Analysis
  max time kernel   149s
  max time network  140s
  platform          windows7_x64
  resource          win7-20240704-en
  resource tags     arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  submitted         20/07/2024, 08:28
Static task      static1
Behavioral task  behavioral1
  Sample    5fc17490c95c2ff2641f5543f3ce1dea_JaffaCakes118.exe
  Resource  win7-20240704-en
Behavioral task  behavioral2
  Sample    5fc17490c95c2ff2641f5543f3ce1dea_JaffaCakes118.exe
  Resource  win10v2004-20240709-en
General
  Target  5fc17490c95c2ff2641f5543f3ce1dea_JaffaCakes118.exe
  Size    1.0MB
  MD5     5fc17490c95c2ff2641f5543f3ce1dea
  SHA1    d39b139c9cca542f423623f85a8c1833dad34902
  SHA256  beefe556c769966d5fb10ffb888c5d4983dce84185ba47ecc5a5ff4b36006d46
  SHA512  54eae9e1d2070e133d0e41e1f8d10530ac84aca04d8fb62c5a1e53a5f3ba3d082963b04158ce3a15c3ca425d553e46d1d122bff637aba71f80a86b2434843937
  SSDEEP  24576:lPWmOKWvpckja5YOXEbj+Veniiv1gOpJ8Y3Sdr:lP2KWGzxiv12
Malware Config
Signatures

Modifies firewall policy service (3 TTPs, 8 IoCs)
  description     | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe
  Key created     | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe = "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\vbc.exe:*:Enabled:Windows Messanger" | reg.exe
  Key created     | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\bot.exe = "C:\\Users\\Admin\\AppData\\Roaming\\bot.exe:*:Enabled:Windows Messanger" | reg.exe
  Key created     | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe
  Key created     | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe

Executes dropped EXE (2 IoCs)
  pid  | Process
  2280 | msnmsgr.exe
  2172 | msnmsgr.exe

Loads dropped DLL (7 IoCs)
  pid  | Process
  1828 | 5fc17490c95c2ff2641f5543f3ce1dea_JaffaCakes118.exe
  1828 | 5fc17490c95c2ff2641f5543f3ce1dea_JaffaCakes118.exe
  2280 | msnmsgr.exe
  2280 | msnmsgr.exe
  2172 | msnmsgr.exe
  2172 | msnmsgr.exe
  2172 | msnmsgr.exe

Uses the VBS compiler for execution (1 TTPs)

Adds Run key to start application (2 TTPs, 1 IoCs)
  description     | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\msnmsgr.exe = "C:\\Users\\Admin\\AppData\\Roaming\\lwOcxluTOqsZtyHwcllkpMTaFSRhkn\\lwOcxluTOqsZtyHwcllkpMTaFSRhkn\\0.0.0.0\\msnmsgr.exe" | msnmsgr.exe

Suspicious use of SetThreadContext (1 IoCs)
  description                          | pid  | Process     | procid_target
  PID 2172 set thread context of 2776  | 2172 | msnmsgr.exe | 33

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Modifies registry key (1 TTPs, 4 IoCs)
  pid  | Process
  1148 | reg.exe
  2804 | reg.exe
  1196 | reg.exe
  2584 | reg.exe

Suspicious use of AdjustPrivilegeToken (35 IoCs)
  All 35 entries are for pid 2776, Process vbc.exe. Tokens:
  1, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 31, 32, 33, 34, 35

Suspicious use of SetWindowsHookEx (3 IoCs)
  pid  | Process
  2776 | vbc.exe
  2776 | vbc.exe
  2776 | vbc.exe

Suspicious use of WriteProcessMemory (48 IoCs)
  description                       | pid  | Process                                             | procid_target | entries
  PID 1828 wrote to memory of 2280  | 1828 | 5fc17490c95c2ff2641f5543f3ce1dea_JaffaCakes118.exe | 31            | 4
  PID 2280 wrote to memory of 2172  | 2280 | msnmsgr.exe                                         | 32            | 4
  PID 2172 wrote to memory of 2776  | 2172 | msnmsgr.exe                                         | 33            | 8
  PID 2776 wrote to memory of 2588  | 2776 | vbc.exe                                             | 34            | 4
  PID 2776 wrote to memory of 2596  | 2776 | vbc.exe                                             | 35            | 4
  PID 2776 wrote to memory of 1540  | 2776 | vbc.exe                                             | 36            | 4
  PID 2776 wrote to memory of 2540  | 2776 | vbc.exe                                             | 37            | 4
  PID 2540 wrote to memory of 2804  | 2540 | cmd.exe                                             | 42            | 4
  PID 1540 wrote to memory of 1196  | 1540 | cmd.exe                                             | 43            | 4
  PID 2596 wrote to memory of 2584  | 2596 | cmd.exe                                             | 44            | 4
  PID 2588 wrote to memory of 1148  | 2588 | cmd.exe                                             | 45            | 4
Processes

