5d142e77dbeda2cc02bd2a975bf543ea0505045b096a82068c93
SHA512: 25cfd395b022f1216eac7735c6dbc973e388a812a7e710296f194a3018cf40abe459b8bfcecfba652de1f73d5312ad556ac4ab5978354a919ccda15953b96cf8
SSDEEP: 3072:8OPTvYsKQrML6dVuamswMeONJZFoC3KwHaxcFjgny86g8jXBu:8O7YENdVutswMZF5KwHaxCwy86ZBu
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  pid   Process
  2876  KB01061861.exe
  2884  kb01061861.exe
- Loads dropped DLL (6 IoCs)
  pid   Process
  2716  3ce1ae2605aa800c205ef63a45ffdbfa_jaffacakes118.exe  (2 rows)
  2876  KB01061861.exe
  2804  WerFault.exe  (3 rows)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) by kb01061861.exe:
  \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\KB01061861.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\KB01061861.exe\""
- Suspicious use of SetThreadContext (2 IoCs)
  pid   Process                                              target pid  procid_target
  560   3ce1ae2605aa800c205ef63a45ffdbfa_JaffaCakes118.exe   2716        29
  2876  KB01061861.exe                                       2884        34
- Program crash (2 IoCs)
  pid   Process       pid_target  procid_target
  2740  WerFault.exe  560         28
  2804  WerFault.exe  2876        32
- Suspicious behavior: EnumeratesProcesses (64 IoCs; identical rows condensed)
  pid   Process         rows
  2884  kb01061861.exe  35
  2740  WerFault.exe    13
  2804  WerFault.exe    16
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid   Process
  2804  WerFault.exe
- Suspicious use of AdjustPrivilegeToken (8 IoCs)
  Token                pid   Process
  SeSecurityPrivilege  2884  kb01061861.exe
  SeSecurityPrivilege  2740  WerFault.exe
  SeDebugPrivilege     2740  WerFault.exe
  SeSecurityPrivilege  2844  cmd.exe
  SeSecurityPrivilege  2876  KB01061861.exe
  SeSecurityPrivilege  2804  WerFault.exe
  SeDebugPrivilege     2804  WerFault.exe
  SeSecurityPrivilege  560   3ce1ae2605aa800c205ef63a45ffdbfa_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (43 IoCs; identical rows condensed)
  pid   Process                                              wrote to pid  procid_target  rows
  560   3ce1ae2605aa800c205ef63a45ffdbfa_JaffaCakes118.exe   2716          29             11
  560   3ce1ae2605aa800c205ef63a45ffdbfa_JaffaCakes118.exe   2740          30             4
  2716  3ce1ae2605aa800c205ef63a45ffdbfa_jaffacakes118.exe   2844          31             4
  2716  3ce1ae2605aa800c205ef63a45ffdbfa_jaffacakes118.exe   2876          32             4
  2876  KB01061861.exe                                       2884          34             11
  2876  KB01061861.exe                                       2804          35             4
  2884  kb01061861.exe                                       560           28             1
  2884  kb01061861.exe                                       2740          30             1
  2884  kb01061861.exe                                       2844          31             1
  2884  kb01061861.exe                                       2876          32             1
  2884  kb01061861.exe                                       2804          35             1
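The two signatures that carry the weight in this report are SetThreadContext and WriteProcessMemory. A WriteProcessMemory row on its own is weak evidence: a parent writes into every child it starts, so 560 writing to 2740 (WerFault) or 2716 writing to 2844 (cmd.exe) is ordinary process creation. What stands out is that 560 and 2876 each write memory into, and set the thread context of, a child whose image path is their own (2716 and 2884), which is the shape of process hollowing / self-injection, and that 2884 then writes into processes it did not create (560, 2740, 2844, 2876, 2804). The following Python is an added example, not part of the Triage report or of any Triage tooling: it parses rows in the report's own layout and re-derives both observations. The rows are constructed from the signature tables above (one row per distinct source/target pair), the image paths and parent map are transcribed from the Processes section, and the function names are this example's own.

```python
"""Re-derive injection findings from Hatching Triage signature rows.

Added example, not part of the Triage report. SIGNATURE_ROWS is constructed
from the report's SetThreadContext / WriteProcessMemory signatures (one row per
distinct source/target pair; the report repeats most rows). PROCESSES and
PARENT are transcribed from the report's Processes section.
"""
import re
from collections import defaultdict

SIGNATURE_ROWS = """\
PID 560 set thread context of 2716 560 3ce1ae2605aa800c205ef63a45ffdbfa_JaffaCakes118.exe 29
PID 2876 set thread context of 2884 2876 KB01061861.exe 34
PID 560 wrote to memory of 2716 560 3ce1ae2605aa800c205ef63a45ffdbfa_JaffaCakes118.exe 29
PID 560 wrote to memory of 2740 560 3ce1ae2605aa800c205ef63a45ffdbfa_JaffaCakes118.exe 30
PID 2716 wrote to memory of 2844 2716 3ce1ae2605aa800c205ef63a45ffdbfa_jaffacakes118.exe 31
PID 2716 wrote to memory of 2876 2716 3ce1ae2605aa800c205ef63a45ffdbfa_jaffacakes118.exe 32
PID 2876 wrote to memory of 2884 2876 KB01061861.exe 34
PID 2876 wrote to memory of 2804 2876 KB01061861.exe 35
PID 2884 wrote to memory of 560 2884 kb01061861.exe 28
PID 2884 wrote to memory of 2740 2884 kb01061861.exe 30
PID 2884 wrote to memory of 2844 2884 kb01061861.exe 31
PID 2884 wrote to memory of 2876 2884 kb01061861.exe 32
PID 2884 wrote to memory of 2804 2884 kb01061861.exe 35
"""

# pid -> image path, as printed in the report's process tree.
PROCESSES = {
    560: r"C:\Users\Admin\AppData\Local\Temp\3ce1ae2605aa800c205ef63a45ffdbfa_JaffaCakes118.exe",
    2716: r"\??\c:\users\admin\appdata\local\temp\3ce1ae2605aa800c205ef63a45ffdbfa_jaffacakes118.exe",
    2740: r"C:\Windows\SysWOW64\WerFault.exe",
    2844: r"C:\Windows\SysWOW64\cmd.exe",
    2876: r"C:\Users\Admin\AppData\Roaming\KB01061861.exe",
    2884: r"\??\c:\users\admin\appdata\roaming\kb01061861.exe",
    2804: r"C:\Windows\SysWOW64\WerFault.exe",
}

# child pid -> parent pid, from the nesting of the process tree (560 is the root).
PARENT = {2716: 560, 2740: 560, 2844: 2716, 2876: 2716, 2884: 2876, 2804: 2876}

# Row layout: "PID <src> <action> <dst> <src> <image> <procid_target>".
# The trailing number is Triage's internal process index, not a Windows PID.
ROW_RE = re.compile(r"^PID (\d+) (set thread context of|wrote to memory of) (\d+) ")


def parse_rows(text):
    """Return {action: {(src_pid, dst_pid), ...}} from Triage-style rows."""
    edges = defaultdict(set)
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            edges[m.group(2)].add((int(m.group(1)), int(m.group(3))))
    return edges


def normalize_image(path):
    """Drop the NT '\\??\\' prefix and case so both spellings of one image compare equal."""
    if path.startswith("\\??\\"):
        path = path[4:]
    return path.lower()


def find_self_injection(edges, processes):
    """(src, dst, image) where src both wrote memory and set thread context in a
    process running its own image: the hollowing / self-injection pattern."""
    ctx = edges.get("set thread context of", set())
    wpm = edges.get("wrote to memory of", set())
    hits = []
    for src, dst in sorted(ctx & wpm):
        if normalize_image(processes.get(src, "")) == normalize_image(processes.get(dst, "")):
            hits.append((src, dst, processes[dst]))
    return hits


def find_foreign_writes(edges, parent):
    """(src, dst) pairs where src wrote into a process it did not create.
    Parent->child writes are normal CreateProcess behaviour and are excluded."""
    wpm = edges.get("wrote to memory of", set())
    return sorted((s, d) for s, d in wpm if parent.get(d) != s)


if __name__ == "__main__":
    found = parse_rows(SIGNATURE_ROWS)
    for src, dst, image in find_self_injection(found, PROCESSES):
        print(f"self-injection candidate: {src} -> {dst} ({image})")
    for src, dst in find_foreign_writes(found, PARENT):
        print(f"write into non-child process: {src} -> {dst}")
```

Run as-is it reports 560 -> 2716 and 2876 -> 2884 as self-injection candidates and the five writes from 2884 into its ancestors and siblings. Treat the second list as the stronger lead for a hunt: a freshly written image in AppData\Roaming touching the memory of a process it did not spawn has no benign explanation in this tree.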
Processes (indentation = parent/child nesting)
C:\Users\Admin\AppData\Local\Temp\3ce1ae2605aa800c205ef63a45ffdbfa_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3ce1ae2605aa800c205ef63a45ffdbfa_JaffaCakes118.exe"
  PID: 560
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    \??\c:\users\admin\appdata\local\temp\3ce1ae2605aa800c205ef63a45ffdbfa_jaffacakes118.exe
      Command line: "c:\users\admin\appdata\local\temp\3ce1ae2605aa800c205ef63a45ffdbfa_jaffacakes118.exe"
      PID: 2716
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\cmd.exe
          Command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\exp2194.tmp.bat"
          PID: 2844
          - Suspicious use of AdjustPrivilegeToken
        C:\Users\Admin\AppData\Roaming\KB01061861.exe
          Command line: "C:\Users\Admin\AppData\Roaming\KB01061861.exe"
          PID: 2876
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of SetThreadContext
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
            \??\c:\users\admin\appdata\roaming\kb01061861.exe
              Command line: "c:\users\admin\appdata\roaming\kb01061861.exe"
              PID: 2884
              - Executes dropped EXE
              - Adds Run key to start application
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\WerFault.exe
              Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2876 -s 144
              PID: 2804
              - Loads dropped DLL
              - Program crash
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious behavior: GetForegroundWindowSpam
              - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 560 -s 144
      PID: 2740
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 286B
  MD5: 2c1f763190eadd10dc70f8a550f205bf
  SHA1: b116451ca1cd74040a3aeb7ba9f4ce63b394a0dc
  SHA256: 1a78a34662fb41d4c4087bc4dccb57319955ae470da07652d25842b3a9ee2105
  SHA512: f60b8c0ee2359e1845ab2b162b81d3f760e86a4583fa6e568dcdd1bd9ba0a1c1c0b3d1bf2ce7fb6562a97ce5177a0de50ea3a9b49c66b7f05598d50f31e219ed
- Filesize: 170KB (same hashes as the submitted sample)
  MD5: 3ce1ae2605aa800c205ef63a45ffdbfa
  SHA1: 8b592b4413cfa168cd704d9943812ffb0b941430
  SHA256: 87742fa4d67a5d142e77dbeda2cc02bd2a975bf543ea0505045b096a82068c93
  SHA512: 25cfd395b022f1216eac7735c6dbc973e388a812a7e710296f194a3018cf40abe459b8bfcecfba652de1f73d5312ad556ac4ab5978354a919ccda15953b96cf8