Analysis
- max time kernel: 149s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 13/07/2024, 09:25
Behavioral task: behavioral1
- Sample: 411a4a7d91a470f004c1d785320e9753_JaffaCakes118.exe
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: 411a4a7d91a470f004c1d785320e9753_JaffaCakes118.exe
- Resource: win10v2004-20240709-en
General
- Target: 411a4a7d91a470f004c1d785320e9753_JaffaCakes118.exe
- Size: 29KB
- MD5: 411a4a7d91a470f004c1d785320e9753
- SHA1: 75e39c62e04fa6a97ea54794b4d3f9c24cc61ebd
- SHA256: 0b24337084608878194c71a3dbf40a06e457b61fad024dd2fb0bfb6ad571073c
- SHA512: 00f44891cda68af23010349568fb2b59150626a352b9e6cd6a2ee02f78ff25a0afdc2aa18679ed44aa288e980cfd4fdba2e743a58157876094dcd03759875f7f
- SSDEEP: 768:tQbuQRy2UjmUndnlTttxDn+3jiSkjRY6AB7kKfYoJ+ifBEewj:QuQRylaUDTDxDXjy6AB7koYy23
Malware Config
Signatures
Windows security bypass 4 IoCs
description: ioc (process)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "24064" (upkookuk-ced.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "24064" (upkookuk-ced.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "24064" (upkookuk-ced.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "24064" (upkookuk-ced.exe)
Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description: ioc (process)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{454C5A59-5054-4656-454C-5A5950544656}\StubPath = "C:\\Windows\\system32\\ulsepop.exe" (upkookuk-ced.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{454C5A59-5054-4656-454C-5A5950544656} (upkookuk-ced.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{454C5A59-5054-4656-454C-5A5950544656}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a" (upkookuk-ced.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{454C5A59-5054-4656-454C-5A5950544656}\IsInstalled = "1" (upkookuk-ced.exe)
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 3 IoCs
description: ioc (process)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe (upkookuk-ced.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a" (upkookuk-ced.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\afxoroax.exe" (upkookuk-ced.exe)
Executes dropped EXE 2 IoCs
pid: process
- 2576: upkookuk-ced.exe
- 320: upkookuk-ced.exe
Loads dropped DLL 3 IoCs
pid: process
- 1580: 411a4a7d91a470f004c1d785320e9753_JaffaCakes118.exe
- 1580: 411a4a7d91a470f004c1d785320e9753_JaffaCakes118.exe
- 2576: upkookuk-ced.exe
UPX packed (yara rule: upx) 7 IoCs
resource: yara_rule
- behavioral1/memory/1580-0-0x0000000000400000-0x0000000000417000-memory.dmp: upx
- behavioral1/files/0x000700000001211a-12.dat: upx
- behavioral1/memory/2576-13-0x0000000000400000-0x0000000000417000-memory.dmp: upx
- behavioral1/memory/1580-11-0x0000000000400000-0x0000000000417000-memory.dmp: upx
- behavioral1/memory/320-25-0x0000000000400000-0x0000000000417000-memory.dmp: upx
- behavioral1/memory/2576-59-0x0000000000400000-0x0000000000417000-memory.dmp: upx
- behavioral1/memory/320-60-0x0000000000400000-0x0000000000417000-memory.dmp: upx
Windows security modification 4 IoCs
description: ioc (process)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "24064" (upkookuk-ced.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "24064" (upkookuk-ced.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "24064" (upkookuk-ced.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "24064" (upkookuk-ced.exe)
Modifies WinLogon 2 TTPs 5 IoCs
description: ioc (process)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\amfineac.dll" (upkookuk-ced.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup" (upkookuk-ced.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B} (upkookuk-ced.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify (upkookuk-ced.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a" (upkookuk-ced.exe)
Drops file in System32 directory 17 IoCs
description: ioc (process)
- File opened for modification: C:\Windows\SysWOW64\winrnt.exe (upkookuk-ced.exe)
- File opened for modification: C:\Windows\SysWOW64\gymspzd.dll (upkookuk-ced.exe)
- File created: C:\Windows\SysWOW64\upkookuk-ced.exe (411a4a7d91a470f004c1d785320e9753_JaffaCakes118.exe)
- File created: C:\Windows\SysWOW64\afxoroax.exe (upkookuk-ced.exe)
- File created: C:\Windows\SysWOW64\amfineac.dll (upkookuk-ced.exe)
- File opened for modification: C:\Windows\SysWOW64\afxoroax.exe (upkookuk-ced.exe)
- File opened for modification: C:\Windows\SysWOW64\ntdbg.exe (upkookuk-ced.exe)
- File opened for modification: C:\Windows\SysWOW64\aset32.exe (upkookuk-ced.exe)
- File opened for modification: C:\Windows\SysWOW64\ahuy.exe (upkookuk-ced.exe)
- File opened for modification: C:\Windows\SysWOW64\RECOVER32.DLL (upkookuk-ced.exe)
- File opened for modification: C:\Windows\SysWOW64\upkookuk-ced.exe (upkookuk-ced.exe)
- File opened for modification: C:\Windows\SysWOW64\upkookuk-ced.exe (411a4a7d91a470f004c1d785320e9753_JaffaCakes118.exe)
