Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 150s
max time network: 123s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 15/07/2024, 06:11
Static task: static1
Behavioral task: behavioral1
  Sample: 488e22d7fefe8ac231d2da624ad96498_JaffaCakes118.exe
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: 488e22d7fefe8ac231d2da624ad96498_JaffaCakes118.exe
  Resource: win10v2004-20240709-en
General
Target: 488e22d7fefe8ac231d2da624ad96498_JaffaCakes118.exe
Size: 4.4MB
MD5: 488e22d7fefe8ac231d2da624ad96498
SHA1: c3ae5927011b05ffab8f621b39ef82402754181d
SHA256: d32b094a2764078bf688d43a4fb94d237c2df90c5dd522ea74c95e19adc46e4f
SHA512: 12feed704854f45bd036236f058caa50bec6bed4f2f822bd6d0f59ebf76c9b24d4af78406159a800828155993cf02201d65b1168d4958ee59966e4731aadcc1d
SSDEEP: 98304:2DrVIXQGHHmg/HoHoxCQ8b/ahNlkQuyPgIhgp0wTA:OIXnjvoHo8QkahNSQucxupzk
Malware Config
Signatures
Executes dropped EXE (4 IoCs)
pid  Process
2728 _692F.tmpac7d.exe
3012 securitymanager.exe
2584 Security_Monitor2012.exe
1632 123.exe
Loads dropped DLL (20 IoCs)
pid  Process (events)
2780 488e22d7fefe8ac231d2da624ad96498_JaffaCakes118.exe (12)
1060 rundll32.exe (4)
1600 rundll32.exe (4)
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 5 IoCs)
All values are written under \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run
description | value name = data | Process
Set value (str) | Security Monitor 2012 = C:\Users\Admin\AppData\Roaming\Security Monitor 12\securitymanager.exe | securitymanager.exe
Set value (str) | n4g4kowrc7f0 = C:\Users\Admin\AppData\Local\Temp\488e22d7fefe8ac231d2da624ad96498_JaffaCakes118.exe | 488e22d7fefe8ac231d2da624ad96498_JaffaCakes118.exe
Set value (str) | Security Monitor 12 = "C:\Users\Admin\AppData\Roaming\Security Monitor 12\Security_Monitor2012.exe" /STARTUP | 488e22d7fefe8ac231d2da624ad96498_JaffaCakes118.exe
Set value (str) | Security Monitor 2012 = C:\Users\Admin\AppData\Roaming\Security Monitor 12\securitymanager.exe | 488e22d7fefe8ac231d2da624ad96498_JaffaCakes118.exe
Set value (str) | eapMobile90 = rundll32.exe "C:\Users\Admin\AppData\Local\ieEventVdm\eapMobile90.dll",isaapiplugin nsCommonlib | rundll32.exe
Note that the first value is written with an unquoted path containing spaces, and that the eapMobile90 value does not point at an executable at all but at rundll32.exe loading a DLL from the user profile.
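The Run values above are the kind of record an analyst pulls out of a sandbox report to decide which persistence entries matter. The following is an added example (not tria.ge code and not part of the report) that takes the five value writes as a constructed input and scores each one: it resolves what would actually be started (the image, or for rundll32 the DLL it loads), checks whether that lives in a user-writable directory, flags random-looking value names, and flags unquoted paths with spaces. The tuple layout, the USER_WRITABLE list and the looks_random heuristic are all assumptions of this example.

```python
import ntpath
import re
from typing import NamedTuple

# Run key reported by the sandbox (SID and key path as they appear in the report).
RUN_KEY = (r"\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000"
           r"\Software\Microsoft\Windows\CurrentVersion\Run")

# Constructed sample: the five Run-value writes from the report as
# (value name, value data, writing process). The tuple layout is an assumption.
RUN_KEY_IOCS = [
    ("Security Monitor 2012",
     r"C:\Users\Admin\AppData\Roaming\Security Monitor 12\securitymanager.exe",
     "securitymanager.exe"),
    ("n4g4kowrc7f0",
     r"C:\Users\Admin\AppData\Local\Temp\488e22d7fefe8ac231d2da624ad96498_JaffaCakes118.exe",
     "488e22d7fefe8ac231d2da624ad96498_JaffaCakes118.exe"),
    ("Security Monitor 12",
     r'"C:\Users\Admin\AppData\Roaming\Security Monitor 12\Security_Monitor2012.exe" /STARTUP',
     "488e22d7fefe8ac231d2da624ad96498_JaffaCakes118.exe"),
    ("Security Monitor 2012",
     r"C:\Users\Admin\AppData\Roaming\Security Monitor 12\securitymanager.exe",
     "488e22d7fefe8ac231d2da624ad96498_JaffaCakes118.exe"),
    ("eapMobile90",
     r'rundll32.exe "C:\Users\Admin\AppData\Local\ieEventVdm\eapMobile90.dll",isaapiplugin nsCommonlib',
     "rundll32.exe"),
]

# Directory fragments a standard user can write to; a Run value pointing here
# needs no privilege to plant and survives reboot. Heuristic list (assumption).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


class Finding(NamedTuple):
    value_name: str
    image: str      # executable that CreateProcess would start
    payload: str    # what really runs: the image, or the DLL when image is rundll32
    writer: str
    reasons: tuple


def launched_image(data: str):
    """Split Run-value data into (image path, remaining arguments).

    Quoted data is unambiguous. Unquoted data with spaces is resolved up to the
    first .exe/.dll suffix, which is where CreateProcess ends up after trying the
    shorter prefixes first (the classic unquoted-path ambiguity).
    """
    data = data.strip()
    if data.startswith('"'):
        end = data.index('"', 1)
        return data[1:end], data[end + 1:].strip()
    m = re.match(r"(.+?\.(?:exe|dll))(.*)", data, re.IGNORECASE)
    if m:
        return m.group(1), m.group(2).strip()
    head, _, rest = data.partition(" ")
    return head, rest


def looks_random(name: str) -> bool:
    """Heuristic: generated names interleave letters and digits many times."""
    if " " in name or len(name) < 8:
        return False
    classes = ["d" if c.isdigit() else "a" for c in name if c.isalnum()]
    flips = sum(1 for a, b in zip(classes, classes[1:]) if a != b)
    return flips >= 3


def user_writable(path: str) -> bool:
    p = path.lower()
    return any(fragment in p for fragment in USER_WRITABLE)


def triage(iocs) -> list:
    findings = []
    for value_name, data, writer in iocs:
        image, rest = launched_image(data)
        payload = image
        reasons = []
        if ntpath.basename(image).lower() == "rundll32.exe":
            # rundll32 is only the host; the DLL it loads is the persistence payload
            payload, _ = launched_image(rest)
            reasons.append("rundll32 proxy execution of a DLL")
        if user_writable(payload):
            reasons.append("payload in user-writable path")
        if looks_random(value_name):
            reasons.append("random-looking value name")
        if not data.startswith('"') and " " in image:
            reasons.append("unquoted path with spaces")
        findings.append(Finding(value_name, image, payload, writer, tuple(reasons)))
    return findings


if __name__ == "__main__":
    for f in triage(RUN_KEY_IOCS):
        print(f"{RUN_KEY}\\{f.value_name}")
        print(f"  runs: {f.payload}  (written by {f.writer})")
        print("  flags:", ", ".join(f.reasons) or "none")
```

Every one of the five values gets at least one flag; in a real hunt the same checks run over `reg query` or Sysmon EventID 13 output rather than a sandbox report, and the rundll32 branch is the one worth keeping because a Run value naming rundll32.exe looks benign to a plain "is the image signed" check.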
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops file in System32 directory (1 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\ntdll.dll.log | securitymanager.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
NSIS installer (1 IoCs)
resource: behavioral1/files/0x000a000000015cde-44.dat
yara_rule: nsis_installer_2
Modifies registry class (8 IoCs)
All by rundll32.exe under \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Wow6432Node\CLSID\{AEBCE60C-B5F0-74DA-1CFD-6427F0B5DA74}; paths below are relative to the _CLASSES hive.
description | ioc | Process
Set value (str) | Wow6432Node\CLSID\{AEBCE60C-B5F0-74DA-1CFD-6427F0B5DA74}\Categories\{A4140239-15C4-B0C9-C558-B7E1CC10F550} = "1721023907" | rundll32.exe
Set value (str) | Wow6432Node\CLSID\{AEBCE60C-B5F0-74DA-1CFD-6427F0B5DA74}\Categories\{6C6417EB-155A-E5E0-8746-3034C2850CB9} = "478062" | rundll32.exe
Key created | Wow6432Node\CLSID\{AEBCE60C-B5F0-74DA-1CFD-6427F0B5DA74}\Categories | rundll32.exe
Key created | Wow6432Node | rundll32.exe
Key created | Wow6432Node\CLSID | rundll32.exe
Key created | Wow6432Node\CLSID\{AEBCE60C-B5F0-74DA-1CFD-6427F0B5DA74} | rundll32.exe
Set value (str) | Wow6432Node\CLSID\{AEBCE60C-B5F0-74DA-1CFD-6427F0B5DA74}\Categories\{B41070F6-45CE-7F9C-56A1-559FCE459C7F} = "vOm8MqXES23Yhy4g2OZE2d" | rundll32.exe
Key created | Wow6432Node\CLSID\{AEBCE60C-B5F0-74DA-1CFD-6427F0B5DA74}\Categories | rundll32.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid  Process (events)
2584 Security_Monitor2012.exe (64)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2780 | 488e22d7fefe8ac231d2da624ad96498_JaffaCakes118.exe
Token: SeDebugPrivilege | 2584 | Security_Monitor2012.exe
Suspicious use of FindShellTrayWindow (3 IoCs)
pid  Process (events)
3012 securitymanager.exe (1)
2584 Security_Monitor2012.exe (2)
Suspicious use of SendNotifyMessage (3 IoCs)
pid  Process (events)
3012 securitymanager.exe (1)
2584 Security_Monitor2012.exe (2)
Suspicious use of SetWindowsHookEx (8 IoCs)
pid  Process (events)
2780 488e22d7fefe8ac231d2da624ad96498_JaffaCakes118.exe (2)
2584 Security_Monitor2012.exe (6)
Suspicious use of WriteProcessMemory (38 IoCs)
The 38 records collapse to eight unique writer/target pairs; the count per pair is given in parentheses.
writer pid (Process) -> target pid [procid_target] (events)
2780 (488e22d7fefe8ac231d2da624ad96498_JaffaCakes118.exe) -> 2728 [30] (4)
2780 (488e22d7fefe8ac231d2da624ad96498_JaffaCakes118.exe) -> 3012 [32] (4)
2780 (488e22d7fefe8ac231d2da624ad96498_JaffaCakes118.exe) -> 1632 [33] (4)
2780 (488e22d7fefe8ac231d2da624ad96498_JaffaCakes118.exe) -> 2584 [34] (4)
2780 (488e22d7fefe8ac231d2da624ad96498_JaffaCakes118.exe) -> 600 [35] (4)
1632 (123.exe) -> 1060 [37] (7)
2780 (488e22d7fefe8ac231d2da624ad96498_JaffaCakes118.exe) -> 664 [38] (4)
1060 (rundll32.exe) -> 1600 [42] (7)
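The WriteProcessMemory records are a flat, heavily repeated list, but they carry the parent/child relationships the Processes section draws as a tree. The following is an added example (not tria.ge code and not part of the report) that parses a constructed subset of those records, collapses the repeats into unique writer-to-target edges with counts, finds the root launcher, and renders the tree. The record regex, the TARGET_NAMES map (filled from the Processes section, since the records only name the writer) and the one-record-per-line sample are assumptions of this example; the parser also accepts the report's glued single-line form.

```python
import re
from collections import OrderedDict
from typing import NamedTuple

# Constructed sample: a subset of the "wrote to memory of" records from the
# report, one per line (the report glues them into one line; findall handles
# both). Layout: PID <writer> wrote to memory of <target> <writer> <writer image>
# <sandbox process id of the target>.
RAW_RECORDS = """\
PID 2780 wrote to memory of 2728 2780 488e22d7fefe8ac231d2da624ad96498_JaffaCakes118.exe 30
PID 2780 wrote to memory of 2728 2780 488e22d7fefe8ac231d2da624ad96498_JaffaCakes118.exe 30
PID 2780 wrote to memory of 3012 2780 488e22d7fefe8ac231d2da624ad96498_JaffaCakes118.exe 32
PID 2780 wrote to memory of 1632 2780 488e22d7fefe8ac231d2da624ad96498_JaffaCakes118.exe 33
PID 2780 wrote to memory of 2584 2780 488e22d7fefe8ac231d2da624ad96498_JaffaCakes118.exe 34
PID 2780 wrote to memory of 600 2780 488e22d7fefe8ac231d2da624ad96498_JaffaCakes118.exe 35
PID 1632 wrote to memory of 1060 1632 123.exe 37
PID 1632 wrote to memory of 1060 1632 123.exe 37
PID 2780 wrote to memory of 664 2780 488e22d7fefe8ac231d2da624ad96498_JaffaCakes118.exe 38
PID 1060 wrote to memory of 1600 1060 rundll32.exe 42
PID 1060 wrote to memory of 1600 1060 rundll32.exe 42
PID 1060 wrote to memory of 1600 1060 rundll32.exe 42
"""

# Image names of target processes, taken from the report's Processes tree
# (assumed mapping; the records themselves only name the writer).
TARGET_NAMES = {
    2728: "_692F.tmpac7d.exe", 3012: "securitymanager.exe", 1632: "123.exe",
    2584: "Security_Monitor2012.exe", 600: "cmd.exe", 664: "cmd.exe",
    1060: "rundll32.exe", 1600: "rundll32.exe",
}

# \1 enforces that the writer PID is repeated, which is how the report lays it out.
RECORD_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)")


class Write(NamedTuple):
    writer: int
    target: int
    writer_image: str
    target_id: int   # sandbox-internal process id, not the OS PID


def parse_records(text: str) -> list:
    return [Write(int(w), int(t), img, int(tid))
            for w, t, img, tid in RECORD_RE.findall(text)]


def build_tree(writes):
    """Collapse repeated writer->target records into unique edges with counts.

    Returns (children, counts, names): children maps a PID to its targets in
    order of first appearance; counts maps (writer, target) to the number of
    records; names maps every PID seen to an image name.
    """
    children, counts, names = OrderedDict(), {}, dict(TARGET_NAMES)
    for w in writes:
        names.setdefault(w.writer, w.writer_image)
        counts[(w.writer, w.target)] = counts.get((w.writer, w.target), 0) + 1
        kids = children.setdefault(w.writer, [])
        if w.target not in kids:
            kids.append(w.target)
    return children, counts, names


def find_roots(children) -> list:
    """PIDs that wrote into others but were never written into: the launchers."""
    targets = {t for kids in children.values() for t in kids}
    return [pid for pid in children if pid not in targets]


def render_tree(children, counts, names, root: int, depth: int = 0) -> list:
    lines = ["  " * depth + f"{root} {names.get(root, '?')}"]
    for kid in children.get(root, []):
        n = counts[(root, kid)]
        sub = render_tree(children, counts, names, kid, depth + 1)
        sub[0] += f" ({n} write{'s' if n != 1 else ''} from {root})"
        lines.extend(sub)
    return lines


if __name__ == "__main__":
    writes = parse_records(RAW_RECORDS)
    children, counts, names = build_tree(writes)
    print(f"{len(writes)} records -> {len(counts)} unique parent/child edges")
    for root in find_roots(children):
        print("\n".join(render_tree(children, counts, names, root)))
```

On the full report the same collapse turns 38 records into the eight edges listed above, with the two rundll32 stages (1632 -> 1060 and 1060 -> 1600) receiving seven writes each against four for every direct child of 2780; a parent writing into a child it has just created is what CreateProcess looks like from this vantage point, so the tree, not the raw count, is what tells you where the chain actually branches.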
Processes
PID 2780  C:\Users\Admin\AppData\Local\Temp\488e22d7fefe8ac231d2da624ad96498_JaffaCakes118.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\488e22d7fefe8ac231d2da624ad96498_JaffaCakes118.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID 2728  C:\Users\Admin\AppData\Local\Temp\_692F.tmpac7d.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\_692F.tmpac7d.exe" -p"09:03 PM" -y -o"C:\Users\Admin\AppData\Roaming\Security Monitor 12"
    - Executes dropped EXE
  PID 3012  C:\Users\Admin\AppData\Roaming\Security Monitor 12\securitymanager.exe
    cmdline: "C:\Users\Admin\AppData\Roaming\Security Monitor 12\securitymanager.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  PID 1632  C:\Users\Admin\AppData\Roaming\Security Monitor 12\123.exe
    cmdline: "C:\Users\Admin\AppData\Roaming\Security Monitor 12\123.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID 1060  C:\Windows\SysWOW64\rundll32.exe
      cmdline: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\DRMCommoncdrom.dll", isaapiplugin UtilGLspl
      - Loads dropped DLL
      - Adds Run key to start application
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
      PID 1600  C:\Windows\SysWOW64\rundll32.exe
        cmdline: rundll32.exe "C:\Users\Admin\AppData\Local\ieEventVdm\eapMobile90.dll",isaapiplugin nsCommonlib
        - Loads dropped DLL
        - Modifies registry class
  PID 2584  C:\Users\Admin\AppData\Roaming\Security Monitor 12\Security_Monitor2012.exe
    cmdline: "C:\Users\Admin\AppData\Roaming\Security Monitor 12\Security_Monitor2012.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
  PID 600  C:\Windows\SysWOW64\cmd.exe
    cmdline: cmd.exe /C dir "C:\Users\Admin\AppData\Roaming"
  PID 664  C:\Windows\SysWOW64\cmd.exe
    cmdline: cmd.exe /C dir "C:\Users\Admin\AppData\Roaming\Security Monitor 12"
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 2.7MB
MD5: 45f906b15c0a53a1688e792fa9f05d5e
SHA1: e3651d7c78869bdd686adab9277b479fa275f72b
SHA256: 55cf03c9d94c6c4ca06f994ff63ced67cce69656ca6805632ab213d4e508ba9c
SHA512: d93b751be6c92f69efb363079e259fe10691545ad4b02ac39028bfc185bf698b17aef98722980b1bc5de0f45d8172b242bb5729bcc65217d559cb7c1c8452169

Filesize: 128KB
MD5: affff428b96e72947df0b159b042489c
SHA1: 3c2648d0b9b235268acd37577a3a347e56774f7e
SHA256: 60aee595074d9e8ddf8e27e6bd5aca6990d3591edac4f5c9eac31de4ea7a3778
SHA512: 23d8b474176eaa5b2b865ea408f2054df354417ff47f4d9ef2bfbb9d5700035b141f7de997adbdd48d76e3b88ba34eb45b952601b8f7fc22e960f87e6f84f8b3

Filesize: 2.8MB
MD5: 6dcaabfdc99c0b22ee13614a22e59a42
SHA1: 9d9d3cf2bf3cbd471a76beb6cd57499a3f727460
SHA256: 1152efbb8547564f5580a870d0b60efaa5898f9264de0c400544f8b354d34c44
SHA512: acc738dc83e2f51c9dac458d896d0c581881ac1528dc47773abbc95c344acef1fc83251edfcd093e62c442d104cad72b8b5adadc85cc032f0e6a0fe088350d2a

Filesize: 645KB
MD5: 1e0af74d8e1d00bfeb97faf4cc9d3b82
SHA1: 4b9b185c71aee14a7b1ca873780028ad8609a0bd
SHA256: acbbd26008134ea347438dd270fc36c152585839d10fe5988ae1df0f62e7ac32
SHA512: efb2375ff173000a7ea1cb03c6922b4b085c4c84ccccfffb3dc6f07c0c3d398d3992a80266f1297df9046e519fbdf915aebb4e4fec4e607586d3dc62d4105df3

Filesize: 156KB
MD5: 3454b7805cb0971ceab4e9c3c6c7c523
SHA1: 110048071b101fdc9460381d5ab8a7213813f283
SHA256: 7defbf9dfc04bd9f60566cd5a83f14118e7259cd3cc907d9eff0378d80ef8e72
SHA512: 0a69a092e8e2eedcd52fa633354b1069c3e37d82c54c2d82ccc3f4ca7053d20b0ab61afe877d960f4e88a765c5f0fdb612ad4ea2b0806ad995fdbb6116bea1e0