Analysis
max time kernel: 117s
max time network: 118s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system
submitted: 14/07/2024, 09:58
Static task: static1
Behavioral task: behavioral1
  Sample: 4553748f300676873e21f4f5b1de46e0_JaffaCakes118.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: 4553748f300676873e21f4f5b1de46e0_JaffaCakes118.exe
  Resource: win10v2004-20240709-en
General
Target: 4553748f300676873e21f4f5b1de46e0_JaffaCakes118.exe
Size: 1.4MB
MD5: 4553748f300676873e21f4f5b1de46e0
SHA1: d073da1d10a9625ec3c5f2f8b546add37cf15af1
SHA256: 9db4e53122eed4bba862ad50550232aff82e8d5de4706da219c4f7404191907a
SHA512: d98354f02e806ada99016aa0bc8ad8b8dc8ed39346e5c3b4ffd9dc2dfc97407db93fd4da2b4d9a525ac02a52c8b2df2a142a83d3fa5b59742c8b5271bd2b2101
SSDEEP: 24576:pcs3MKLBDY7Ryy0fNRqTb+UO8lZN899ysIOmQuKa/57HaLtVDpEYfMoR:P1LBUPoj6tv49yL2Pa9SV7p
Malware Config
Signatures
Executes dropped EXE (4 IoCs)
pid | Process
2300 | msiinst.exe
2720 | MsiExec.exe
2564 | MsiExec.exe
2572 | MsiExec.exe

