Analysis
max time kernel: 143s
max time network: 118s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 25/07/2024, 10:34
Behavioral task: behavioral1
Sample: 6f38ca18877da4532b7ad3b69349a1d4_JaffaCakes118.exe
Resource: win7-20240704-en

General
Target: 6f38ca18877da4532b7ad3b69349a1d4_JaffaCakes118.exe
Size: 77KB
MD5: 6f38ca18877da4532b7ad3b69349a1d4
SHA1: 793fa2dc9a9d108f215be45d39533c95ff7661b6
SHA256: edce7ba96dd0f05c060f9085cf2735979a8d026fe0ceef484af9b36b356e72ce
SHA512: fb1d353672dd794bc4d30dd739a7bd56a871e56c30a1e4b458562acd0c8a5d0404b43b80a403fd76f4d9b639848a9c79c46f049c124314b678457021fc4f8491
SSDEEP: 1536:/QwOc0tE2Lfa9j336w5PQeTOJXOi4WEWod+58WUOW+RGaCCUn4Qy:/FsxfyHdh7TOdOi4JWod+58UW+RGaC/E
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  PID | Process
  2068 | servar.exe

  Resource | YARA rule
  behavioral1/memory/2532-1-0x0000000000400000-0x0000000001A97000-memory.dmp | vmprotect
  behavioral1/memory/2532-31-0x0000000000400000-0x0000000001A97000-memory.dmp | vmprotect

Drops file in Windows directory (2 IoCs)
  Description | IoC | Process
  File created | C:\windows\Comres.dll | 6f38ca18877da4532b7ad3b69349a1d4_JaffaCakes118.exe
  File created | C:\windows\servar.exe | 6f38ca18877da4532b7ad3b69349a1d4_JaffaCakes118.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Description | IoC | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 6f38ca18877da4532b7ad3b69349a1d4_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | servar.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe

Modifies system certificate store
  Description | IoC | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\68A12DE4422589E97E1C6396FE17B5024FE0547A | 6f38ca18877da4532b7ad3b69349a1d4_JaffaCakes118.exe
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\68A12DE4422589E97E1C6396FE17B5024FE0547A\Blob = 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 | 6f38ca18877da4532b7ad3b69349a1d4_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses (1 IoC)
  PID | Process
  2532 | 6f38ca18877da4532b7ad3b69349a1d4_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Description | PID | Process
  Token: SeBackupPrivilege | 2532 | 6f38ca18877da4532b7ad3b69349a1d4_JaffaCakes118.exe
  Token: SeRestorePrivilege | 2532 | 6f38ca18877da4532b7ad3b69349a1d4_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (8 IoCs)
  Description | PID | Process | procid_target
  PID 2532 wrote to memory of 2068 | 2532 | 6f38ca18877da4532b7ad3b69349a1d4_JaffaCakes118.exe | 30
  PID 2532 wrote to memory of 2068 | 2532 | 6f38ca18877da4532b7ad3b69349a1d4_JaffaCakes118.exe | 30
  PID 2532 wrote to memory of 2068 | 2532 | 6f38ca18877da4532b7ad3b69349a1d4_JaffaCakes118.exe | 30
  PID 2532 wrote to memory of 2068 | 2532 | 6f38ca18877da4532b7ad3b69349a1d4_JaffaCakes118.exe | 30
  PID 2532 wrote to memory of 1968 | 2532 | 6f38ca18877da4532b7ad3b69349a1d4_JaffaCakes118.exe | 31
  PID 2532 wrote to memory of 1968 | 2532 | 6f38ca18877da4532b7ad3b69349a1d4_JaffaCakes118.exe | 31
  PID 2532 wrote to memory of 1968 | 2532 | 6f38ca18877da4532b7ad3b69349a1d4_JaffaCakes118.exe | 31
  PID 2532 wrote to memory of 1968 | 2532 | 6f38ca18877da4532b7ad3b69349a1d4_JaffaCakes118.exe | 31
Processes
1. C:\Users\Admin\AppData\Local\Temp\6f38ca18877da4532b7ad3b69349a1d4_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\6f38ca18877da4532b7ad3b69349a1d4_JaffaCakes118.exe"
   PID: 2532
   - Drops file in Windows directory
   - System Location Discovery: System Language Discovery
   - Modifies system certificate store
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\windows\servar.exe
      Command line: "C:\windows\servar.exe"
      PID: 2068
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c afc9fe2f418b00a0.bat
      PID: 1968
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
Filesize: 2KB
MD5: 718b255b19ac24971a1c5de3a3dce33c
SHA1: 958044b7075e31c765fb9d85c5fdaf79bb4b7441
SHA256: 0e8eb42a5a28c2892bf90c24027a31e3574e9ab2198228594deb1016d2e03678
SHA512: ef27781fd0b56b0fd75c1824b17cf6edd6713069dc88638bc0914e2267e883352d014bde9cf407e6ec32d76000d0a7e6fe11be02f31054449e74774785f5402d

File 2
Filesize: 22.4MB
MD5: f85bf6b63d6900fe957ec3de292963fe
SHA1: 014504f74bfa4ceb0fee528e9f8ebfaef3ba5906
SHA256: 8991cdf1bdfb0fd59441543f03b5e0d8f4951c9ea84737f18d0423a67a2d731d
SHA512: ca3ca75368b179e4b05356d2e355714e8e04ddd4110241d8f62f9b52a7972322a051b32d3cfa145af7debb49c1347c5ca8c33daeed46e362979e6ba3d2b5bc86