Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 121s
- max time network: 138s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 23/07/2024, 11:10
Static task: static1
Behavioral task: behavioral1
  Sample: 675893111f243b965cbf829005f0612c_JaffaCakes118.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 675893111f243b965cbf829005f0612c_JaffaCakes118.exe
  Resource: win10v2004-20240709-en
General
- Target: 675893111f243b965cbf829005f0612c_JaffaCakes118.exe
- Size: 47KB
- MD5: 675893111f243b965cbf829005f0612c
- SHA1: bb0f943d4373b30297f02ba3f6c4746faf25a731
- SHA256: 5d36244f243c33c7f0700231d92558d7ea84975310fb34900b7265560ee99e99
- SHA512: 60ee509f19d417209504936521f0494560d331b1f1c9499cb58fdaf6158786604d10135d1a7e97bcc93078aacf03a291fc3d58f982d3b8f60fec756e22393cf0
- SSDEEP: 768:8PZ7qtPegxpQozpzpn7UM4epXNeyvrvlTaXRubLrlFLy/CoNh/BRijM1/f/nKXlB:DBtQOzJUMRNXvxTaXEpI/7hz/3n6B
Malware Config
Signatures
- Deletes itself (1 IoCs)
  pid 2528, process cmd.exe
- Loads dropped DLL (1 IoCs)
  pid 2292, process 675893111f243b965cbf829005f0612c_JaffaCakes118.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Token 33, pid 2292, process 675893111f243b965cbf829005f0612c_JaffaCakes118.exe
  Token SeIncBasePriorityPrivilege, pid 2292, process 675893111f243b965cbf829005f0612c_JaffaCakes118.exe
  Token 33, pid 2292, process 675893111f243b965cbf829005f0612c_JaffaCakes118.exe
  Token SeIncBasePriorityPrivilege, pid 2292, process 675893111f243b965cbf829005f0612c_JaffaCakes118.exe
- Suspicious use of FindShellTrayWindow (1 IoCs)
  pid 2724, process iexplore.exe
- Suspicious use of SetWindowsHookEx (4 IoCs)
  pid 2724 iexplore.exe; pid 2724 iexplore.exe; pid 2076 IEXPLORE.EXE; pid 2076 IEXPLORE.EXE
- Suspicious use of WriteProcessMemory (22 IoCs)
Processes
- C:\Users\Admin\AppData\Local\Temp\675893111f243b965cbf829005f0612c_JaffaCakes118.exe (PID 2292)
  Command line: "C:\Users\Admin\AppData\Local\Temp\675893111f243b965cbf829005f0612c_JaffaCakes118.exe"
  Signatures: Loads dropped DLL; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 1828)
    Command line: cmd /c start iexplore -embedding
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Program Files\Internet Explorer\iexplore.exe (PID 2724)
      Command line: "C:\Program Files\Internet Explorer\iexplore.exe" -embedding
      Signatures: Modifies Internet Explorer settings; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 2076)
        Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2724 CREDAT:275457 /prefetch:2
        Signatures: Modifies Internet Explorer settings; Suspicious use of SetWindowsHookEx
  - C:\Windows\SysWOW64\cmd.exe (PID 2628)
    Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\gos20BA.bat"
  - C:\Windows\SysWOW64\cmd.exe (PID 2528)
    Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\675893111f243b965cbf829005f0612c_JaffaCakes118.bat"
    Signatures: Deletes itself
Network
MITRE ATT&CK Enterprise v15
Downloads