Analysis
- max time kernel: 150s
- max time network: 145s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64 arch:x86 image:win7-20240704-en locale:en-us os:windows7-x64 system
- submitted: 14/07/2024, 23:45
Behavioral task
behavioral1
Sample
474d4d3b2ec4cb908c44ad17aff85805_JaffaCakes118.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
474d4d3b2ec4cb908c44ad17aff85805_JaffaCakes118.exe
Resource
win10v2004-20240704-en
General
-
Target
474d4d3b2ec4cb908c44ad17aff85805_JaffaCakes118.exe
-
Size
296KB
-
MD5
474d4d3b2ec4cb908c44ad17aff85805
-
SHA1
c036059376f20d5c243d9ca5fac5b99169eff001
-
SHA256
67ccfb0369e7d8bb85a4bdeb1d89a1ef45061312ccc57edc81739edfe8a296c7
-
SHA512
5be257d14608edb6540c931a175c0fff0aa2bca6c94a726914f585206912e5e2da406fb273b6065742edefc9b17467de2b0807913f3746fac3d6aef04b5d7bf1
-
SSDEEP
6144:A5GL86QqsaUFRzfeFJROZPUODVGvV8s76RYwRfPgFAtdDAf+O2:nLkqsaUFxfe63UN0RfUudsfy
Malware Config
Signatures
- Deletes itself 1 IoCs
  pid   Process
  1936  cmd.exe
- Executes dropped EXE 1 IoCs
  pid   Process
  1284  vaquz.exe
- Loads dropped DLL 2 IoCs
  pid   Process
  2476  474d4d3b2ec4cb908c44ad17aff85805_JaffaCakes118.exe
  2476  474d4d3b2ec4cb908c44ad17aff85805_JaffaCakes118.exe
- resource  yara_rule
  behavioral1/memory/2476-0-0x0000000000400000-0x0000000000813000-memory.dmp  upx
  behavioral1/files/0x000a000000016d90-8.dat  upx
- Adds Run key to start application 2 TTPs 1 IoCs
  description      ioc                                                                                                                                                                                          Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\{75DA6328-6F30-AD4F-96DD-2BAD86C808B0} = "C:\\Users\\Admin\\AppData\\Roaming\\Emweus\\vaquz.exe"  vaquz.exe
- Suspicious use of SetThreadContext 1 IoCs
  description                           pid   Process                                               procid_target
  PID 2476 set thread context of 1936   2476  474d4d3b2ec4cb908c44ad17aff85805_JaffaCakes118.exe   32
- Modifies Internet Explorer settings
  description      ioc                                                                                                                    Process
  Key created      \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Privacy                  474d4d3b2ec4cb908c44ad17aff85805_JaffaCakes118.exe
  Set value (int)  \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"  474d4d3b2ec4cb908c44ad17aff85805_JaffaCakes118.exe
- Suspicious behavior: EnumeratesProcesses 31 IoCs
  pid   Process
  1284  vaquz.exe  (31 identical entries)
- Suspicious use of AdjustPrivilegeToken 3 IoCs
  description                 pid   Process
  Token: SeSecurityPrivilege  2476  474d4d3b2ec4cb908c44ad17aff85805_JaffaCakes118.exe
  Token: SeSecurityPrivilege  2476  474d4d3b2ec4cb908c44ad17aff85805_JaffaCakes118.exe
  Token: SeSecurityPrivilege  2476  474d4d3b2ec4cb908c44ad17aff85805_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory 38 IoCs
  description                        pid   Process                                               procid_target  entries
  PID 2476 wrote to memory of 1284   2476  474d4d3b2ec4cb908c44ad17aff85805_JaffaCakes118.exe   31             4
  PID 1284 wrote to memory of 1188   1284  vaquz.exe                                             19             5
  PID 1284 wrote to memory of 1300   1284  vaquz.exe                                             20             5
  PID 1284 wrote to memory of 1360   1284  vaquz.exe                                             21             5
  PID 1284 wrote to memory of 1160   1284  vaquz.exe                                             25             5
  PID 1284 wrote to memory of 2476   1284  vaquz.exe                                             30             5
  PID 2476 wrote to memory of 1936   2476  474d4d3b2ec4cb908c44ad17aff85805_JaffaCakes118.exe   32             9
Processes
- C:\Windows\system32\taskhost.exe  "taskhost.exe"  PID:1188
- C:\Windows\system32\Dwm.exe  "C:\Windows\system32\Dwm.exe"  PID:1300
- C:\Windows\Explorer.EXE  C:\Windows\Explorer.EXE  PID:1360
  - C:\Users\Admin\AppData\Local\Temp\474d4d3b2ec4cb908c44ad17aff85805_JaffaCakes118.exe  "C:\Users\Admin\AppData\Local\Temp\474d4d3b2ec4cb908c44ad17aff85805_JaffaCakes118.exe"  PID:2476
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Modifies Internet Explorer settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\Emweus\vaquz.exe  "C:\Users\Admin\AppData\Roaming\Emweus\vaquz.exe"  PID:1284
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpb0d87fde.bat"  PID:1936
      - Deletes itself
- C:\Windows\system32\DllHost.exe  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}  PID:1160
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 271B
  MD5: 717cf601886345d962698de9e2c65a49
  SHA1: af3853614d12b9c273f0ea7bc3d1a7e00ded493d
  SHA256: 0c2862b67d8ce5672d0190980c29197575d389d0a04bb96b0b980c5988130e7d
  SHA512: f42fe370b1a1549746854768b661e0fd726e5746754bdc7e7a1c71b98e59ea49c3297b40ff775b4d916b4129bf24b07923f0dbdcd9c8b72856bb080fa308cb23
- Filesize: 380B
  MD5: 14126ed67657b4ab292c084d755c2d22
  SHA1: 60cabfe9d948b1fd1d27ebc2cd4524bcb897314d
  SHA256: c33060bcba2a000c51f9be22966e956c5fa69432c80a3fc7437e3fdea9a3f02c
  SHA512: e2042dfd3d6e5da5e75d84b889009fb3baa0f353b45a28f3fba748255f7f9fdc158b3692c63b0b1f580f13a53b2acdd78b21528cb73c6ddf6d69634f5018884d
- Filesize: 296KB
  MD5: b356d55e61702bcd872e0806377ea396
  SHA1: 3397b81e1a94a204c13e96d95c5ebafe769a97b5
  SHA256: 302f51407f4198bc89917f98f5b1bba3f055b950f839043d6b19de4b88922234
  SHA512: 9e4adcc71a1c2aab37700dbef7310763f4286753ffb8ff60bbb044dbeee5e5828b53679a87112de9116a431413e8e1480d29c71d3b4454577d95c781dc70e916