- File opened for modification: C:\Windows\SysWOW64\ulsepop.exe (upkookuk-ced.exe)
- File opened for modification: C:\Windows\SysWOW64\amfineac.dll (upkookuk-ced.exe)
- File created: C:\Windows\SysWOW64\ulsepop.exe (upkookuk-ced.exe)
- File opened for modification: C:\Windows\SysWOW64\rmass.exe (upkookuk-ced.exe)
- File opened for modification: C:\Windows\SysWOW64\idbg32.exe (upkookuk-ced.exe)
Drops file in Program Files directory 8 IoCs
description: ioc (process)
- File opened for modification: C:\Program Files (x86)\Common Files\System\idbg32.exe (upkookuk-ced.exe)
- File opened for modification: C:\Program Files (x86)\Common Files\System\ntdbg.exe (upkookuk-ced.exe)
- File opened for modification: C:\Program Files (x86)\Common Files\System\RECOVER32.DLL (upkookuk-ced.exe)
- File opened for modification: C:\Program Files (x86)\Common Files\System\gymspzd.dll (upkookuk-ced.exe)
- File opened for modification: C:\Program Files (x86)\Common Files\System\winrnt.exe (upkookuk-ced.exe)
- File opened for modification: C:\Program Files (x86)\Common Files\System\rmass.exe (upkookuk-ced.exe)
- File opened for modification: C:\Program Files (x86)\Common Files\System\aset32.exe (upkookuk-ced.exe)
- File opened for modification: C:\Program Files (x86)\Common Files\System\ahuy.exe (upkookuk-ced.exe)
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid: process (64 entries, all for PID 2576 upkookuk-ced.exe except one entry for PID 320 upkookuk-ced.exe)
- 2576: upkookuk-ced.exe (repeated)
- 320: upkookuk-ced.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
description: pid process
- Token: SeDebugPrivilege: 1580 411a4a7d91a470f004c1d785320e9753_JaffaCakes118.exe
- Token: SeDebugPrivilege: 2576 upkookuk-ced.exe
Suspicious use of WriteProcessMemory 64 IoCs
description: pid process procid_target (duplicate entries collapsed; counts given per line)
- PID 1580 wrote to memory of 2576: 1580 411a4a7d91a470f004c1d785320e9753_JaffaCakes118.exe, target 30 (4 entries)
- PID 2576 wrote to memory of 432: 2576 upkookuk-ced.exe, target 5 (1 entry; PID 432 is winlogon.exe in the process tree)
- PID 2576 wrote to memory of 320: 2576 upkookuk-ced.exe, target 31 (4 entries)
- PID 2576 wrote to memory of 1200: 2576 upkookuk-ced.exe, target 21 (remaining 55 of the 64 entries; PID 1200 is Explorer.EXE in the process tree)
Processes (indented by process tree level)
- C:\Windows\system32\winlogon.exe
  Command line: winlogon.exe
  Level: 1
  PID: 432
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  Level: 1
  PID: 1200
  - C:\Users\Admin\AppData\Local\Temp\411a4a7d91a470f004c1d785320e9753_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\411a4a7d91a470f004c1d785320e9753_JaffaCakes118.exe"
    Level: 2
    Signatures:
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 1580
    - C:\Windows\SysWOW64\upkookuk-ced.exe
      Command line: "C:\Windows\system32\upkookuk-ced.exe"
      Level: 3
      Signatures:
      - Windows security bypass
      - Boot or Logon Autostart Execution: Active Setup
      - Event Triggered Execution: Image File Execution Options Injection
      - Executes dropped EXE
      - Loads dropped DLL
      - Windows security modification
      - Modifies WinLogon
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 2576
      - C:\Windows\SysWOW64\upkookuk-ced.exe
        Command line: --k33p
        Level: 4
        Signatures:
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        PID: 320
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Active Setup (1)
  - Winlogon Helper DLL (1)
- Event Triggered Execution (1)
  - Image File Execution Options Injection (1)
Downloads
- Filesize: 32KB
  MD5: bb3c9cf8678ac0bb2d3ea0e2429e72bf
  SHA1: 9234232f8966c88e3397772eb71e539481d6574b
  SHA256: 14eb3577f40166dacbe608c22949223c0e293f9f587b705ff857d245467a82fa
  SHA512: a4d08f53082861496ef73e642d0fba090c5eeac04cc1c94a59737d9797e07937a13d89f4043b908b7b16f1d17ff86f2a7e8f61e0ca6a5b659e24fb519f975933
- Filesize: 5KB
  MD5: c8521a5fdd1c9387d536f599d850b195
  SHA1: a543080665107b7e32bcc1ed19dbfbc1d2931356
  SHA256: fa8f77b6daf775d66de9d27c1d896168a792057358e518c00e72b8964b966ca5
  SHA512: 541500e2cd502852a007d29badc1a1848d187245f78ec272281bab290cc6e308f0ae6d1b96863e0c30a176b16c6cf7e63e08a8de81a84615e4710e7164a805cd
- Filesize: 31KB
  MD5: 9cabf5f9fbdc9010abedbe95f8d96e28
  SHA1: 8350dc3fe198dbd1270f7ea2a7eff2923183235d
  SHA256: 474b8292d17dea28f29494423707d6a305a6df9bbe615492297935ebc86dd67a
  SHA512: 30d26f24edf83de8ecc299148e546dfe81e10c1fa594bd6d42f8549b12dc3a6b8147a1168f35005676a4fe4aabea67c56cfcc08be4a15195c2f03ae4b1e0c6d7
- Filesize: 29KB
  MD5: 411a4a7d91a470f004c1d785320e9753
  SHA1: 75e39c62e04fa6a97ea54794b4d3f9c24cc61ebd
  SHA256: 0b24337084608878194c71a3dbf40a06e457b61fad024dd2fb0bfb6ad571073c
  SHA512: 00f44891cda68af23010349568fb2b59150626a352b9e6cd6a2ee02f78ff25a0afdc2aa18679ed44aa288e980cfd4fdba2e743a58157876094dcd03759875f7f