Analysis
- Max time kernel: 150s
- Max time network: 129s
- Platform: windows7_x64
- Resource: win7-20240708-en
- Resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- Submitted: 19/07/2024, 07:51
Behavioral task behavioral1
- Sample: 5b0cbce55e2774adf8eef9d00ed6b902_JaffaCakes118.exe
- Resource: win7-20240708-en

Behavioral task behavioral2
- Sample: 5b0cbce55e2774adf8eef9d00ed6b902_JaffaCakes118.exe
- Resource: win10v2004-20240709-en
General
- Target: 5b0cbce55e2774adf8eef9d00ed6b902_JaffaCakes118.exe
- Size: 194KB
- MD5: 5b0cbce55e2774adf8eef9d00ed6b902
- SHA1: 32c3f341d21dcb054f3b2804347481c52eec6437
- SHA256: bda8b07199ccb0aafc6797eaa9d7e7a63dd585f1733b3f6436101949cfbce839
- SHA512: 307a65d54ab732c0290843d53438af6e5e594328792191071d3a0eb6906854462c5d8687b6644c713f1be734b2359101cd4c676dc5ae93619c61acb67e880a3d
- SSDEEP: 6144:pmE1ZqjiDAHmTwsL2V6bbLiqmOqzz+oyM:w6Zqj2WsL2V83MbGoyM
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid 1652  cmd.exe
- Executes dropped EXE (1 IoC)
  pid 2764  soen.exe
- Loads dropped DLL (2 IoCs)
  pid 2096  5b0cbce55e2774adf8eef9d00ed6b902_JaffaCakes118.exe
  pid 2096  5b0cbce55e2774adf8eef9d00ed6b902_JaffaCakes118.exe
- YARA rule matches (resource / yara_rule)
  behavioral1/memory/2096-0-0x0000000000400000-0x000000000046A000-memory.dmp  upx
  behavioral1/files/0x0008000000017520-17.dat  upx
  behavioral1/memory/2764-20-0x0000000000400000-0x000000000046A000-memory.dmp  upx
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Myzuazack = "C:\\Users\\Admin\\AppData\\Roaming\\Faxial\\soen.exe"  (process: soen.exe)
- Suspicious use of SetThreadContext (1 IoC)
  PID 2096 set thread context of 1652  (process: 5b0cbce55e2774adf8eef9d00ed6b902_JaffaCakes118.exe, procid_target 32)
- Modifies Internet Explorer settings
  Key created: \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Privacy  (process: 5b0cbce55e2774adf8eef9d00ed6b902_JaffaCakes118.exe)
  Set value (int): \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"  (process: 5b0cbce55e2774adf8eef9d00ed6b902_JaffaCakes118.exe)
- NTFS ADS (1 IoC)
  File opened for modification: C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\753E63E5-00000001.eml:OECustomProperty  (process: WinMail.exe)
- Suspicious behavior: EnumeratesProcesses (34 IoCs)
  pid 2764  soen.exe  (same entry repeated for all 34 IoCs)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeSecurityPrivilege      pid 2096  5b0cbce55e2774adf8eef9d00ed6b902_JaffaCakes118.exe
  Token: SeSecurityPrivilege      pid 2096  5b0cbce55e2774adf8eef9d00ed6b902_JaffaCakes118.exe
  Token: SeManageVolumePrivilege  pid 1852  WinMail.exe
- Suspicious use of FindShellTrayWindow (1 IoC)
  pid 1852  WinMail.exe
- Suspicious use of SendNotifyMessage (1 IoC)
  pid 1852  WinMail.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid 1852  WinMail.exe
- Suspicious use of WriteProcessMemory (53 IoCs; identical entries collapsed with a count)
  PID   wrote to memory of   Process                                              procid_target   count
  2096  2764                 5b0cbce55e2774adf8eef9d00ed6b902_JaffaCakes118.exe   30              4
  2764  1100                 soen.exe                                             19              5
  2764  1200                 soen.exe                                             20              5
  2764  1252                 soen.exe                                             21              5
  2764  1180                 soen.exe                                             23              5
  2764  2096                 soen.exe                                             29              5
  2096  1652                 5b0cbce55e2774adf8eef9d00ed6b902_JaffaCakes118.exe   32              9
  2764  944                  soen.exe                                             34              5
  2764  1900                 soen.exe                                             35              5
  2764  2972                 soen.exe                                             36              5
Processes
- C:\Windows\system32\taskhost.exe  (command line: "taskhost.exe")  PID:1100
- C:\Windows\system32\Dwm.exe  (command line: "C:\Windows\system32\Dwm.exe")  PID:1200
- C:\Windows\Explorer.EXE  (command line: C:\Windows\Explorer.EXE)  PID:1252
  - C:\Users\Admin\AppData\Local\Temp\5b0cbce55e2774adf8eef9d00ed6b902_JaffaCakes118.exe  (command line: "C:\Users\Admin\AppData\Local\Temp\5b0cbce55e2774adf8eef9d00ed6b902_JaffaCakes118.exe")  PID:2096
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Modifies Internet Explorer settings
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\Faxial\soen.exe  (command line: "C:\Users\Admin\AppData\Roaming\Faxial\soen.exe")  PID:2764
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe  (command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpdc7b10a2.bat")  PID:1652
        Deletes itself
- C:\Windows\system32\DllHost.exe  (command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683})  PID:1180
- C:\Program Files\Windows Mail\WinMail.exe  (command line: "C:\Program Files\Windows Mail\WinMail.exe" -Embedding)  PID:1852
    NTFS ADS
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of FindShellTrayWindow
    Suspicious use of SendNotifyMessage
    Suspicious use of SetWindowsHookEx
- C:\Windows\system32\DllHost.exe  (command line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF})  PID:944
- C:\Windows\system32\DllHost.exe  (command line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF})  PID:1900
- C:\Windows\system32\DllHost.exe  (command line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF})  PID:2972
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2.0MB
  MD5: 9b3e6ebda4feefbde0091b3787e73253
  SHA1: 2ff0516c6a8978af4243b6de0316b36de9d93072
  SHA256: ae9f62be4f51360ba9b54408818d07145e8d807e9a3f69303f979bef9c3421a7
  SHA512: 61f6d991131086ff44f0b5e28eb8173cdc72d03ccf39abcc44f0cbd2f7bf1fac27294d8cd04e32e6fd520d816692dacdd8e1f0716efc9dad7163f2c143db3184
- Filesize: 271B
  MD5: 7357a12c0ff4f4e681fe85ec0b2605b0
  SHA1: b0ba766c256e053cdb7d64569f3b6df9b288b8ed
  SHA256: 676982222a4400b25ab587298a41192a89823246b3d36b06ce74ae2bc88f99d7
  SHA512: b48f647948d0801df77569cde55f242b9145123fc01ac765d6ef25c4b5e4fba162b6772ac34fd10195d8e632d08801e830cc40fdb6967ff90843fe7d2a62f9fd
- Filesize: 194KB
  MD5: 28af82cea0664726815412fae78201de
  SHA1: 9787cd9588f6c4e3a0bc8dc27bc5332f1f38d7cf
  SHA256: 624e943b910bee4881b4676fee099c3c59642fd1dec477dbbcfac549201fb6ec
  SHA512: 1ec977c02c0bf02d72d14ddc1a71b93eae65a1070f29083ff8d0d16d8e594f40dcc7fecddcf3d2f7bedccd4bbbfb4edc37388ac583aa9ce68f66dc0c437636a1