[1] C:\Users\Admin\AppData\Local\Temp\5fc17490c95c2ff2641f5543f3ce1dea_JaffaCakes118.exe
    Command: "C:\Users\Admin\AppData\Local\Temp\5fc17490c95c2ff2641f5543f3ce1dea_JaffaCakes118.exe"
    PID: 1828
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

  [2] C:\Users\Admin\AppData\Local\Temp\msnmsgr.exe
      Command: "C:\Users\Admin\AppData\Local\Temp\msnmsgr.exe"
      PID: 2280
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory

    [3] C:\Users\Admin\AppData\Roaming\lwOcxluTOqsZtyHwcllkpMTaFSRhkn\lwOcxluTOqsZtyHwcllkpMTaFSRhkn\0.0.0.0\msnmsgr.exe
        Command: C:\Users\Admin\AppData\Roaming\lwOcxluTOqsZtyHwcllkpMTaFSRhkn\lwOcxluTOqsZtyHwcllkpMTaFSRhkn\0.0.0.0\msnmsgr.exe
        PID: 2172
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          Command: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          PID: 2776
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory

        [5] C:\Windows\SysWOW64\cmd.exe
            Command: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
            PID: 2588
            - Suspicious use of WriteProcessMemory

          [6] C:\Windows\SysWOW64\reg.exe
              Command: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
              PID: 1148
              - Modifies firewall policy service
              - Modifies registry key

        [5] C:\Windows\SysWOW64\cmd.exe
            Command: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe:*:Enabled:Windows Messanger" /f
            PID: 2596
            - Suspicious use of WriteProcessMemory

          [6] C:\Windows\SysWOW64\reg.exe
              Command: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe:*:Enabled:Windows Messanger" /f
              PID: 2584
              - Modifies firewall policy service
              - Modifies registry key

        [5] C:\Windows\SysWOW64\cmd.exe
            Command: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
            PID: 1540
            - Suspicious use of WriteProcessMemory

          [6] C:\Windows\SysWOW64\reg.exe
              Command: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
              PID: 1196
              - Modifies firewall policy service
              - Modifies registry key

        [5] C:\Windows\SysWOW64\cmd.exe
            Command: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\bot.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\bot.exe:*:Enabled:Windows Messanger" /f
            PID: 2540
            - Suspicious use of WriteProcessMemory

          [6] C:\Windows\SysWOW64\reg.exe
              Command: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\bot.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\bot.exe:*:Enabled:Windows Messanger" /f
              PID: 2804
              - Modifies firewall policy service
              - Modifies registry key
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)

Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads

C:\Users\Admin\AppData\Roaming\lwOcxluTOqsZtyHwcllkpMTaFSRhkn\lwOcxluTOqsZtyHwcllkpMTaFSRhkn\0.0.0.0\User32.dll
  Filesize  18KB
  MD5       5fa07d6c6384d703766d7935de68850e
  SHA1      62f28a572b4d1d359db7017235912ad2599b8c1d
  SHA256    120e15dcc4a957649553cd92a5477db9dcbfd9a2cd821e1c904044b5a92d726f
  SHA512    7775375f44e0cb00f9bffc023d797dbdb01ebe8429ccfacd7df57beb04427ef309c192d571051242aad1bc400f721f449f86deeb1e5f5d64b6f516bf24e92cc4

(second download, no path listed in the report)
  Filesize  760KB
  MD5       43cad5f1c98c84a4bd4b9825e7ce1cbb
  SHA1      1e37248419ac06e1cefd5238c7e5945af41ee3eb
  SHA256    c704cf2ac3792a28a7b325e28bbd839a7a9cd3ebe950f42487b7f4dab8757cba
  SHA512    d8e3d1fc5a06fe0cf50ce980b4ff7f3c56c33464a759f7a215482ee66e0a524e0975db0b3116ef53d04df41d674df3a07d6badb9dd36b99f12aaa5e048191e02