Analysis
- Max time kernel: 141s
- Max time network: 122s
- Platform: windows7_x64
- Resource: win7-20240708-en
- Resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- Submitted: 19/07/2024, 08:34 UTC
- Static task: static1
- Behavioral task: behavioral1
- Sample: 5b30734c86e13b3ecf4c464f8c1f1a66_JaffaCakes118.exe
- Resource: win7-20240708-en
General
- Target: 5b30734c86e13b3ecf4c464f8c1f1a66_JaffaCakes118.exe
- Size: 286KB
- MD5: 5b30734c86e13b3ecf4c464f8c1f1a66
- SHA1: d6023ba18d36ab1f3a79e722966cb03a7e02ddff
- SHA256: 563410ebee67ab9c295168c8d26eff9ea363250c2e8a44066acbe85d14e2ad52
- SHA512: e6ec5ffe5e79b63742558a86510d92c5ccc50525c9a6745096e61c0bcd52532ca9d39867c9c83d0ea56765cb5d71cb0def2e5f8da6bee6036186868f6cd250a4
- SSDEEP: 6144:OVq+UoZyYg4M4crK5XKOKzOVGPwyOV8N0cSCbdJ2rjm:OV2ajbx6pPwPuN0cbb/oi
Malware Config
Signatures
Modifies security service (2 TTPs, 1 IoC)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "3" (process: 5b30734c86e13b3ecf4c464f8c1f1a66_JaffaCakes118.exe)

Boot or Logon Autostart Execution: Active Setup (2 TTPs, 1 IoC)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
- Key created: \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Active Setup\Installed Components (process: explorer.exe)

Disables taskbar notifications via registry modification

Executes dropped EXE (1 IoC)
- PID 1580: 3A04.tmp

Loads dropped DLL (2 IoCs)
- PID 2320: 5b30734c86e13b3ecf4c464f8c1f1a66_JaffaCakes118.exe (2 occurrences)

Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

YARA rule matches (rule: upx), by resource:
- behavioral1/memory/2320-1-0x0000000000400000-0x0000000000468000-memory.dmp
- behavioral1/memory/2320-2-0x0000000000400000-0x000000000046A000-memory.dmp
- behavioral1/memory/2320-11-0x0000000000400000-0x000000000046A000-memory.dmp
- behavioral1/memory/1900-13-0x0000000000400000-0x000000000046A000-memory.dmp
- behavioral1/memory/1900-14-0x0000000000400000-0x0000000000468000-memory.dmp
- behavioral1/memory/2320-122-0x0000000000400000-0x000000000046A000-memory.dmp
- behavioral1/memory/2948-124-0x0000000000400000-0x000000000046A000-memory.dmp
- behavioral1/memory/2948-125-0x0000000000400000-0x0000000000468000-memory.dmp
- behavioral1/memory/2320-126-0x0000000000400000-0x0000000000468000-memory.dmp
- behavioral1/memory/2320-301-0x0000000000400000-0x000000000046A000-memory.dmp
- behavioral1/memory/2320-305-0x0000000000400000-0x000000000046A000-memory.dmp
- behavioral1/memory/2320-306-0x0000000000400000-0x000000000046A000-memory.dmp

Adds Run key to start application (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\E53.exe = "C:\\Program Files (x86)\\LP\\8891\\E53.exe" (process: 5b30734c86e13b3ecf4c464f8c1f1a66_JaffaCakes118.exe)

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Drops file in Program Files directory (3 IoCs), all by 5b30734c86e13b3ecf4c464f8c1f1a66_JaffaCakes118.exe:
- File created: C:\Program Files (x86)\LP\8891\E53.exe
- File opened for modification: C:\Program Files (x86)\LP\8891\E53.exe
- File opened for modification: C:\Program Files (x86)\LP\8891\3A04.tmp

Modifies registry class (5 IoCs), all by explorer.exe:
- Key created: \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_Classes\Local Settings
- Key created: \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell
- Key created: \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
- Set value (data): \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots
- Set value (data): \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff

Suspicious behavior: EnumeratesProcesses (14 IoCs)
- PID 2320: 5b30734c86e13b3ecf4c464f8c1f1a66_JaffaCakes118.exe (14 occurrences)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
- PID 1180: explorer.exe

Suspicious use of AdjustPrivilegeToken (15 IoCs)
- Token: SeRestorePrivilege, PID 2512, msiexec.exe
- Token: SeTakeOwnershipPrivilege, PID 2512, msiexec.exe
- Token: SeSecurityPrivilege, PID 2512, msiexec.exe
- Token: SeShutdownPrivilege, PID 1180, explorer.exe (12 occurrences)

