Analysis
- max time kernel: 149s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20/07/2024, 00:59
Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: 5e6b6a20d040922e798e3f318c39884e_JaffaCakes118.exe
  Resource: win7-20240708-en
- Behavioral task: behavioral2
  Sample: 5e6b6a20d040922e798e3f318c39884e_JaffaCakes118.exe
  Resource: win10v2004-20240709-en
General
- Target: 5e6b6a20d040922e798e3f318c39884e_JaffaCakes118.exe
- Size: 459KB
- MD5: 5e6b6a20d040922e798e3f318c39884e
- SHA1: c44dd1ea7e4733e1087ff8b4645c10a19fb1f788
- SHA256: 3c5f4ff9125a06d4d71b66549abcf769a045140c3d8ce43684295c21225277e4
- SHA512: fed8e286b532a8690bb9fb06bf3f9326095dea62e679437e46d4c64e5ca9bb3e8c04fbd1092f83ae46b64ba52cc294398ea627c0bd5ebe7d91341e8c0acb9149
- SSDEEP: 6144:q3Jn75HovZRFG5RryDoSOxrbkm3tTQl35x/pnt1ImPhuAFzsGc3Sk6pQQKN8Q2ZN:eIxneZnx53aN5nPEApcje9KWvl
Malware Config
Signatures

- Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\fservice.exe" | 5e6b6a20d040922e798e3f318c39884e_JaffaCakes118.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\fservice.exe" | services.exe

- Adds policy Run key to start application (2 TTPs, 4 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | services.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\DirectX For Microsoft® Windows = "C:\\Windows\\system32\\fservice.exe" | services.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | 5e6b6a20d040922e798e3f318c39884e_JaffaCakes118.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\DirectX For Microsoft® Windows = "C:\\Windows\\system32\\fservice.exe" | 5e6b6a20d040922e798e3f318c39884e_JaffaCakes118.exe

- Boot or Logon Autostart Execution: Active Setup (2 TTPs, 5 IoCs)
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\ | 5e6b6a20d040922e798e3f318c39884e_JaffaCakes118.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\StubPath = "C:\\Windows\\system\\sservice.exe" | 5e6b6a20d040922e798e3f318c39884e_JaffaCakes118.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\ | services.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\StubPath = "C:\\Windows\\system\\sservice.exe" | services.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y} | 5e6b6a20d040922e798e3f318c39884e_JaffaCakes118.exe

- Executes dropped EXE (2 IoCs)
  pid | Process
  3216 | fservice.exe
  828 | services.exe

- Loads dropped DLL (5 IoCs)
  pid | Process
  828 | services.exe (3 events)
  3216 | fservice.exe
  2860 | 5e6b6a20d040922e798e3f318c39884e_JaffaCakes118.exe

- Modifies WinLogon (2 TTPs, 2 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ | 5e6b6a20d040922e798e3f318c39884e_JaffaCakes118.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ | services.exe

- Drops file in System32 directory (7 IoCs)
  description | ioc | Process
  File created | C:\Windows\SysWOW64\fservice.exe | 5e6b6a20d040922e798e3f318c39884e_JaffaCakes118.exe
  File opened for modification | C:\Windows\SysWOW64\fservice.exe | 5e6b6a20d040922e798e3f318c39884e_JaffaCakes118.exe
  File created | C:\Windows\SysWOW64\fservice.exe | fservice.exe
  File opened for modification | C:\Windows\SysWOW64\fservice.exe | fservice.exe
  File created | C:\Windows\SysWOW64\wininv.dll | services.exe
  File created | C:\Windows\SysWOW64\winkey.dll | services.exe
  File created | C:\Windows\SysWOW64\fservice.exe | services.exe

- Drops file in Windows directory (7 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\system\sservice.exe | fservice.exe
  File created | C:\Windows\system\sservice.exe | services.exe
  File created | C:\Windows\system\sservice.exe | 5e6b6a20d040922e798e3f318c39884e_JaffaCakes118.exe
  File opened for modification | C:\Windows\system\sservice.exe | 5e6b6a20d040922e798e3f318c39884e_JaffaCakes118.exe
  File created | C:\Windows\services.exe | fservice.exe
  File opened for modification | C:\Windows\services.exe | fservice.exe
  File created | C:\Windows\system\sservice.exe | fservice.exe

- Modifies registry class (9 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | fservice.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | fservice.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | services.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | services.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | services.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | 5e6b6a20d040922e798e3f318c39884e_JaffaCakes118.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | 5e6b6a20d040922e798e3f318c39884e_JaffaCakes118.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | fservice.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | 5e6b6a20d040922e798e3f318c39884e_JaffaCakes118.exe

- Runs net.exe

- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  828 | services.exe (64 events)

- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | Process
  828 | services.exe (2 events)

