Analysis
max time kernel: 140s
max time network: 134s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 20/07/2024, 05:18
Static task: static1
Behavioral task: behavioral1
  Sample: 5f2aaa3458a8a94a91dd71586935b2b2_JaffaCakes118.exe
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: 5f2aaa3458a8a94a91dd71586935b2b2_JaffaCakes118.exe
  Resource: win10v2004-20240709-en
General
Target: 5f2aaa3458a8a94a91dd71586935b2b2_JaffaCakes118.exe
Size: 770KB
MD5: 5f2aaa3458a8a94a91dd71586935b2b2
SHA1: a16221e31c960dafe501a3fca7e394d92c0e0682
SHA256: af351378c41c581f1f9b8fb2d80090e4aa1ec844c417eb0ebae479be4cbc6ce3
SHA512: fc3a35ba008523cb21e4006b34e5fcf7e8935471c4ccf40661737dad62f5de4acc0e83f8d7692517e93488b06290edb913a0e9f9a790c54dde06bdacb055e094
SSDEEP: 12288:0krXV6E2/ZX7kGRE/E2HjwZCSBcbn68wGhQ4kkR7DaKAa9VSaQwBirzeF58Lm32:XF6E2BX4qByk4vwGhQ4w+BomWY2
Malware Config
Signatures
Adds policy Run key to start application (2 TTPs, 2 IoCs)
  description     | ioc | Process
  Key created     | \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | reg.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\scrss.exe = "\"C:\\Users\\Admin\\AppData\\Local\\scrss.exe \"" | reg.exe

Executes dropped EXE (2 IoCs)
  pid  | Process
  2400 | option.exe
  2992 | scrss.exe

Loads dropped DLL (6 IoCs)
  pid  | Process
  1872 | 5f2aaa3458a8a94a91dd71586935b2b2_JaffaCakes118.exe (4 entries)
  2992 | scrss.exe
  2400 | option.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Modifies registry key (1 TTP, 1 IoC)
  pid  | Process
  2976 | reg.exe

Suspicious behavior: EnumeratesProcesses (10 IoCs)
  pid  | Process
  1872 | 5f2aaa3458a8a94a91dd71586935b2b2_JaffaCakes118.exe (9 entries)
  2992 | scrss.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description                      | pid  | Process
  Token: SeIncBasePriorityPrivilege | 1872 | 5f2aaa3458a8a94a91dd71586935b2b2_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx (4 IoCs)
  pid  | Process
  2992 | scrss.exe
  2400 | option.exe (3 entries)

Suspicious use of WriteProcessMemory (20 IoCs; each row below was logged 4 times)
  description                        | pid  | Process | procid_target
  PID 1872 wrote to memory of 2400   | 1872 | 5f2aaa3458a8a94a91dd71586935b2b2_JaffaCakes118.exe | 30
  PID 1872 wrote to memory of 2992   | 1872 | 5f2aaa3458a8a94a91dd71586935b2b2_JaffaCakes118.exe | 31
  PID 1872 wrote to memory of 2932   | 1872 | 5f2aaa3458a8a94a91dd71586935b2b2_JaffaCakes118.exe | 32
  PID 2932 wrote to memory of 2096   | 2932 | cmd.exe | 34
  PID 2096 wrote to memory of 2976   | 2096 | cmd.exe | 35
Processes
C:\Users\Admin\AppData\Local\Temp\5f2aaa3458a8a94a91dd71586935b2b2_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5f2aaa3458a8a94a91dd71586935b2b2_JaffaCakes118.exe"
  PID: 1872
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\option.exe
    Command line: "C:\Users\Admin\AppData\Local\option.exe"
    PID: 2400
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
  C:\Users\Admin\AppData\Local\scrss.exe
    Command line: "C:\Users\Admin\AppData\Local\scrss.exe"
    PID: 2992
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c syscheck.bat
    PID: 2932
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /V scrss.exe /D "\"C:\Users\Admin\AppData\Local\scrss.exe \"" /f
      PID: 2096
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /V scrss.exe /D "\"C:\Users\Admin\AppData\Local\scrss.exe \"" /f
        PID: 2976
        - Adds policy Run key to start application
        - Modifies registry key
Network
MITRE ATT&CK Enterprise v15
Downloads