Analysis
- max time kernel: 150s
- max time network: 136s
- platform: windows7_x64
- resource: win7-20240705-en
- resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
- submitted: 15/07/2024, 06:58
Static task: static1
Behavioral task: behavioral1
- Sample: 48b4afdf7858765829821b31438b8038_JaffaCakes118.exe
- Resource: win7-20240705-en
Behavioral task: behavioral2
- Sample: 48b4afdf7858765829821b31438b8038_JaffaCakes118.exe
- Resource: win10v2004-20240709-en
General
- Target: 48b4afdf7858765829821b31438b8038_JaffaCakes118.exe
- Size: 290KB
- MD5: 48b4afdf7858765829821b31438b8038
- SHA1: 30b5e8d185ac21bb8d19dd43151f7dd257a9f3cc
- SHA256: 36927e7104d99ee422c43ba14d7c4d973961f902e0156659b997111189bb4bf7
- SHA512: 99c3c1e3c9b9eb22f968064faab86a78fec8dbee831a5b04fdc0d940951d618e3106db88ad118458cead1ad844faee6b75884a0c770e666f5632b850944e8461
- SSDEEP: 6144:FXdlvdqWLqOKp/B5RyaynzgvGq6JhW71Qgtm0DTgJvj:FXd/zL0/B5YzFHCtmH
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid 2708, process cmd.exe
- Executes dropped EXE (1 IoC)
  pid 1620, process dovu.exe
- Loads dropped DLL (2 IoCs)
  pid 1724, process 48b4afdf7858765829821b31438b8038_JaffaCakes118.exe (2 entries)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Run\{76E05B48-6E67-AD4F-AEBE-B031A9A3932C} = "C:\\Users\\Admin\\AppData\\Roaming\\Ykyxy\\dovu.exe", process dovu.exe
- Suspicious use of SetThreadContext (1 IoC)
  PID 1724 (48b4afdf7858765829821b31438b8038_JaffaCakes118.exe) set thread context of 2708, procid_target 31
- Modifies Internet Explorer settings (2 IoCs)
  Set value (int): \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0", process 48b4afdf7858765829821b31438b8038_JaffaCakes118.exe
  Key created: \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\Privacy, process 48b4afdf7858765829821b31438b8038_JaffaCakes118.exe
- Suspicious behavior: EnumeratesProcesses (31 IoCs)
  pid 1620, process dovu.exe (31 entries)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeSecurityPrivilege, pid 1724, process 48b4afdf7858765829821b31438b8038_JaffaCakes118.exe (3 entries)
- Suspicious use of UnmapMainImage (2 IoCs)
  pid 1724, process 48b4afdf7858765829821b31438b8038_JaffaCakes118.exe
  pid 1620, process dovu.exe
- Suspicious use of WriteProcessMemory (38 IoCs)
  PID 1724 (48b4afdf7858765829821b31438b8038_JaffaCakes118.exe) wrote to memory of 1620, procid_target 30 (4 entries)
  PID 1620 (dovu.exe) wrote to memory of 1116, procid_target 19 (5 entries)
  PID 1620 (dovu.exe) wrote to memory of 1200, procid_target 20 (5 entries)
  PID 1620 (dovu.exe) wrote to memory of 1256, procid_target 21 (5 entries)
  PID 1620 (dovu.exe) wrote to memory of 304, procid_target 23 (5 entries)
  PID 1620 (dovu.exe) wrote to memory of 1724, procid_target 29 (5 entries)
  PID 1724 (48b4afdf7858765829821b31438b8038_JaffaCakes118.exe) wrote to memory of 2708, procid_target 31 (9 entries)
Processes
- C:\Windows\system32\taskhost.exe
  command line: "taskhost.exe"
  PID: 1116
- C:\Windows\system32\Dwm.exe
  command line: "C:\Windows\system32\Dwm.exe"
  PID: 1200
- C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  PID: 1256
  - C:\Users\Admin\AppData\Local\Temp\48b4afdf7858765829821b31438b8038_JaffaCakes118.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\48b4afdf7858765829821b31438b8038_JaffaCakes118.exe"
    PID: 1724
    signatures: Loads dropped DLL; Suspicious use of SetThreadContext; Modifies Internet Explorer settings; Suspicious use of AdjustPrivilegeToken; Suspicious use of UnmapMainImage; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\Ykyxy\dovu.exe
      command line: "C:\Users\Admin\AppData\Roaming\Ykyxy\dovu.exe"
      PID: 1620
      signatures: Executes dropped EXE; Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of UnmapMainImage; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp56eb8b29.bat"
      PID: 2708
      signatures: Deletes itself
- C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID: 304
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 271B
  MD5: d4fbc002967efdba5dcb3dc313db4336
  SHA1: 89da69cac9a45c8e0360eeaf66a60bc1e193fd64
  SHA256: 15e887b2c0a47631716d2101e7772d174b19e4f150c2b1c32a405f1d38199550
  SHA512: 663fe24188892cf55952810f8817f0ae3306aafd4602ea0b8349983a867e3cef6e2b3b2d018ccaee2b35dc4632d49bd56e840eaebaae176c8a4a60dcb9c872b9
- Filesize: 380B
  MD5: 9c4c4a0bbc23ec1428d7300246fb6b48
  SHA1: ca8f2cd3909c43ae19711fb7f42ce5791b419dba
  SHA256: 4469a5aaef2f2dac35a090731ba36f6d8226f0a2b1f32a3565cb0821f8d50a02
  SHA512: 238d2d04d500bb8110f21a56482724f66067b5fd46048fd474effcc2d08793f7324c981a82e7818e9be74476e9b7839e64fad84d2c99782eae8adf77003b7f48
- Filesize: 290KB
  MD5: cf88d217a0052de75018d5c1580dcc9b
  SHA1: c07ac8e377fbde07b92baf8f6b645301157033f9
  SHA256: de6bc2ee5c40cb1fcf463d251639b18e69c258deb5afc1a2a0d1b71f6464b8a9
  SHA512: 36032a15796590d76694a036efba46ea3e0a86ae2cf8ffae967239b2a2a0be1eefa372dd1bb7d325fa45afd8cd2ab9c0fb18db5d452bde14e40adc0d6d00b76b