Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    150s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  • submitted
    25/07/2024, 16:02

General

  • Target
    7046c23f48f52b97038e69e782044cbd_JaffaCakes118.exe
  • Size
    484KB
  • MD5
    7046c23f48f52b97038e69e782044cbd
  • SHA1
    e3e20833e358a5db26d3393f29e3eb8665aea9aa
  • SHA256
    5fad4bfd723fec95c1bf2427014bfff853d92aab283e8411af08a598a2e86590
  • SHA512
    2694e9b94f99d0e350427fd89408aef3ebd4c4ff656669d7599aca491aaf6547f14da11593d4c6b4bfe9bf22a3ec29abb484891356f169e20cbc6a5aff0ac4ba
  • SSDEEP
    12288:5P9GBWQch+L/ZgHP+v7xK0DmFwUfIp7JVyvWt1aBnSFAPHzeO:5PoBHch+uudKNffiv1aVSaPTeO

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Loads dropped DLL 14 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 11 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 54 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Modifies registry class 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
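
Two of the signatures above, "Adds Run key to start application" and "Modifies visibility of hidden/system files in Explorer", are the ones a responder can confirm on a live host from the registry alone. The following audit is an added example, not part of the tria.ge report and not tria.ge's signature logic. Its core is a pure function over (hive, key, value name, data) tuples so it runs anywhere; on Windows the optional collector reads the live keys with `winreg`. The sample entries are constructed to mirror this report (executables dropped directly under C:\Users\Admin and registered under the HKCU Run key; the value names V6oUpCF0mC and naoeyeq are invented, the report does not list them). The check for Explorer's `Hidden` and `ShowSuperHidden` values is an assumption about what the "Modifies visibility" signature corresponds to; the report does not name the values it matched.

```python
"""Audit Run keys and Explorer hidden-file settings (added example)."""
import ntpath
import re
from typing import List, Tuple

Entry = Tuple[str, str, str, object]  # hive, key, value name, data

RUN_KEYS = [
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\RunOnce"),
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\RunOnce"),
]
ADVANCED_KEY = ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced")

# Heuristic from this report: the dropped executables sit directly in the
# profile root (C:\Users\Admin\*.exe), not in AppData or Program Files.
USER_ROOT_RE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+$", re.IGNORECASE)
# First token of a Run value, with or without surrounding quotes.
EXE_RE = re.compile(r'^\s*"?([^"]+?\.exe)"?', re.IGNORECASE)


def image_path(data: str) -> str:
    """Strip quotes and arguments from a Run value to get the executable path."""
    m = EXE_RE.match(data)
    return m.group(1) if m else data.strip()


def audit(entries: List[Entry]) -> List[str]:
    """Return one finding string per suspicious entry."""
    findings: List[str] = []
    for hive, key, name, data in entries:
        k = key.lower()
        if k.endswith(("\\run", "\\runonce")) and isinstance(data, str):
            path = image_path(data)
            if USER_ROOT_RE.match(ntpath.dirname(path)):
                findings.append(f"run-key {hive}\\{key}\\{name} -> {path} "
                                "(executable directly under a user profile root)")
        if k.endswith("\\explorer\\advanced"):
            # Hidden=2 hides hidden files; ShowSuperHidden=0 hides protected OS files.
            if name.lower() == "hidden" and data == 2:
                findings.append("explorer Hidden=2 (hidden files not shown)")
            if name.lower() == "showsuperhidden" and data == 0:
                findings.append("explorer ShowSuperHidden=0 (protected OS files not shown)")
    return findings


def collect_live() -> List[Entry]:
    """Read the audited keys from the live registry (Windows only)."""
    import winreg  # imported here so the pure part of the module loads elsewhere
    hives = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    out: List[Entry] = []
    for hive, key in RUN_KEYS + [ADVANCED_KEY]:
        try:
            with winreg.OpenKey(hives[hive], key) as k:
                i = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(k, i)
                    except OSError:  # no more values
                        break
                    out.append((hive, key, name, data))
                    i += 1
        except OSError:  # key absent or not readable
            continue
    return out


# Constructed sample, modelled on this report; value names are invented.
RUN = RUN_KEYS[0][1]
SAMPLE_ENTRIES: List[Entry] = [
    ("HKCU", RUN, "V6oUpCF0mC", r"C:\Users\Admin\V6oUpCF0mC.exe"),
    ("HKCU", RUN, "naoeyeq", r'"C:\Users\Admin\naoeyeq.exe"'),
    ("HKCU", RUN, "OneDrive", r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("HKCU", ADVANCED_KEY[1], "Hidden", 2),
    ("HKCU", ADVANCED_KEY[1], "ShowSuperHidden", 0),
    ("HKCU", ADVANCED_KEY[1], "HideFileExt", 1),
]

if __name__ == "__main__":
    for line in audit(SAMPLE_ENTRIES):
        print(line)
```

On a live Windows host replace `SAMPLE_ENTRIES` with `collect_live()`; the profile-root rule is a heuristic tuned to this sample's drop location and will need adjusting for installers that legitimately run from the profile.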

Processes

  • C:\Windows\system32\csrss.exe
    %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
    1⤵
    • Executes dropped EXE
    • Drops desktop.ini file(s)
    • Suspicious use of UnmapMainImage
    PID:336
  • C:\Users\Admin\AppData\Local\Temp\7046c23f48f52b97038e69e782044cbd_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\7046c23f48f52b97038e69e782044cbd_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2132
    • C:\Users\Admin\AppData\Local\Temp\7046c23f48f52b97038e69e782044cbd_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\7046c23f48f52b97038e69e782044cbd_JaffaCakes118.exe"
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2320
      • C:\Users\Admin\V6oUpCF0mC.exe
        C:\Users\Admin\V6oUpCF0mC.exe
        3⤵
        • Modifies visibility of hidden/system files in Explorer
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2756
        • C:\Users\Admin\naoeyeq.exe
          "C:\Users\Admin\naoeyeq.exe"
          4⤵
          • Modifies visibility of hidden/system files in Explorer
          • Executes dropped EXE
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          PID:2684
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c tasklist&&del V6oUpCF0mC.exe
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2552
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist
            5⤵
            • Enumerates processes with tasklist
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:2956
      • C:\Users\Admin\ayhost.exe
        C:\Users\Admin\ayhost.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1208
        • C:\Users\Admin\ayhost.exe
          "C:\Users\Admin\ayhost.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          PID:1068
      • C:\Users\Admin\byhost.exe
        C:\Users\Admin\byhost.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2908
        • C:\Users\Admin\byhost.exe
          "C:\Users\Admin\byhost.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2324
          • C:\Windows\explorer.exe
            0000003C*
            5⤵
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2940
      • C:\Users\Admin\cyhost.exe
        C:\Users\Admin\cyhost.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:588
        • C:\Users\Admin\cyhost.exe
          C:\Users\Admin\cyhost.exe startC:\Users\Admin\AppData\Roaming\conhost.exe%C:\Users\Admin\AppData\Roaming
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2128
        • C:\Users\Admin\cyhost.exe
          C:\Users\Admin\cyhost.exe startC:\Users\Admin\AppData\Local\Temp\dwm.exe%C:\Users\Admin\AppData\Local\Temp
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:3000
      • C:\Users\Admin\dyhost.exe
        C:\Users\Admin\dyhost.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2712
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c tasklist&&del 7046c23f48f52b97038e69e782044cbd_JaffaCakes118.exe
        3⤵
        • Deletes itself
        • System Location Discovery: System Language Discovery
        PID:1632
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          4⤵
          • Enumerates processes with tasklist
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:2732
  • C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
    1⤵
    • Loads dropped DLL
    PID:2360
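
The tree above shows the two behaviours worth pulling out of any process log for this sample: the sample and its dropper V6oUpCF0mC.exe each spawn `cmd.exe /c tasklist&&del <own image name>` (the report's "Deletes itself" and "Enumerates processes with tasklist" signatures; tasklist runs first so the parent has exited and released its file before del executes), and several executables re-launch a copy of their own image, which alongside "Suspicious use of SetThreadContext" on the parent is consistent with injecting into a suspended child. The following triage script is an added example, not part of the tria.ge report. Its input is constructed from the tree above (PIDs, image paths and command lines as listed, parent PIDs taken from the indentation; the top-level processes have no parent shown, so theirs is None), and the field names are the example's own rather than any particular log format.

```python
"""Process-tree triage over constructed process-creation events (added example)."""
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: Optional[int]  # None where the report shows no parent
    image: str
    cmdline: str


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\7046c23f48f52b97038e69e782044cbd_JaffaCakes118.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
TASKLIST = r"C:\Windows\SysWOW64\tasklist.exe"
U = r"C:\Users\Admin"

# Constructed from the Processes tree in the report above.
EVENTS: List[ProcEvent] = [
    ProcEvent(336, None, r"C:\Windows\system32\csrss.exe", r"%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16"),
    ProcEvent(2132, None, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(2320, 2132, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(2756, 2320, U + r"\V6oUpCF0mC.exe", U + r"\V6oUpCF0mC.exe"),
    ProcEvent(2684, 2756, U + r"\naoeyeq.exe", f'"{U}\\naoeyeq.exe"'),
    ProcEvent(2552, 2756, CMD, r'"C:\Windows\System32\cmd.exe" /c tasklist&&del V6oUpCF0mC.exe'),
    ProcEvent(2956, 2552, TASKLIST, "tasklist"),
    ProcEvent(1208, 2320, U + r"\ayhost.exe", U + r"\ayhost.exe"),
    ProcEvent(1068, 1208, U + r"\ayhost.exe", f'"{U}\\ayhost.exe"'),
    ProcEvent(2908, 2320, U + r"\byhost.exe", U + r"\byhost.exe"),
    ProcEvent(2324, 2908, U + r"\byhost.exe", f'"{U}\\byhost.exe"'),
    ProcEvent(2940, 2324, r"C:\Windows\explorer.exe", "0000003C*"),
    ProcEvent(588, 2320, U + r"\cyhost.exe", U + r"\cyhost.exe"),
    ProcEvent(2128, 588, U + r"\cyhost.exe", U + r"\cyhost.exe start" + U + r"\AppData\Roaming\conhost.exe%" + U + r"\AppData\Roaming"),
    ProcEvent(3000, 588, U + r"\cyhost.exe", U + r"\cyhost.exe start" + U + r"\AppData\Local\Temp\dwm.exe%" + U + r"\AppData\Local\Temp"),
    ProcEvent(2712, 2320, U + r"\dyhost.exe", U + r"\dyhost.exe"),
    ProcEvent(1632, 2320, CMD, r'"C:\Windows\System32\cmd.exe" /c tasklist&&del 7046c23f48f52b97038e69e782044cbd_JaffaCakes118.exe'),
    ProcEvent(2732, 1632, TASKLIST, "tasklist"),
    ProcEvent(2360, None, r"C:\Windows\system32\DllHost.exe", r"C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}"),
]

# `cmd /c tasklist&&del <file>`: the name after del is compared with the parent's image.
SELF_DELETE_RE = re.compile(r"/c\s+tasklist\s*&&\s*del\s+(\S+)", re.IGNORECASE)
# Executables living directly under C:\Users\<name>, as the dropped files here do.
USER_ROOT_RE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+$", re.IGNORECASE)


def by_pid(events: List[ProcEvent]) -> Dict[int, ProcEvent]:
    return {e.pid: e for e in events}


def lineage(events: List[ProcEvent], pid: int) -> List[int]:
    """PIDs from `pid` up to the root shown in the log, child first."""
    table = by_pid(events)
    chain: List[int] = []
    cur = table.get(pid)
    while cur is not None and cur.pid not in chain:  # cycle guard for PID reuse
        chain.append(cur.pid)
        cur = table.get(cur.ppid) if cur.ppid is not None else None
    return chain


def find_self_delete(events: List[ProcEvent]) -> List[Tuple[int, int, str]]:
    """(cmd pid, parent pid, deleted name) where cmd.exe deletes its parent's own image."""
    table = by_pid(events)
    hits: List[Tuple[int, int, str]] = []
    for e in events:
        if ntpath.basename(e.image).lower() != "cmd.exe":
            continue
        m = SELF_DELETE_RE.search(e.cmdline)
        parent = table.get(e.ppid) if e.ppid is not None else None
        if m and parent and m.group(1).lower() == ntpath.basename(parent.image).lower():
            hits.append((e.pid, parent.pid, m.group(1)))
    return hits


def find_self_reexec(events: List[ProcEvent]) -> List[Tuple[int, int]]:
    """(child pid, parent pid) where the child runs the same image as its parent."""
    table = by_pid(events)
    return [(e.pid, e.ppid) for e in events
            if e.ppid in table and table[e.ppid].image.lower() == e.image.lower()]


def find_user_root_images(events: List[ProcEvent]) -> List[str]:
    """Distinct executed images that sit directly under a user profile root."""
    return sorted({e.image for e in events if USER_ROOT_RE.match(ntpath.dirname(e.image))})


if __name__ == "__main__":
    print("self-delete:", find_self_delete(EVENTS))
    print("self-reexec:", find_self_reexec(EVENTS))
    print("profile-root images:", find_user_root_images(EVENTS))
    print("lineage of tasklist 2956:", lineage(EVENTS, 2956))
```

The lineage helper is what ties a noisy leaf such as tasklist.exe back to the original sample; the self-reexec check is a heuristic only (legitimate software also spawns copies of itself) and gains its weight here from the SetThreadContext and WriteProcessMemory flags on the same parents.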

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\02E7.7D7
    Filesize: 600B
    MD5: a3eec1763e0048a9136cf571dc18f086
    SHA1: d8997a780e7764daaa84ae443045ffa25e6f5d09
    SHA256: f51d81ff252c5c1d78fe3ca86a80f29a4dfe2a275294a3b45715836c9620be29
    SHA512: 198049f3920465f37c24aa80cf7819651d6963c65fe632a5852ba72cf87c3361276e3a767158b3e54f16969b172bd89433594848ae382f0cea3652e0be34b23d
  • C:\Users\Admin\AppData\Roaming\02E7.7D7
    Filesize: 996B
    MD5: 8c3ff6906b9cfdaf86629ba47fea6a14
    SHA1: 50a0d0e1c18ed636c23900cf7d41b0ae5a67e313
    SHA256: 7b5366f578f4228ab9f42d83eb06b4659ddbd15e9e722ef5b9ebedd1e8e77517
    SHA512: d3d1eef96a9b04095ce11945b3bd8a7b81c7bf0698d13f908f01aae610118527792e8b8d04e50e86308853d4fd7a57770656c56d7f220f50df0f76328bfea2e6
  • C:\Users\Admin\AppData\Roaming\02E7.7D7
    Filesize: 1KB
    MD5: e48dd849acf1d7d809b3efd92d4340bd
    SHA1: 036210d5ed2a988a64a884f1fadd838a2c737333
    SHA256: 241ca57ec1659a6337d8af7f97bd76a86387a0b5542e4ddb5bb4f18def57fb52
    SHA512: 0002d3ba2e1cddf2b1f7366b2cf1caebd3824acd616a70a3ce80b08ce9bdf4ee9f925135bbbd05b55d2452e29be95162f69ac73355fcfdeef38dee9ac47960a5
  • C:\Windows\system32\consrv.DLL
    Filesize: 53KB
    MD5: 68689b2e7472e2cfb3f39da8a59505d9
    SHA1: 5be15784ab1193dc13ac24ec1efcabded5fe2df4
    SHA256: f304eb2cf6479a4fb36fef81c6df4d0225e251002e8f06f26ee196210bf3d168
    SHA512: 269999061cd54b23b92d385689682e687ae9030bc5d26d79dd5e99f72fa4b4eef41f5a7b555325bd558771db92e2feb8a67fb40c87223be9e23ccb498b3bbc88
  • \Users\Admin\V6oUpCF0mC.exe
    Filesize: 332KB
    MD5: b96dc0230580570446ab648e20a7e3b3
    SHA1: 27483df87ef7093d51062fb2d2fc9944f94c23fb
    SHA256: 2c65220c1c3ec6cb3282759e1d583b598ad43bf09484239325ae06b961bf0af0
    SHA512: b8dd8743eb45f9dcc0d74b5cf450ef2950482e5c33dcdb5ab9494ad2e396d7ea5ebd80d477fca52a25a46cede6e2c31eb2647612090fda72d7e61e49913c042f
  • \Users\Admin\ayhost.exe
    Filesize: 68KB
    MD5: 2c7c2d4e9c03a1818621def0e1281a81
    SHA1: c92b29a7f6e9998c7a86b9b57cff15f28647a127
    SHA256: 9fb6cf502b6a872ed2e58666672db9fdc0eb57e6ff5a5677b6dbc8de42193f3e
    SHA512: 431cadf9b1d4de1dd0c5efebd5bae2af2ac0f6c98a2d71a5f7bc72e2421ecf77d67616d805bb643680192de6c8921e894a48a538276492567524c4267a4e4a66
  • \Users\Admin\byhost.exe
    Filesize: 136KB
    MD5: 1d0f81b6e185ec95e716d2a0b2ba69a1
    SHA1: 09399ffa69ae8bfd9794104bc4b7b4f481980e3a
    SHA256: abe89315434ce50001a90c9bdd662a0c42fa90d95acdf5baed5823d760e4f878
    SHA512: 6c4ecc1346bfc9952d7a1a2cb30ed5076bec24db099bb3fe20a248b19f56c075ff592d03100a1a3660ad5f47dfaff6a64b6b2bebe1bcbc7ce747f968a4c7e6b1
  • \Users\Admin\cyhost.exe
    Filesize: 168KB
    MD5: 234bf3937f8fe09351acc53c059b40d2
    SHA1: 256f162b65eacc7a1fee35722fbfdbd55bba93c7
    SHA256: 86c568452305c3943eb7d1530cef65c75f6fac39d178082783db8b12fc8eef2b
    SHA512: 6c768729abebd0b9bde9712ee827262c433ac928bb638b9176ef7f4085c2d2b4fdfa3cacffdb7da477d23a1e0ce32e63cba2ab9ace1f45dfcc8109b2c68812b7
  • \Users\Admin\dyhost.exe
    Filesize: 24KB
    MD5: 9814ec05c8857737f599ba75b1610fb1
    SHA1: aa9d9b016c2feda03cf6ad1bbca332070eb9b295
    SHA256: a68f44fa166ade605dfd2e5827a8ca3fa21141eda423c096d1f41d9bf172e597
    SHA512: c9daf5d8015ab4d5e0c333b986e04a917a596aef6d61baf43f53e5da346e3e665cd16eb5da35726713689dca991a03fbfa137b7f3f879c77779a477a89a0268d
  • \Users\Admin\naoeyeq.exe
    Filesize: 332KB
    MD5: a2e4bc084dbbd56769e8297b59dc2932
    SHA1: 82036d17e169a920b9f048661718f16739c3b267
    SHA256: f962490a4894b49f016339c0f773073bb6030897772ddb7ac8d1408737d26f87
    SHA512: 1e557af983e41b7905ca09d8b087d569765ee23e923554aed0d44b9560252bfa83290f4350612a9a59af5e8683081e5e791d0c47437f0c2a839f07fe78af02af
  • \Windows\assembly\GAC_32\Desktop.ini
    Filesize: 4KB
    MD5: ff7d5ec20bf73c02317e7a740fffe018
    SHA1: 365ac8cfe5b939854cc1c341caf051bcc45f9372
    SHA256: 1e230847d7034f5ab3bf010f569315e00673859af0574fc9f915636ed905779a
    SHA512: 30854c0d703fd7c6cbc0769d9be4125baa2577ec529d5e48177a434685b66752fd79c50f0321324e23eeb985738f403347748afefae7d8a3bfad388a5b512a44
  • \Windows\assembly\GAC_64\Desktop.ini
    Filesize: 5KB
    MD5: 3e7a118b119428247edfc5d5ef3761bc
    SHA1: 140e4cb00107678160411f016c4c17611580a209
    SHA256: 97c19f4103a16798202e50a501375d0bf3d7ec1bb654dda230337e85b01b1ec5
    SHA512: b0e27a4d7aa62f937f275b9f413f75857846ae670bf3aed6e55c1db865485fda89e33dcdffa02ae2ab25f48d5f63f869232f9e6d69f9cdc8a5c93f39de09a925

  • memory/336-122-0x0000000000EF0000-0x0000000000F02000-memory.dmp (72KB)
  • memory/588-207-0x0000000000400000-0x0000000000448000-memory.dmp (288KB)
  • memory/1068-60-0x0000000000400000-0x000000000040B000-memory.dmp (44KB)
  • memory/1068-62-0x0000000000400000-0x000000000040B000-memory.dmp (44KB)
  • memory/1068-58-0x0000000000400000-0x000000000040B000-memory.dmp (44KB)
  • memory/1068-56-0x0000000000400000-0x000000000040B000-memory.dmp (44KB)
  • memory/1068-54-0x0000000000400000-0x000000000040B000-memory.dmp (44KB)
  • memory/1068-69-0x0000000000400000-0x000000000040B000-memory.dmp (44KB)
  • memory/1068-64-0x0000000000400000-0x000000000040B000-memory.dmp (44KB)
  • memory/1068-67-0x0000000000400000-0x000000000040B000-memory.dmp (44KB)
  • memory/1068-71-0x0000000000400000-0x000000000040B000-memory.dmp (44KB)
  • memory/2128-134-0x0000000000400000-0x0000000000448000-memory.dmp (288KB)
  • memory/2320-9-0x0000000000400000-0x00000000004BE000-memory.dmp (760KB)
  • memory/2320-15-0x0000000000400000-0x00000000004BE000-memory.dmp (760KB)
  • memory/2320-14-0x0000000000400000-0x00000000004BE000-memory.dmp (760KB)
  • memory/2320-12-0x0000000000400000-0x00000000004BE000-memory.dmp (760KB)
  • memory/2320-142-0x0000000000400000-0x00000000004BE000-memory.dmp (760KB)
  • memory/2320-4-0x0000000000400000-0x00000000004BE000-memory.dmp (760KB)
  • memory/2320-6-0x0000000000400000-0x00000000004BE000-memory.dmp (760KB)
  • memory/2320-7-0x000000007EFDE000-0x000000007EFDF000-memory.dmp (4KB)
  • memory/2320-338-0x0000000000400000-0x00000000004BE000-memory.dmp (760KB)
  • memory/2320-2-0x0000000000400000-0x00000000004BE000-memory.dmp (760KB)
  • memory/2324-93-0x0000000000400000-0x000000000041B000-memory.dmp (108KB)
  • memory/2324-86-0x0000000000400000-0x000000000041B000-memory.dmp (108KB)
  • memory/2324-82-0x0000000000400000-0x000000000041B000-memory.dmp (108KB)
  • memory/2324-84-0x0000000000400000-0x000000000041B000-memory.dmp (108KB)
  • memory/2324-88-0x0000000000400000-0x000000000041B000-memory.dmp (108KB)
  • memory/2324-90-0x0000000000400000-0x000000000041B000-memory.dmp (108KB)
  • memory/2324-96-0x0000000000400000-0x000000000041B000-memory.dmp (108KB)
  • memory/2940-97-0x0000000000180000-0x0000000000199000-memory.dmp (100KB)
  • memory/2940-102-0x0000000000180000-0x0000000000199000-memory.dmp (100KB)
  • memory/2940-107-0x0000000000180000-0x0000000000199000-memory.dmp (100KB)
  • memory/3000-206-0x0000000000400000-0x0000000000448000-memory.dmp (288KB)