- Suspicious use of WriteProcessMemory (21 IoCs)
  description | pid | Process | procid_target
  PID 2860 wrote to memory of 3216 | 2860 | 5e6b6a20d040922e798e3f318c39884e_JaffaCakes118.exe | 85 (3 events)
  PID 3216 wrote to memory of 828 | 3216 | fservice.exe | 86 (3 events)
  PID 828 wrote to memory of 4288 | 828 | services.exe | 87 (3 events)
  PID 828 wrote to memory of 2368 | 828 | services.exe | 88 (3 events)
  PID 2860 wrote to memory of 3532 | 2860 | 5e6b6a20d040922e798e3f318c39884e_JaffaCakes118.exe | 91 (3 events)
  PID 2368 wrote to memory of 2696 | 2368 | NET.exe | 93 (3 events)
  PID 4288 wrote to memory of 2068 | 4288 | NET.exe | 94 (3 events)
Processes

1. C:\Users\Admin\AppData\Local\Temp\5e6b6a20d040922e798e3f318c39884e_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\5e6b6a20d040922e798e3f318c39884e_JaffaCakes118.exe"
   PID: 2860
   - Modifies WinLogon for persistence
   - Adds policy Run key to start application
   - Boot or Logon Autostart Execution: Active Setup
   - Loads dropped DLL
   - Modifies WinLogon
   - Drops file in System32 directory
   - Drops file in Windows directory
   - Modifies registry class
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\fservice.exe
      Command line: C:\Windows\system32\fservice.exe
      PID: 3216
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Modifies registry class
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\services.exe
         Command line: C:\Windows\services.exe -XP
         PID: 828
         - Modifies WinLogon for persistence
         - Adds policy Run key to start application
         - Boot or Logon Autostart Execution: Active Setup
         - Executes dropped EXE
         - Loads dropped DLL
         - Modifies WinLogon
         - Drops file in System32 directory
         - Drops file in Windows directory
         - Modifies registry class
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\SysWOW64\NET.exe
            Command line: NET STOP SharedAccess
            PID: 4288
            - Suspicious use of WriteProcessMemory

            5. C:\Windows\SysWOW64\net1.exe
               Command line: C:\Windows\system32\net1 STOP SharedAccess
               PID: 2068

         4. C:\Windows\SysWOW64\NET.exe
            Command line: NET STOP navapsvc
            PID: 2368
            - Suspicious use of WriteProcessMemory

            5. C:\Windows\SysWOW64\net1.exe
               Command line: C:\Windows\system32\net1 STOP navapsvc
               PID: 2696

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\5e6b6a20d040922e798e3f318c39884e_JaffaCakes118.exe.bat
      PID: 3532
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (4)
    - Active Setup (1)
    - Registry Run Keys / Startup Folder (1)
    - Winlogon Helper DLL (2)
Downloads

- Filesize: 133B
  MD5: 86e31403b28c8a2787662a6de77e9afb
  SHA1: 2145ef598f072ba90a361668851c27b3cea90bc8
  SHA256: 89536e1763d77b028305a0f621a8e90093e20de8e16b363b35eceb827ef696ea
  SHA512: a688b2feb391a00e954d80768682731874afa54aa8e18650f52786cd92a6ba8e5e9813de2f42198dec1f851b7c01aaf4f930deea48842c693542a0d505a78ab5

- Filesize: 459KB
  MD5: 5e6b6a20d040922e798e3f318c39884e
  SHA1: c44dd1ea7e4733e1087ff8b4645c10a19fb1f788
  SHA256: 3c5f4ff9125a06d4d71b66549abcf769a045140c3d8ce43684295c21225277e4
  SHA512: fed8e286b532a8690bb9fb06bf3f9326095dea62e679437e46d4c64e5ca9bb3e8c04fbd1092f83ae46b64ba52cc294398ea627c0bd5ebe7d91341e8c0acb9149

- Filesize: 24KB
  MD5: 368b318d2cc9adbea49cef0074d17e96
  SHA1: b18760f14e568d8f774964134aa1f7e867f4051e
  SHA256: d39f82d8b6f8762d1d441925c70a07573fcc185a32b87849fb883fc5b8466da1
  SHA512: 33d1c669e26baa2359a286a94ca3acc6fefc78bf4bdfadee8299e8370678e9e22eefb68525871e2bd7bed36bfd04b2cdbed0812e51deb15fc957f5a40cd02dc5

- Filesize: 24KB
  MD5: ce854a2715fe2383ea7a1884ba94f39b
  SHA1: 3cd0418e3d797006e1781d42f3b85a228510132b
  SHA256: 19a30d817b19281c797c46e1aa48c27799896f2725b4ad9e434968a2e3d38965
  SHA512: 14f21a59f17c8d6e3411ffd820f258f4ec933494638931c59afb466d9901ba7431263c36bdc2790ff28752d4176c506581c0bc4b0d9e941c0fd061713c585604