Analysis
- max time kernel: 149s
- max time network: 140s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 15/07/2024, 21:23
Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: 4b7607ecb8b4a2f2e3d7ec627d57fe34_JaffaCakes118.exe
  Resource: win7-20240704-en
- Behavioral task: behavioral2
  Sample: 4b7607ecb8b4a2f2e3d7ec627d57fe34_JaffaCakes118.exe
  Resource: win10v2004-20240709-en
General
- Target: 4b7607ecb8b4a2f2e3d7ec627d57fe34_JaffaCakes118.exe
- Size: 67KB
- MD5: 4b7607ecb8b4a2f2e3d7ec627d57fe34
- SHA1: a9d53183b7b49a1498167520fffd2f03d6069297
- SHA256: 2db072302cacc997688089470a4365a699e495fe98839b8ae9d983365f5c4788
- SHA512: a9ebdabe808d370ad62fc749a51baba06e9bdf7b188a098b7c1635e7e670cbb21b6f4b00075033f784a0541b3024570da382c3aa8e4cfc9319947c1adc5dae73
- SSDEEP: 1536:iSA2yu7v/exwZne5PTdZserDMmVjIyk3:YOb/ne5PvNAmVXk3
Malware Config
Extracted
- family: metasploit
- encoder: call4_dword_xor (Metasploit's x86/call4_dword_xor shellcode encoder; the extracted payload was wrapped in its call-4 / DWORD-XOR decoder stub)
Signatures
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Adds policy Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | 4b7607ecb8b4a2f2e3d7ec627d57fe34_JaffaCakes118.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Microsoft Driver Setup = "C:\\Windows\\w7services.exe" | 4b7607ecb8b4a2f2e3d7ec627d57fe34_JaffaCakes118.exe
- Executes dropped EXE (2 IoCs)
  pid | process
  396 | w7services.exe
  2292 | w7services.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Driver Setup = "C:\\Windows\\w7services.exe" | 4b7607ecb8b4a2f2e3d7ec627d57fe34_JaffaCakes118.exe
- Suspicious use of SetThreadContext (2 IoCs)
  description | pid | process | procid_target
  PID 2488 set thread context of 2476 | 2488 | 4b7607ecb8b4a2f2e3d7ec627d57fe34_JaffaCakes118.exe | 28
  PID 396 set thread context of 2292 | 396 | w7services.exe | 30
- Drops file in Windows directory (3 IoCs)
  description | ioc | process
  File created | C:\Windows\w7services.exe | 4b7607ecb8b4a2f2e3d7ec627d57fe34_JaffaCakes118.exe
  File opened for modification | C:\Windows\w7services.exe | 4b7607ecb8b4a2f2e3d7ec627d57fe34_JaffaCakes118.exe
  File created | C:\Windows\log32.txt | w7services.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | process
  2476 | 4b7607ecb8b4a2f2e3d7ec627d57fe34_JaffaCakes118.exe (2 events)
- Suspicious use of WriteProcessMemory (22 IoCs, identical rows collapsed with counts)
  description | pid | process | procid_target | count
  PID 2488 wrote to memory of 2476 | 2488 | 4b7607ecb8b4a2f2e3d7ec627d57fe34_JaffaCakes118.exe | 28 | 9
  PID 2476 wrote to memory of 396 | 2476 | 4b7607ecb8b4a2f2e3d7ec627d57fe34_JaffaCakes118.exe | 29 | 4
  PID 396 wrote to memory of 2292 | 396 | w7services.exe | 30 | 9
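The signatures above give three host-side artefacts worth sweeping for on a live machine: the Run-key persistence (the value "Microsoft Driver Setup" under the Policies\Explorer\Run and Wow6432Node Run keys), the dropped files under C:\Windows, and the self-injection pattern in which each stage spawns a second copy of its own image and then calls WriteProcessMemory/SetThreadContext on it. The PowerShell below is an added triage script written for this page; it is not part of the Triage report nor of any tool the report names. The SHA256, file paths, registry keys and value name are taken from the report. The function names, the extra 64-bit Run key, and the "same image as parent" heuristic are this script's own, and whether C:\Windows\w7services.exe hashes identical to the submitted sample is an assumption the script checks rather than something the report states.

```powershell
# Added host-triage sweep for the artefacts in the Triage report above.
# Not the report's or any vendor's code. Run from an elevated 64-bit PowerShell.

$SampleSha256 = '2db072302cacc997688089470a4365a699e495fe98839b8ae9d983365f5c4788'   # from the report
$DroppedFiles = @('C:\Windows\w7services.exe', 'C:\Windows\log32.txt')               # from the report
$ValueName    = 'Microsoft Driver Setup'                                             # from the report
$RunKeys      = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',         # from the report
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',               # from the report
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'                            # assumption: also check the 64-bit view
)

function Find-RunKeyPersistence {
    # Flags either the exact value name the sample wrote, or any Run value whose data points at w7services.exe.
    foreach ($key in $RunKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }        # skip PSPath/PSParentPath/PSChildName/PSDrive/PSProvider
            $byName = ($p.Name -eq $ValueName)
            $byData = ("$($p.Value)" -match 'w7services\.exe')
            if ($byName -or $byData) {
                [pscustomobject]@{ Key = $key; Name = $p.Name; Data = $p.Value }
            }
        }
    }
}

function Find-DroppedFiles {
    # Reports each dropped path that exists, its SHA256, and whether it equals the submitted sample
    # (assumption: the dropper may have copied itself; the report only shows it created the file).
    foreach ($path in $DroppedFiles) {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash.ToLower()
        [pscustomobject]@{
            Path          = $path
            SHA256        = $hash
            MatchesSample = ($hash -eq $SampleSha256)
        }
    }
}

function Find-SelfSpawnedProcesses {
    # Heuristic for the RunPE-style hollowing in the report: a process whose parent runs the
    # same executable path (sample -> sample, w7services.exe -> w7services.exe).
    # Noisy on its own (browsers and some installers also self-spawn); review the output by hand.
    $procs = Get-CimInstance -ClassName Win32_Process
    $byPid = @{}
    foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }
    foreach ($p in $procs) {
        if (-not $p.ExecutablePath) { continue }
        $parent = $byPid[[int]$p.ParentProcessId]
        if ($null -eq $parent -or -not $parent.ExecutablePath) { continue }
        if ($parent.ExecutablePath -eq $p.ExecutablePath) {
            [pscustomobject]@{
                PID         = $p.ProcessId
                PPID        = $p.ParentProcessId
                Image       = $p.ExecutablePath
                KnownIoC    = ($p.ExecutablePath -match 'w7services\.exe')
            }
        }
    }
}

Write-Host '== Run-key persistence =='
Find-RunKeyPersistence | Format-Table -AutoSize
Write-Host '== Dropped files under C:\Windows =='
Find-DroppedFiles | Format-Table -AutoSize
Write-Host '== Processes whose parent runs the same image (review manually) =='
Find-SelfSpawnedProcesses | Format-Table -AutoSize
```

The Wow6432Node path in the report is the 32-bit registry view: a 32-bit process writing to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run on 64-bit Windows is redirected there, which is why the sample (an x86 image, per the resource tags) landed its second Run value under Wow6432Node while the Policies\Explorer\Run write was not redirected. Get-FileHash needs PowerShell 4 or later, so on a stock Windows 7 host substitute certutil -hashfile for that call.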
Processes (tree; each entry is the image path, its command line, its PID and the signatures triggered by that process)
- C:\Users\Admin\AppData\Local\Temp\4b7607ecb8b4a2f2e3d7ec627d57fe34_JaffaCakes118.exe (PID 2488)
  command line: "C:\Users\Admin\AppData\Local\Temp\4b7607ecb8b4a2f2e3d7ec627d57fe34_JaffaCakes118.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\4b7607ecb8b4a2f2e3d7ec627d57fe34_JaffaCakes118.exe (PID 2476, child of 2488)
    command line: "C:\Users\Admin\AppData\Local\Temp\4b7607ecb8b4a2f2e3d7ec627d57fe34_JaffaCakes118.exe"
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Windows\w7services.exe (PID 396, child of 2476)
      command line: "C:\Windows\w7services.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      - C:\Windows\w7services.exe (PID 2292, child of 396)
        command line: "C:\Windows\w7services.exe"
        - Executes dropped EXE
        - Drops file in Windows directory
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 67KB
- MD5: 4b7607ecb8b4a2f2e3d7ec627d57fe34
- SHA1: a9d53183b7b49a1498167520fffd2f03d6069297
- SHA256: 2db072302cacc997688089470a4365a699e495fe98839b8ae9d983365f5c4788
- SHA512: a9ebdabe808d370ad62fc749a51baba06e9bdf7b188a098b7c1635e7e670cbb21b6f4b00075033f784a0541b3024570da382c3aa8e4cfc9319947c1adc5dae73