Suspicious use of FindShellTrayWindow (28 IoCs)
- PID 1180: explorer.exe (28 occurrences)

Suspicious use of SendNotifyMessage (18 IoCs)
- PID 1180: explorer.exe (18 occurrences)

Suspicious use of WriteProcessMemory (12 IoCs), all from PID 2320 (5b30734c86e13b3ecf4c464f8c1f1a66_JaffaCakes118.exe):
- PID 2320 wrote to memory of PID 1900 (procid_target 32), 4 occurrences
- PID 2320 wrote to memory of PID 2948 (procid_target 34), 4 occurrences
- PID 2320 wrote to memory of PID 1580 (procid_target 37), 4 occurrences

System policy modification (1 TTP, 2 IoCs), both by 5b30734c86e13b3ecf4c464f8c1f1a66_JaffaCakes118.exe:
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\5b30734c86e13b3ecf4c464f8c1f1a66_JaffaCakes118.exe (PID 2320)
  Command line: "C:\Users\Admin\AppData\Local\Temp\5b30734c86e13b3ecf4c464f8c1f1a66_JaffaCakes118.exe"
  Signatures: Modifies security service; Loads dropped DLL; Adds Run key to start application; Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory; System policy modification
  - C:\Users\Admin\AppData\Local\Temp\5b30734c86e13b3ecf4c464f8c1f1a66_JaffaCakes118.exe (PID 1900)
    Command line: C:\Users\Admin\AppData\Local\Temp\5b30734c86e13b3ecf4c464f8c1f1a66_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\1FFA9\C7688.exe%C:\Users\Admin\AppData\Roaming\1FFA9
  - C:\Users\Admin\AppData\Local\Temp\5b30734c86e13b3ecf4c464f8c1f1a66_JaffaCakes118.exe (PID 2948)
    Command line: C:\Users\Admin\AppData\Local\Temp\5b30734c86e13b3ecf4c464f8c1f1a66_JaffaCakes118.exe startC:\Program Files (x86)\A9F06\lvvm.exe%C:\Program Files (x86)\A9F06
  - C:\Program Files (x86)\LP\8891\3A04.tmp (PID 1580)
    Command line: "C:\Program Files (x86)\LP\8891\3A04.tmp"
    Signatures: Executes dropped EXE
- C:\Windows\system32\msiexec.exe (PID 2512)
  Command line: C:\Windows\system32\msiexec.exe /V
  Signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\explorer.exe (PID 1180)
  Command line: explorer.exe
  Signatures: Boot or Logon Autostart Execution: Active Setup; Modifies registry class; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
Network
DNS requests (remote address 8.8.8.8:53):
- csc3-2004-crl.verisign.com IN A (response received)
- cx7m.hoststorageforyou.com IN A (response received)
- cx7m.hoststorageforyou.com IN A (no response)
- patentgenius.com IN A (response received)
- patentgenius.com IN A (no response)
- 5ptgqew2ey.wwwmediahosts.com IN A (response received)
- -z92.wwwmediahosts.com IN A (response received)
- 6yqi.hoststorageforyou.com IN A (response received)
- TRANSERSDATAFORME.COM IN A (response received)
- www.google.com IN A, response: www.google.com IN A 142.250.180.4

HTTP flow to 142.250.180.4:80
Request:
GET / HTTP/1.0
Connection: close
Host: www.google.com
Accept: */*
Response:
HTTP/1.0 302 Found
x-hallmonitor-challenge: CgwI9MrotAYQlqWWwgISBMJuDUY
Content-Type: text/html; charset=UTF-8
Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-RHzFvUWKRtyEaXtlP3Mhmw' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
Date: Fri, 19 Jul 2024 08:36:04 GMT
Server: gws
Content-Length: 396
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Set-Cookie: AEC=AVYB7coY2eW3_iGR0XwSyMX5A2AdCtEzDcd-BnRiCjUjbJtebtNB7j9v_E8; expires=Wed, 15-Jan-2025 08:36:04 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax

HTTP flow to 142.250.180.4:80
Request:
GET / HTTP/1.1
Connection: close
Pragma: no-cache
Host: www.google.com
Response:
HTTP/1.1 302 Found
x-hallmonitor-challenge: CgsI-MrotAYQhIqkexIEwm4NRg
Content-Type: text/html; charset=UTF-8
Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-zODqvbZ9D8cNRYU4vAWHCw' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
Date: Fri, 19 Jul 2024 08:36:08 GMT
Server: gws
Content-Length: 396
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Set-Cookie: AEC=AVYB7crMfqzmKuUrtb4fKYLlVPquFS7jg86f1N0aAfuEYCvIhtdnnPOG0g; expires=Wed, 15-Jan-2025 08:36:08 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
Connection: close

