Windows 7 deprecation notice: Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 150s
max time network: 119s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 16/07/2024, 01:44
Static task: static1
Behavioral task: behavioral1
Sample: 4c4cd17bdb63a104dc280fc0fc59b094_JaffaCakes118.exe
Resource: win7-20240708-en
General
Target: 4c4cd17bdb63a104dc280fc0fc59b094_JaffaCakes118.exe
Size: 379KB
MD5: 4c4cd17bdb63a104dc280fc0fc59b094
SHA1: 2de3371b4b698293ede15330bcff324df21b9a3d
SHA256: 1848f280694dc28426a65fa65e66bea49ac6e4fc83f299acc3ae42d07bdae3d4
SHA512: 80fb4dde68d652d581b76d0aa06d0d4f68c0b6cc8439386ce2e3ed1da47f3c2b437020d3fcd59ce2a4bd95e0cfa00a150040500dfddf5bc1b3142d1911d2d848
SSDEEP: 6144:0l1OoQkb/M+91vSGf1FSdXzjrQv3BR7VSUMcA+9N5j83LyG7A7jLePas82/+tx:0pM+91H1FO8p1VStAB83YL8/+tx
Malware Config
Signatures
UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 043A6A5B00014973000B804DB4EB2331.exe

Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 043A6A5B00014973000B804DB4EB2331.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 043A6A5B00014973000B804DB4EB2331.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | 043A6A5B00014973000B804DB4EB2331.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 043A6A5B00014973000B804DB4EB2331.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 043A6A5B00014973000B804DB4EB2331.exe
Disables taskbar notifications via registry modification
Deletes itself 1 IoCs
pid | Process
2720 | 043A6A5B00014973000B804DB4EB2331.exe

Executes dropped EXE 1 IoCs
pid | Process
2720 | 043A6A5B00014973000B804DB4EB2331.exe

Loads dropped DLL 1 IoCs
pid | Process
2776 | 4c4cd17bdb63a104dc280fc0fc59b094_JaffaCakes118.exe
Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\svc | 043A6A5B00014973000B804DB4EB2331.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 043A6A5B00014973000B804DB4EB2331.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 043A6A5B00014973000B804DB4EB2331.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 043A6A5B00014973000B804DB4EB2331.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | 043A6A5B00014973000B804DB4EB2331.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 043A6A5B00014973000B804DB4EB2331.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Security Center\svc | 043A6A5B00014973000B804DB4EB2331.exe

Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 043A6A5B00014973000B804DB4EB2331.exe

