Analysis
- max time kernel: 149s
- max time network: 148s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 15/07/2024, 14:17
Static task: static1
Behavioral task: behavioral1
- Sample: 4a076785e9786324bb852dd5bc27f10b_JaffaCakes118.exe
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: 4a076785e9786324bb852dd5bc27f10b_JaffaCakes118.exe
- Resource: win10v2004-20240709-en
General
- Target: 4a076785e9786324bb852dd5bc27f10b_JaffaCakes118.exe
- Size: 308KB
- MD5: 4a076785e9786324bb852dd5bc27f10b
- SHA1: c6be8931dc7cdbea53c324f76e7f950996b3f26d
- SHA256: 677cbeea7c87e4e03da87d71137897b200e2b0170950ddc958a72c09674b1685
- SHA512: 30e543bebfc0a92fc4b8a946e1fb99abd2792951c91bd62911771e4db2a23eed4e598edb14fdc96abf7b6222b75320d98397b4923c808b98eed01212be0ed38f
- SSDEEP: 6144:J3fJkqmWbIu2Zj5BIqJRlBzJwAXBOGOM:JdbIuETZRvxBQ
Malware Config
Signatures
Detects PlugX payload 21 IoCs
Adds Run key to start application 2 TTPs 2 IoCs
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WokKStation services = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\4a076785e9786324bb852dd5bc27f10b_JaffaCakes118.exe\"" (process: 4a076785e9786324bb852dd5bc27f10b_JaffaCakes118.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\WokKStation services = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\4a076785e9786324bb852dd5bc27f10b_JaffaCakes118.exe\"" (process: 4a076785e9786324bb852dd5bc27f10b_JaffaCakes118.exe)
Modifies registry class 2 IoCs
- Key created \REGISTRY\MACHINE\Software\CLASSES\MJ (process: svchost.exe)
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\MJ\CLSID = 45003100440035003300320032003800320031003200380046004300390044000000 (process: svchost.exe)
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
- PID 2324 svchost.exe
- PID 3000 msiexec.exe
Suspicious use of AdjustPrivilegeToken 10 IoCs
- Token: SeDebugPrivilege, PID 2112, 4a076785e9786324bb852dd5bc27f10b_JaffaCakes118.exe
- Token: SeTcbPrivilege, PID 2112, 4a076785e9786324bb852dd5bc27f10b_JaffaCakes118.exe
- Token: SeDebugPrivilege, PID 2112, 4a076785e9786324bb852dd5bc27f10b_JaffaCakes118.exe
- Token: SeTcbPrivilege, PID 2112, 4a076785e9786324bb852dd5bc27f10b_JaffaCakes118.exe
- Token: SeDebugPrivilege, PID 2324, svchost.exe
- Token: SeTcbPrivilege, PID 2324, svchost.exe
- Token: SeDebugPrivilege, PID 2644, svchost.exe
- Token: SeTcbPrivilege, PID 2644, svchost.exe
- Token: SeDebugPrivilege, PID 3000, msiexec.exe
- Token: SeTcbPrivilege, PID 3000, msiexec.exe
Suspicious use of WriteProcessMemory 30 IoCs
Processes
- C:\Users\Admin\AppData\Local\Temp\4a076785e9786324bb852dd5bc27f10b_JaffaCakes118.exe (command line: "C:\Users\Admin\AppData\Local\Temp\4a076785e9786324bb852dd5bc27f10b_JaffaCakes118.exe", depth 1, PID 2112)
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe (command line: C:\Windows\system32\svchost.exe, depth 2, PID 2324)
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\msiexec.exe (command line: C:\Windows\SysWOW64\msiexec.exe, depth 3, PID 3000)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\svchost.exe (command line: C:\Windows\system32\svchost.exe, depth 2, PID 2644)
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 904B
  MD5: 4331f17411c0df50e27f3730b082b26d
  SHA1: 8f4cfb8b0f1a25f6fbedddb2d59d95df9e3983c6
  SHA256: 23c94b29d94a1da3bbb5461f7313924d2d28f32e41a34d8fa227c6edd485c559
  SHA512: 2977709d3e936cf171bafd936bb3e88fa47b54af1e15cd211a7382d2bcc664cd823e2e767f9154ff3ecc0c2dbef59c31625e07ec2bde0d5624745aa179f125ca
- Filesize: 5KB
  MD5: c70c48aa37240034bcfa501461ee56fe
  SHA1: 1ba547f33bf81454994d19656600d69054ad2dd4
  SHA256: 26568e408e9e1a9d73d38a5924a5827480d0cf8d4727c6630520a2de311dd173
  SHA512: fbde725b81ac8fac4ff4a9774d0c15562a3acacb234668f660d69940b146f8d4fbb3427ae937234c36d371c1b32118c9da34c401a8cd52bc2117b09ad004c776