HTTP flow to 142.250.180.4:80 (process: 5b30734c86e13b3ecf4c464f8c1f1a66_JaffaCakes118.exe)
URL: GET http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgTCbg1GGPfK6LQGIjDHuq3eSAjElvC9MaESFq0Yhwi7GaPgL3xnlnSp_pwh6iAsq1eLMrA9GHioBcAAoGoyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
Request:
GET /sorry/index?continue=http://www.google.com/&q=EgTCbg1GGPfK6LQGIjDHuq3eSAjElvC9MaESFq0Yhwi7GaPgL3xnlnSp_pwh6iAsq1eLMrA9GHioBcAAoGoyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1
Connection: close
Pragma: no-cache
Host: www.google.com
Response:
HTTP/1.1 429 Too Many Requests
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html
Server: HTTP server (unknown)
Content-Length: 3052
X-XSS-Protection: 0
Connection: close
Traffic summary (bytes sent / bytes received / packets):
- HTTP, GET http://www.google.com/ -> 302: 446 B / 1.5kB / 8, 5
- HTTP, GET http://www.google.com/ -> 302: 359 B / 1.5kB / 6, 5
- HTTP to 142.250.180.4:80 (process: 5b30734c86e13b3ecf4c464f8c1f1a66_JaffaCakes118.exe), GET http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgTCbg1GGPfK6LQGIjDHuq3eSAjElvC9MaESFq0Yhwi7GaPgL3xnlnSp_pwh6iAsq1eLMrA9GHioBcAAoGoyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM -> 429: 960 B / 3.7kB / 10, 9
- DNS, csc3-2004-crl.verisign.com: 72 B / 127 B / 1, 1
- DNS, cx7m.hoststorageforyou.com (2 requests): 144 B / 145 B / 2, 1
- DNS, patentgenius.com (2 requests): 124 B / 135 B / 2, 1
- DNS, 5ptgqew2ey.wwwmediahosts.com: 74 B / 147 B / 1, 1
- DNS, -z92.wwwmediahosts.com: 68 B / 141 B / 1, 1
- DNS, 6yqi.hoststorageforyou.com: 72 B / 145 B / 1, 1
- DNS, TRANSERSDATAFORME.COM: 67 B / 140 B / 1, 1
- DNS, www.google.com, response 142.250.180.4: 60 B / 76 B / 1, 1
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads
- Filesize: 996B
  MD5: 0836ef6f36e76603d17e41c1f60d6ff2
  SHA1: 61624bc59d1ace41d8ee1bf12c7569cb43b6b384
  SHA256: f234ba7a5d13b4f3b26ab3c6d8b327550f788ae17adfe79c1cd82259fc42098b
  SHA512: 5d861a4484acd3464c8e4ebd8131f494f6078374bf106dc02d77cc0be400bbc1638e7840cef56baff9a7c151461dc2abae9e9d85b7c7c89ab9f79c28d0c28834
- Filesize: 600B
  MD5: 15476410dc014f35b7dad512d4d20153
  SHA1: 9250d8a68aa0db60891a82a01cd66203e4cadcd4
  SHA256: ecc8c23809cda18792722bee5c4c2e3333653aa9b832071f8ef997f79386b569
  SHA512: d640075be5f98deb00e98b24d347a7687e6b624b02fd2e0ba90c98eb061e1e87f1ef28dd14d40a762b9935609129b0b29e9e170145382cf5b53f7428203d8db3
- Filesize: 1KB
  MD5: 90d1dac0852abba04b1fa0748b98c9ba
  SHA1: 383991f905f257a71b9321dbfd49ff2f12d0514a
  SHA256: b3fe67d7ab58cfadf2ed6baee599138116396623d5b59b0f6c0cc150703cab00
  SHA512: bf38d1be2175920c5d7f8d897d0854f95031b34862e2f522d0599dfda6f1e887ee3de7a9d67459a338cd498cd91b3e0a89c6288f446014b6976413d00a57c8c9
- Filesize: 101KB
  MD5: c932041a7e800a1a80890dbe7d984243
  SHA1: 275e521889eaca58e193a5e7a6675fd08a6b6418
  SHA256: 2890d67e3a1b817a45e95fb5d7238c2761fad5a0c9fec3280e1be2c1a00d5c02
  SHA512: b111ade33c5982232722d81f9c1329c3d875aa1be7a8870371cff9eba51390c05d70b9ce680241932463459fb550ded667a702e754a762f88d88e73b850275ef