Loads dropped DLL (15 IoCs)
pid | Process
2604 | 4553748f300676873e21f4f5b1de46e0_JaffaCakes118.exe
2604 | 4553748f300676873e21f4f5b1de46e0_JaffaCakes118.exe
2300 | msiinst.exe
2300 | msiinst.exe
2300 | msiinst.exe
2300 | msiinst.exe
2300 | msiinst.exe
2720 | MsiExec.exe
2720 | MsiExec.exe
2300 | msiinst.exe
2300 | msiinst.exe
2564 | MsiExec.exe
2564 | MsiExec.exe
2572 | MsiExec.exe
2572 | MsiExec.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 4553748f300676873e21f4f5b1de46e0_JaffaCakes118.exe
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\A: | MsiExec.exe
File opened (read-only) | \??\H: | MsiExec.exe
File opened (read-only) | \??\K: | MsiExec.exe
File opened (read-only) | \??\N: | MsiExec.exe
File opened (read-only) | \??\R: | MsiExec.exe
File opened (read-only) | \??\S: | MsiExec.exe
File opened (read-only) | \??\V: | MsiExec.exe
File opened (read-only) | \??\G: | MsiExec.exe
File opened (read-only) | \??\I: | MsiExec.exe
File opened (read-only) | \??\J: | MsiExec.exe
File opened (read-only) | \??\M: | MsiExec.exe
File opened (read-only) | \??\P: | MsiExec.exe
File opened (read-only) | \??\U: | MsiExec.exe
File opened (read-only) | \??\X: | MsiExec.exe
File opened (read-only) | \??\E: | MsiExec.exe
File opened (read-only) | \??\Q: | MsiExec.exe
File opened (read-only) | \??\Z: | MsiExec.exe
File opened (read-only) | \??\B: | MsiExec.exe
File opened (read-only) | \??\L: | MsiExec.exe
File opened (read-only) | \??\O: | MsiExec.exe
File opened (read-only) | \??\T: | MsiExec.exe
File opened (read-only) | \??\W: | MsiExec.exe
File opened (read-only) | \??\Y: | MsiExec.exe
Drops file in System32 directory (11 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\msls31.dll | MsiExec.exe
File opened for modification | C:\Windows\SysWOW64\mspatcha.dll | MsiExec.exe
File opened for modification | C:\Windows\SysWOW64\usp10.dll | MsiExec.exe
File opened for modification | C:\Windows\SysWOW64\shfolder.dll | MsiExec.exe
File opened for modification | C:\Windows\SysWOW64\msihnd.dll | MsiExec.exe
File opened for modification | C:\Windows\SysWOW64\msi.dll | MsiExec.exe
File opened for modification | C:\Windows\SysWOW64\cabinet.dll | MsiExec.exe
File opened for modification | C:\Windows\SysWOW64\riched20.dll | MsiExec.exe
File opened for modification | C:\Windows\SysWOW64\Imagehlp.dll | MsiExec.exe
File opened for modification | C:\Windows\SysWOW64\msimsg.dll | MsiExec.exe
File opened for modification | C:\Windows\SysWOW64\msiexec.exe | MsiExec.exe
Modifies registry class (64 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IMsiServer\CLSID | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\APPID | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Msi.Patch\ = "Windows Installer Patch" | MsiExec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\.msi | MsiExec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Msi.Package\shell\Repair | MsiExec.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Msi.Patch | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.msp | MsiExec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Msi.Package\shell\Repair\command | MsiExec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Msi.Package\shell\Uninstall | MsiExec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\.msp | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{000C101D-0000-0000-C000-000000000046}\ = "IMsiMessage" | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.msi | MsiExec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Msi.Package\shell\Open | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Msi.Package\shell\Uninstall\command\ = "\"C:\\Windows\\system32\\msiexec.exe\" /x \"%1\" %*" | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Msi.Package\shell\Uninstall\ = "&Uninstall" | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{000C1033-0000-0000-C000-000000000046}\NumMethods | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.msp\ = "Msi.Patch" | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.msi\ = "Msi.Package" | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Msi.Patch\shell\Open\ = "&Apply Patch" | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{000C1090-0000-0000-C000-000000000046}\InprocServer32 | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.msi\ = "Msi.Package" | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Msi.Package\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\MsiExec.exe,0" | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Msi.Package | MsiExec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Msi.Package\shell\Open\command | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{000C1025-0000-0000-C000-000000000046}\ProxyStubClsid32 | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{000C101C-0000-0000-C000-000000000046} | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{000C1090-0000-0000-C000-000000000046}\ProgId | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{000C1094-0000-0000-C000-000000000046}\InprocServer32 | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Msi.Patch\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\MsiExec.exe,0" | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.msp\ = "Msi.Patch" | MsiExec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Msi.Patch\shell\Open\command | MsiExec.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\.MSI | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IMsiServer | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{000C101C-0000-0000-C000-000000000046}\ProxyStubClsid32 | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WindowsInstaller.Message | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{000C101D-0000-0000-C000-000000000046} | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Msi.Package\DefaultIcon | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{000C1025-0000-0000-C000-000000000046} | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Msi.Patch | MsiExec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Msi.Package\shell | MsiExec.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\.msp | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{000C101D-0000-0000-C000-000000000046}\NumMethods | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{000C1094-0000-0000-C000-000000000046} | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WindowsInstaller.Message\CLSID | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Msi.Package\shell\Repair\ = "Re&pair" | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Msi.Patch\shell\Open\command\ = "\"C:\\Windows\\system32\\msiexec.exe\" /p \"%1\" %*" | MsiExec.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\MSI.PATCH\DEFAULTICON | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{000C101C-0000-0000-C000-000000000046} | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{000C1025-0000-0000-C000-000000000046}\NumMethods | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{000C1090-0000-0000-C000-000000000046}\InprocHandler32 | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WindowsInstaller.Installer | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Msi.Package\shell\Open\command\ = "\"C:\\Windows\\system32\\msiexec.exe\" /i \"%1\" %*" | MsiExec.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\MSI.PACKAGE\DEFAULTICON | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\APPID\{000C101C-0000-0000-C000-000000000046} | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{000C1033-0000-0000-C000-000000000046} | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{000C103E-0000-0000-C000-000000000046}\InProcServer32 | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{000C1090-0000-0000-C000-000000000046}\TypeLib | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Msi.Package\ = "Windows Installer Package" | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Msi.Package\shell\Repair\command\ = "\"C:\\Windows\\system32\\msiexec.exe\" /f \"%1\" %*" | MsiExec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Msi.Package\shell\Uninstall\command | MsiExec.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Msi.Package | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{000C101D-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{000C103E-0000-0000-C000-000000000046}" | MsiExec.exe
Suspicious use of AdjustPrivilegeToken (5 IoCs)
description | pid | Process
Token: SeShutdownPrivilege | 2564 | MsiExec.exe
Token: SeIncreaseQuotaPrivilege | 2564 | MsiExec.exe
Token: SeSecurityPrivilege | 2564 | MsiExec.exe
Token: SeTakeOwnershipPrivilege | 2564 | MsiExec.exe
Token: SeRestorePrivilege | 2564 | MsiExec.exe
Suspicious use of WriteProcessMemory (28 IoCs)
description | pid | Process | procid_target
PID 2604 wrote to memory of 2300 | 2604 | 4553748f300676873e21f4f5b1de46e0_JaffaCakes118.exe | 30
PID 2604 wrote to memory of 2300 | 2604 | 4553748f300676873e21f4f5b1de46e0_JaffaCakes118.exe | 30
PID 2604 wrote to memory of 2300 | 2604 | 4553748f300676873e21f4f5b1de46e0_JaffaCakes118.exe | 30
PID 2604 wrote to memory of 2300 | 2604 | 4553748f300676873e21f4f5b1de46e0_JaffaCakes118.exe | 30
PID 2604 wrote to memory of 2300 | 2604 | 4553748f300676873e21f4f5b1de46e0_JaffaCakes118.exe | 30
PID 2604 wrote to memory of 2300 | 2604 | 4553748f300676873e21f4f5b1de46e0_JaffaCakes118.exe | 30
PID 2604 wrote to memory of 2300 | 2604 | 4553748f300676873e21f4f5b1de46e0_JaffaCakes118.exe | 30
PID 2300 wrote to memory of 2720 | 2300 | msiinst.exe | 31
PID 2300 wrote to memory of 2720 | 2300 | msiinst.exe | 31
PID 2300 wrote to memory of 2720 | 2300 | msiinst.exe | 31
PID 2300 wrote to memory of 2720 | 2300 | msiinst.exe | 31
PID 2300 wrote to memory of 2720 | 2300 | msiinst.exe | 31
PID 2300 wrote to memory of 2720 | 2300 | msiinst.exe | 31
PID 2300 wrote to memory of 2720 | 2300 | msiinst.exe | 31
PID 2300 wrote to memory of 2564 | 2300 | msiinst.exe | 32
PID 2300 wrote to memory of 2564 | 2300 | msiinst.exe | 32
PID 2300 wrote to memory of 2564 | 2300 | msiinst.exe | 32
PID 2300 wrote to memory of 2564 | 2300 | msiinst.exe | 32
PID 2300 wrote to memory of 2564 | 2300 | msiinst.exe | 32
PID 2300 wrote to memory of 2564 | 2300 | msiinst.exe | 32
PID 2300 wrote to memory of 2564 | 2300 | msiinst.exe | 32
PID 2564 wrote to memory of 1984 | 2564 | MsiExec.exe | 35
PID 2564 wrote to memory of 1984 | 2564 | MsiExec.exe | 35
PID 2564 wrote to memory of 1984 | 2564 | MsiExec.exe | 35
PID 2564 wrote to memory of 1984 | 2564 | MsiExec.exe | 35
PID 2564 wrote to memory of 1984 | 2564 | MsiExec.exe | 35
PID 2564 wrote to memory of 1984 | 2564 | MsiExec.exe | 35
PID 2564 wrote to memory of 1984 | 2564 | MsiExec.exe | 35
Processes
C:\Users\Admin\AppData\Local\Temp\4553748f300676873e21f4f5b1de46e0_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4553748f300676873e21f4f5b1de46e0_JaffaCakes118.exe"
  PID: 2604
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\msiinst.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\msiinst.exe /i instmsi.msi /qb+
    PID: 2300
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MsiExec.exe
      Command line: MsiExec.exe /regserver
      PID: 2720
      - Executes dropped EXE
      - Loads dropped DLL
      - Modifies registry class
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MsiExec.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\msiinst.exe /i instmsi.msi /qb+
      PID: 2564
      - Executes dropped EXE
      - Loads dropped DLL
      - Enumerates connected drives
      - Drops file in System32 directory
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\msiexec.exe
        Command line: "C:\Windows\system32\msiexec.exe" /regserverCA
        PID: 1984
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MsiExec.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MsiExec.exe /V
  PID: 2572
  - Executes dropped EXE
  - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1.7MB
MD5: 1fff0ad0e5cbb7f910911b455d651eae
SHA1: b657448eb7c2646d124c8c3d5f6a4c4bf36daa54
SHA256: 9aea91635605c1ed8f57d01030c4b173d7c894d742ac9c5c6784a8e3458f1105
SHA512: 69d09f8718663f38517e56768e284f8763ce2eb9fc3ce6e91250b209b7d64afa328f0a647891772c11e7bdec82cf679e55a04331cd339ab40b5cc4c89af194bc