Modifies registry class 22 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\043A6\shell\start\command | 043A6A5B00014973000B804DB4EB2331.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\043A6\shell\runas\command\ = "\"%1\" %*" | 043A6A5B00014973000B804DB4EB2331.exe
Key created | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\.exe | 043A6A5B00014973000B804DB4EB2331.exe
Key created | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\043A6 | 043A6A5B00014973000B804DB4EB2331.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\043A6\ = "Application" | 043A6A5B00014973000B804DB4EB2331.exe
Key created | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\043A6\shell | 043A6A5B00014973000B804DB4EB2331.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\043A6\shell\start\command\IsolatedCommand = "\"%1\" %*" | 043A6A5B00014973000B804DB4EB2331.exe
Key created | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\043A6\shell\runas\command | 043A6A5B00014973000B804DB4EB2331.exe
Key created | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\043A6\shell\runas | 043A6A5B00014973000B804DB4EB2331.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\043A6\Content Type = "application/x-msdownload" | 043A6A5B00014973000B804DB4EB2331.exe
Key created | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\043A6\shell\open\command | 043A6A5B00014973000B804DB4EB2331.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\043A6\shell\open\command\ = "\"C:\\ProgramData\\043A6A5B00014973000B804DB4EB2331\\043A6A5B00014973000B804DB4EB2331.exe\" -s \"%1\" %*" | 043A6A5B00014973000B804DB4EB2331.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\043A6\shell\start\command\ = "\"%1\" %*" | 043A6A5B00014973000B804DB4EB2331.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\043A6\shell\open\command\IsolatedCommand = "\"%1\" %*" | 043A6A5B00014973000B804DB4EB2331.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\043A6\shell\runas\command\IsolatedCommand = "\"%1\" %*" | 043A6A5B00014973000B804DB4EB2331.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\.exe\ = "043A6" | 043A6A5B00014973000B804DB4EB2331.exe
Key created | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\%s | 043A6A5B00014973000B804DB4EB2331.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\043A6\DefaultIcon\ = "%1" | 043A6A5B00014973000B804DB4EB2331.exe
Key created | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\043A6\shell\open | 043A6A5B00014973000B804DB4EB2331.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\%s\ = "043A6" | 043A6A5B00014973000B804DB4EB2331.exe
Key created | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\043A6\DefaultIcon | 043A6A5B00014973000B804DB4EB2331.exe
Key created | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\043A6\shell\start | 043A6A5B00014973000B804DB4EB2331.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
2776 | 4c4cd17bdb63a104dc280fc0fc59b094_JaffaCakes118.exe
2720 | 043A6A5B00014973000B804DB4EB2331.exe (this pid/process pair accounts for the remaining 63 IoCs)
Suspicious use of FindShellTrayWindow 2 IoCs
pid | Process
2720 | 043A6A5B00014973000B804DB4EB2331.exe
2720 | 043A6A5B00014973000B804DB4EB2331.exe

Suspicious use of SendNotifyMessage 2 IoCs
pid | Process
2720 | 043A6A5B00014973000B804DB4EB2331.exe
2720 | 043A6A5B00014973000B804DB4EB2331.exe

Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
2720 | 043A6A5B00014973000B804DB4EB2331.exe
2720 | 043A6A5B00014973000B804DB4EB2331.exe

Suspicious use of WriteProcessMemory 4 IoCs
description | pid | Process | procid_target
PID 2776 wrote to memory of 2720 | 2776 | 4c4cd17bdb63a104dc280fc0fc59b094_JaffaCakes118.exe | 30
PID 2776 wrote to memory of 2720 | 2776 | 4c4cd17bdb63a104dc280fc0fc59b094_JaffaCakes118.exe | 30
PID 2776 wrote to memory of 2720 | 2776 | 4c4cd17bdb63a104dc280fc0fc59b094_JaffaCakes118.exe | 30
PID 2776 wrote to memory of 2720 | 2776 | 4c4cd17bdb63a104dc280fc0fc59b094_JaffaCakes118.exe | 30

System policy modification 1 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 043A6A5B00014973000B804DB4EB2331.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\4c4cd17bdb63a104dc280fc0fc59b094_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\4c4cd17bdb63a104dc280fc0fc59b094_JaffaCakes118.exe"
   - Loads dropped DLL
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   PID: 2776

   2. C:\ProgramData\043A6A5B00014973000B804DB4EB2331\043A6A5B00014973000B804DB4EB2331.exe (child of the process above)
      Command line: "C:\ProgramData\043A6A5B00014973000B804DB4EB2331\043A6A5B00014973000B804DB4EB2331.exe" -d "C:\Users\Admin\AppData\Local\Temp\4c4cd17bdb63a104dc280fc0fc59b094_JaffaCakes118.exe"
      - UAC bypass
      - Windows security bypass
      - Deletes itself
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx
      - System policy modification
      PID: 2720
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 379KB
MD5: 4c4cd17bdb63a104dc280fc0fc59b094
SHA1: 2de3371b4b698293ede15330bcff324df21b9a3d
SHA256: 1848f280694dc28426a65fa65e66bea49ac6e4fc83f299acc3ae42d07bdae3d4
SHA512: 80fb4dde68d652d581b76d0aa06d0d4f68c0b6cc8439386ce2e3ed1da47f3c2b437020d3fcd59ce2a4bd95e0cfa00a150040500dfddf5bc1b3142d1911d2d848