Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 121s
max time network: 123s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 26/07/2024, 16:29
Static task: static1
Behavioral task: behavioral1
Sample: 74d4a56cc18a6e84c02706ba4884c00e_JaffaCakes118.exe
Resource: win7-20240708-en
General
Target: 74d4a56cc18a6e84c02706ba4884c00e_JaffaCakes118.exe
Size: 152KB
MD5: 74d4a56cc18a6e84c02706ba4884c00e
SHA1: f3c8300e5bb4913c61cabfe0f080278d46c61850
SHA256: 5f90b124f1209fa7871d1024d0f0f618cd131006a1ca1718c4a2bbb93ea1cf07
SHA512: 3b90c34cfdfdf7b3e8cc09bd0f96c361ba6d56f86d686cc7e396ea4f15805d02e3bd0111051964c577103029205ecfe769cefe3be483485cadcf8ee17dd56f04
SSDEEP: 3072:3ckNHUjeZI2bKLrA4jk2SD1P3ASMog4pjTpVgsV5:pNSeW2bKL1aD1PPMoRjTpz5
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
Set value (int): \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" (process: 74d4a56cc18a6e84c02706ba4884c00e_JaffaCakes118.exe)
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
Set value (int): \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: 74d4a56cc18a6e84c02706ba4884c00e_JaffaCakes118.exe)
Together with HideFileExt = "1" above, this makes Explorer show a dropped executable without its .exe extension and keep files flagged hidden+system out of directory listings, which is the usual way removable-media malware hides its copies from the user.
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
File opened (read-only) by 74d4a56cc18a6e84c02706ba4884c00e_JaffaCakes118.exe, in the order recorded: \??\Y: \??\U: \??\T: \??\R: \??\Q: \??\P: \??\H: \??\W: \??\O: \??\N: \??\X: \??\V: \??\K: \??\J: \??\I: \??\G: \??\E: \??\Z: \??\S: \??\M: \??\L:
(21 drive letters: E: and G: through Z:. F: is absent here but receives an autorun.inf in the next signature.)
Drops autorun.inf file (1 TTP, 3 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
File opened for modification by 74d4a56cc18a6e84c02706ba4884c00e_JaffaCakes118.exe:
C:\autorun.inf
C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\CD Burning\autorun.inf
F:\autorun.inf
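The report records where the sample wrote autorun.inf (the root of C:, the root of F:, and the CD Burning staging folder, which on Windows 7 resolves to C:\Users\Admin\AppData\Local\Microsoft\CD Burning and is copied onto any disc the user burns) but not what it wrote. The following added example, not code from tria.ge or from the sample, is a small triage parser for the autorun.inf format that reports the directives which actually cause execution (open=, shellexecute=, shell\<verb>\command=) separately from the cosmetic ones (icon=, label=, action=) used to make the volume look like a harmless folder. The file body in SAMPLE_AUTORUN and the RECYCLER\setup.exe target are constructed for illustration.

```python
"""Triage an autorun.inf and report what AutoRun/AutoPlay would launch from it.

Added example for this report, not code from tria.ge or from the sample. The
report records only the three autorun.inf paths written, not their contents,
so the file body below is constructed to show the directives that matter.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Directives that execute a program when the volume is inserted or opened.
EXEC_KEYS = {"open", "shellexecute"}
# shell\<verb>\command=... defines what Explorer runs for a context-menu verb;
# shell=<verb> makes that verb the default double-click action.
SHELL_COMMAND = re.compile(r"^shell\\[^\\]+\\command$", re.IGNORECASE)
# Cosmetic keys used to make the volume look like a harmless folder or drive.
DISGUISE_KEYS = {"icon", "label", "action"}


@dataclass
class AutorunFindings:
    launch_targets: List[Tuple[str, str]] = field(default_factory=list)
    disguise: List[Tuple[str, str]] = field(default_factory=list)
    default_verb: Optional[str] = None


def parse_autorun(text: str) -> AutorunFindings:
    """Minimal INI walk over the [autorun] section; keys are case-insensitive."""
    findings = AutorunFindings()
    section = None
    for raw in text.lstrip("\ufeff").splitlines():   # tolerate a UTF-8 BOM
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        lkey = key.lower()
        if lkey in EXEC_KEYS or SHELL_COMMAND.match(lkey):
            findings.launch_targets.append((lkey, value))
        elif lkey == "shell":
            findings.default_verb = value.lower()
        elif lkey in DISGUISE_KEYS:
            findings.disguise.append((lkey, value))
    return findings


def is_suspicious(findings: AutorunFindings) -> bool:
    """Any launch directive is enough: icon/label alone never run code."""
    return bool(findings.launch_targets)


# Constructed sample; the report does not show what the sample actually wrote.
SAMPLE_AUTORUN = """\
[AutoRun]
; every entry point aimed at the same dropped binary (RECYCLER\\setup.exe is made up)
open=RECYCLER\\setup.exe
shell\\open\\Command=RECYCLER\\setup.exe
shell\\explore\\Command=RECYCLER\\setup.exe
shell=open
icon=%SystemRoot%\\system32\\SHELL32.dll,4
action=Open folder to view files
"""

if __name__ == "__main__":
    f = parse_autorun(SAMPLE_AUTORUN)
    print("suspicious:", is_suspicious(f))
    for directive, target in f.launch_targets:
        print(f"  {directive} -> {target}")
    print("  default verb:", f.default_verb, "| disguise:", f.disguise)
```

One caveat when reading this signature on a Windows 7 image: since update KB971029 Windows 7 ignores autorun.inf on USB and other non-optical removable media, so the F:\autorun.inf drop only propagates if the target machine is unpatched, while the copy staged in the CD Burning folder still works on any disc burned from it.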
Drops file in Program Files directory (8 IoCs)
File opened for modification by 74d4a56cc18a6e84c02706ba4884c00e_JaffaCakes118.exe (8.3 short names; the process tree below resolves the same directory as C:\Program Files (x86)\Microsoft Office\Office14):
C:\PROGRA~2\MICROS~1\OFFICE14\MSACCESS.EXE
C:\PROGRA~2\MICROS~1\OFFICE14\MSPUB.EXE
C:\PROGRA~2\MICROS~1\OFFICE14\OIS.EXE
C:\PROGRA~2\MICROS~1\OFFICE14\ONENOTE.EXE
C:\PROGRA~2\MICROS~1\OFFICE14\OUTLOOK.EXE
C:\PROGRA~2\MICROS~1\OFFICE14\EXCEL.EXE
C:\PROGRA~2\MICROS~1\OFFICE14\GROOVE.EXE
C:\PROGRA~2\MICROS~1\OFFICE14\INFOPATH.EXE
Note that every target is an existing Office executable opened for write, not a new file: check the on-disk hashes of these binaries against known-good values before trusting the "drops file" label.
Drops file in Windows directory (1 IoC)
File opened for modification: C:\Windows\Debug\WIA\wiatrace.log (process: winword.exe)
This is the Windows Image Acquisition trace log, commonly written when an Office application initialises imaging support; it is not evidence of the sample dropping anything.
Program crash (1 IoC)
pid 2760 (WerFault.exe), pid_target 2628, procid_target 30
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 74d4a56cc18a6e84c02706ba4884c00e_JaffaCakes118.exe)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: winword.exe)
winword.exe trips the same rule, which shows how weak this signal is on its own.
Office loads VBA resources, possible macro or embedded object present (no IoCs listed)
Suspicious behavior: AddClipboardFormatListener (1 IoC)
PID 2864 winword.exe
Suspicious behavior: EnumeratesProcesses (1 IoC)
PID 2628 74d4a56cc18a6e84c02706ba4884c00e_JaffaCakes118.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
PID 2864 winword.exe (2 events)
Suspicious use of WriteProcessMemory (12 IoCs)
PID 2628 (74d4a56cc18a6e84c02706ba4884c00e_JaffaCakes118.exe) wrote to memory of PID 2864, procid_target 31 (4 events)
PID 2628 (74d4a56cc18a6e84c02706ba4884c00e_JaffaCakes118.exe) wrote to memory of PID 2760, procid_target 32 (4 events)
PID 2864 (winword.exe) wrote to memory of PID 2656, procid_target 34 (4 events)
Each pid pair is a parent/child edge in the process tree below. A parent writing into a child it has just created is expected during process start-up, so these entries alone are not evidence of code injection.
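The signatures above are each a rule over one kind of sandbox event: a registry write, a read-only open of a drive root, a write to a file, a cross-process memory write. The following added example (not tria.ge's rule engine; the (process, event_type, detail) schema and the MIN_DRIVES threshold are assumed for the example) re-derives the report's behavioural signatures from an event list constructed from the IoCs printed above, so the thresholds and matching logic are visible rather than implied by the labels.

```python
"""Re-derive the behavioural signatures in this report from raw sandbox events.

Added example: this is not tria.ge's rule engine, and the event schema
(process, event_type, detail) is assumed for the example. EVENTS is
constructed from the IoC tables printed in the report above.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

Event = Tuple[str, str, str]  # (process name, event type, detail)
SAMPLE = "74d4a56cc18a6e84c02706ba4884c00e_JaffaCakes118.exe"
HKCU_ADV = (r"\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000"
            r"\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced")
OFFICE14 = r"C:\PROGRA~2\MICROS~1\OFFICE14"

# Constructed from the report's IoC tables (same paths and values as listed there).
EVENTS: List[Event] = (
    [(SAMPLE, "reg_set", HKCU_ADV + r'\HideFileExt = "1"'),
     (SAMPLE, "reg_set", HKCU_ADV + r'\ShowSuperHidden = "0"')]
    + [(SAMPLE, "file_open_ro", "\\??\\" + d + ":") for d in "YUTRQPHWONXVKJIGEZSML"]
    + [(SAMPLE, "file_modify", r"C:\autorun.inf"),
       (SAMPLE, "file_modify", r"C:\Documents and Settings\Admin\Local Settings"
                               r"\Application Data\Microsoft\CD Burning\autorun.inf"),
       (SAMPLE, "file_modify", r"F:\autorun.inf")]
    + [(SAMPLE, "file_modify", OFFICE14 + "\\" + exe) for exe in
       ("MSACCESS.EXE", "MSPUB.EXE", "OIS.EXE", "ONENOTE.EXE",
        "OUTLOOK.EXE", "EXCEL.EXE", "GROOVE.EXE", "INFOPATH.EXE")]
    + [("winword.exe", "file_modify", r"C:\Windows\Debug\WIA\wiatrace.log"),
       (SAMPLE, "wpm", "2864 winword.exe"),
       (SAMPLE, "wpm", "2760 WerFault.exe"),
       ("winword.exe", "wpm", "2656 splwow64.exe")]
)

# Explorer\Advanced values that hide extensions (HideFileExt=1) or
# hidden+system files (ShowSuperHidden=0); other values of the same keys are benign.
EXPLORER_HIDE = re.compile(
    r"\\Explorer\\Advanced\\(HideFileExt|ShowSuperHidden)\s*=\s*\"?([01])\"?\s*$", re.I)
DRIVE_ROOT = re.compile(r"^\\\?\?\\([A-Z]):$", re.I)          # \??\X:
PROGRAM_FILES_EXE = re.compile(
    r"^[A-Z]:\\(PROGRA~\d|Program Files( \(x86\))?)\\.*\.exe$", re.I)
MIN_DRIVES = 3   # drive roots (other than C:) before we call it enumeration; assumed


def evaluate(events: List[Event]) -> Dict[str, List[Tuple[str, str]]]:
    """Map signature name -> list of (process, evidence) pairs."""
    hits: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    drives_per_proc: Dict[str, set] = defaultdict(set)
    for proc, kind, detail in events:
        if kind == "reg_set":
            m = EXPLORER_HIDE.search(detail)
            if m and (m.group(1).lower(), m.group(2)) in {("hidefileext", "1"),
                                                          ("showsuperhidden", "0")}:
                hits["explorer_hides_extensions_or_hidden_files"].append((proc, detail))
        elif kind == "file_open_ro":
            m = DRIVE_ROOT.match(detail)
            if m and m.group(1).upper() != "C":
                drives_per_proc[proc].add(m.group(1).upper())
        elif kind == "file_modify":
            if detail.lower().endswith("\\autorun.inf"):
                hits["drops_autorun_inf"].append((proc, detail))
            elif PROGRAM_FILES_EXE.match(detail):
                hits["modifies_program_files_executable"].append((proc, detail))
        elif kind == "wpm":
            hits["cross_process_write"].append((proc, detail))
    for proc, drives in drives_per_proc.items():
        if len(drives) >= MIN_DRIVES:
            hits["enumerates_connected_drives"].append((proc, "".join(sorted(drives))))
    return dict(hits)


def worm_indicators(hits: Dict[str, List[Tuple[str, str]]]) -> List[str]:
    """Heuristic (assumed for the example): the three behaviours that together
    characterise removable-media worms, listed so the caller sees which are present."""
    wanted = ("enumerates_connected_drives", "drops_autorun_inf",
              "explorer_hides_extensions_or_hidden_files")
    return [name for name in wanted if name in hits]


if __name__ == "__main__":
    result = evaluate(EVENTS)
    for name, evidence in sorted(result.items()):
        print(f"{name}: {len(evidence)} IoC(s)")
        for proc, detail in evidence[:3]:
            print(f"    {proc}: {detail}")
    print("worm indicators present:", worm_indicators(result))
```

The drive-enumeration rule is deliberately per-process and thresholded: a single open of D: by a document viewer is normal, 21 roots from one process is not. The Program Files rule keys on an existing .exe being opened for write, which is the part of the "Drops file" signature that actually matters for a possible file infector.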
Processes
1. C:\Users\Admin\AppData\Local\Temp\74d4a56cc18a6e84c02706ba4884c00e_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\74d4a56cc18a6e84c02706ba4884c00e_JaffaCakes118.exe"
   PID: 2628
   - Modifies visibility of file extensions in Explorer
   - Modifies visibility of hidden/system files in Explorer
   - Enumerates connected drives
   - Drops autorun.inf file
   - Drops file in Program Files directory
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   2. C:\Program Files (x86)\Microsoft Office\Office14\winword.exe
      Command line: "C:\Program Files (x86)\Microsoft Office\Office14\winword.exe"
      PID: 2864
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\splwow64.exe
         Command line: C:\Windows\splwow64.exe 12288
         PID: 2656
         (the 32-bit to 64-bit print spooler thunking helper that 32-bit Office routinely starts; launched by winword.exe, not by the sample)
   2. C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2628 -s 312
      PID: 2760
      - Program crash
      (Windows Error Reporting invoked for PID 2628: the sample itself crashed after launching winword.exe, so behaviour after that point is absent from this run)
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
Filesize: 19KB
MD5: d196b35c63a334ad43f17ac04a9de5bb
SHA1: 8e052ad30fba2d311687e453bdc7a28740cc4988
SHA256: d37ad29cb4520f49c9067c0ee99b8abee5bd7e44a96c1ac97bb8938f346461bc
SHA512: 181f19cd2882684cebce171e18a83f693cfafef2d270f14fc27c38250550607de30d87c42642b05dd7a6656b06d6a85de583d586e6ecb06aaf9bff7abe0a1803
File 2
Filesize: 126B
MD5: 163e20cbccefcdd42f46e43a94173c46
SHA1: 4c7b5048e8608e2a75799e00ecf1bbb4773279ae
SHA256: 7780bee9df142a17e0457f3dcb2788b50fc2792370089335597d33719126fb7e
SHA512: e5ac0ff6b087857799ab70f68067c9dc73eeb93ccfcad87047052380b95ade3e6eb2a7d01a0f850d548a39f4b1ebb60e299d603dbe25c31b9a3585b34a0c65a8
File 3 (same size as the submitted sample, different hashes)
Filesize: 152KB
MD5: d03850bfe9569d9f027e8d5e08176741
SHA1: 58df1615d8bf2b093036c400603cdb1cd45933b8
SHA256: fe84161c4ecd2f5da60d5fd8a45c7a0153ad7cd94b63d2757e35c4d529040f5b
SHA512: be8a224bb23c04d5aa6cb329b980ee222d7115e8a7e683a29224a20a4727b5b1ab6b0b5628c7e71d95d64b543fbcf1e11b3fde9e20e09642c50b5ad37f468708
File 4
Filesize: 151KB
MD5: aba4475e702a86ce8ab6b484056602c2
SHA1: 4b6fa3f13485f07b7b89f05a8352735edcd896c6
SHA256: b70f922d06473420a733f49f020c6516d81f19cdc873eae94fac11b3ad30cdb1
SHA512: 88b27c0a512a5c8f432b7bdb3d55fabf76f1be1bb70c47904217871db1da42843a8df9e43fb2ba9efc9aeee6896ce835a14bcfd345df5bb36833cb3d25832a39