Filesize: 679KB
MD5: 528846710b84cf29b3fbae8b5a12e028
SHA1: 417e88f96cdb9effefb5ec8be020c36367674e40
SHA256: 706cc97d4aca7dee485d8de6d5f5e286a513bf11bca11fbf321430de760c7801
SHA512: 8174b1413b4db9e9347e114d1402aa34a80fcc616cc5c68273f2a36b4b4da21745d4956bf9808bd9516bd0489b8defabcfe0da1f3a82f651d7db495636660353

Filesize: 680KB
MD5: 637320b4d6a81f21edb5f45abd1d02fa
SHA1: ea0b4081bcccbf797c32172fafa5bd732b61acec
SHA256: 34e6013cd82abd7f5fc1879c3f27b10899bdf3833bf93cbb81d3eb72c3c62be3
SHA512: 662dff4d02ce4feac27cd378728428943a5b7fad30b71a2ffd9f38517b835c05bf48fc4bc59a24ce86a657b2eaf5ce00939ede1e2badbf39c3bb20d4d0d7df39

Filesize: 46KB
MD5: 4dd11f4fd21897f4629cb6e68b8d8b5b
SHA1: 60df48206ad37cfacdd91d88d5614a78d7d843d6
SHA256: b896a92bfd15a51e3c44e5a9131af437605376357abe44e28d101d35779b58d0
SHA512: bfab354421b494fb0ccc3369e25b335d92c74973fd2393df1a1b8e56c547c88e6abf8364e559ff7ca998a13adddf5114638333d3cd0108cf12cee54702dc8d2f

Filesize: 6KB
MD5: 7499489b7d11eee16eff127a764a8f28
SHA1: 341d4e290537932cdeb2f3321f99d18a778220d0
SHA256: 4bae6fb6d6d4907d259959315f35e74c183f594e6f8145353377eb55162fb004
SHA512: e8fdfc6abdc5e6bc26d467eafa71060cb06e4320b79e9ba8f8328c78aa58f5f42389d729b1e5d95454d67958f51d7361aac261e48498a2aeb1f31cb0e6a0caec