Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 150s
max time network: 124s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 26/07/2024, 19:49
Static task: static1
Behavioral task: behavioral1
  Sample: 757890834362fdd5a0335667192b9266_JaffaCakes118.exe
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: 757890834362fdd5a0335667192b9266_JaffaCakes118.exe
  Resource: win10v2004-20240709-en
General
Target: 757890834362fdd5a0335667192b9266_JaffaCakes118.exe
Size: 3.4MB
MD5: 757890834362fdd5a0335667192b9266
SHA1: 17c4b9bed61dc54fd04509a3d3bc36e6ee27ba4b
SHA256: 229558dc23ef25b30520260dc82ff282bf8f51c9423f0a2a7079fe955643ce69
SHA512: e443a20bf95379480951661f65b19bb655b5a191f138ce854cc9f40592834dfafe086aba5ee7a5b4741b6318f30099c1134c307ef0fbadc42d11b16b85a8f4ee
SSDEEP: 49152:lIr7GGaITDEZxISJJCLZGhUcwM7FVSR0S67b8pbhpkjJY7X1XuYfrKrboYgOs:LZxT6cwU/zSbbhAJYr1XuYfrCYOs
Malware Config
Signatures
Server Software Component: Terminal Services DLL (1 TTPs, 3 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Minhdder\ParameteRS\ServiceDll = "%SystemRoot%\\System32\\skfloo.dll" | 1.exe
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet002\services\Minhdder\ParameteRS\ServiceDll = "%SystemRoot%\\System32\\skfloo.dll" | 1.exe
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\Minhdder\ParameteRS\ServiceDll = "%SystemRoot%\\System32\\skfloo.dll" | 1.exe

Executes dropped EXE (2 IoCs)
  pid | Process
  2936 | 1.exe
  2208 | 2.exe

Loads dropped DLL (2 IoCs)
  pid | Process
  2936 | 1.exe
  1888 | svchost.exe

Drops file in System32 directory (3 IoCs)
  description | ioc | Process
  File created | C:\Windows\SysWOW64\ 5700d.001 | 1.exe
  File created | C:\Windows\SysWOW64\skfloo.dll | 1.exe
  File created | C:\Windows\SysWOW64\skfloo.sys | 1.exe

Drops file in Windows directory (7 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\1.vbs | 757890834362fdd5a0335667192b9266_JaffaCakes118.exe
  File created | C:\Windows\__tmp_rar_sfx_access_check_259466494 | 757890834362fdd5a0335667192b9266_JaffaCakes118.exe
  File created | C:\Windows\1.exe | 757890834362fdd5a0335667192b9266_JaffaCakes118.exe
  File opened for modification | C:\Windows\1.exe | 757890834362fdd5a0335667192b9266_JaffaCakes118.exe
  File created | C:\Windows\2.exe | 757890834362fdd5a0335667192b9266_JaffaCakes118.exe
  File opened for modification | C:\Windows\2.exe | 757890834362fdd5a0335667192b9266_JaffaCakes118.exe
  File created | C:\Windows\1.vbs | 757890834362fdd5a0335667192b9266_JaffaCakes118.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 7 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 757890834362fdd5a0335667192b9266_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid | Process
  2208 | 2.exe

Suspicious behavior: LoadsDriver (1 IoCs)
  pid | Process
  476 | Process not Found

Suspicious use of SetWindowsHookEx (3 IoCs)
  pid | Process
  1888 | svchost.exe
  1888 | svchost.exe
  1888 | svchost.exe

Suspicious use of WriteProcessMemory (20 IoCs)
  description | pid | Process | procid_target
  PID 1708 wrote to memory of 2856 | 1708 | 757890834362fdd5a0335667192b9266_JaffaCakes118.exe | 30
  PID 1708 wrote to memory of 2856 | 1708 | 757890834362fdd5a0335667192b9266_JaffaCakes118.exe | 30
  PID 1708 wrote to memory of 2856 | 1708 | 757890834362fdd5a0335667192b9266_JaffaCakes118.exe | 30
  PID 1708 wrote to memory of 2856 | 1708 | 757890834362fdd5a0335667192b9266_JaffaCakes118.exe | 30
  PID 2856 wrote to memory of 2688 | 2856 | WScript.exe | 31
  PID 2856 wrote to memory of 2688 | 2856 | WScript.exe | 31
  PID 2856 wrote to memory of 2688 | 2856 | WScript.exe | 31
  PID 2856 wrote to memory of 2688 | 2856 | WScript.exe | 31
  PID 2856 wrote to memory of 3024 | 2856 | WScript.exe | 33
  PID 2856 wrote to memory of 3024 | 2856 | WScript.exe | 33
  PID 2856 wrote to memory of 3024 | 2856 | WScript.exe | 33
  PID 2856 wrote to memory of 3024 | 2856 | WScript.exe | 33
  PID 2688 wrote to memory of 2936 | 2688 | cmd.exe | 35
  PID 2688 wrote to memory of 2936 | 2688 | cmd.exe | 35
  PID 2688 wrote to memory of 2936 | 2688 | cmd.exe | 35
  PID 2688 wrote to memory of 2936 | 2688 | cmd.exe | 35
  PID 3024 wrote to memory of 2208 | 3024 | cmd.exe | 36
  PID 3024 wrote to memory of 2208 | 3024 | cmd.exe | 36
  PID 3024 wrote to memory of 2208 | 3024 | cmd.exe | 36
  PID 3024 wrote to memory of 2208 | 3024 | cmd.exe | 36
Processes

C:\Users\Admin\AppData\Local\Temp\757890834362fdd5a0335667192b9266_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\757890834362fdd5a0335667192b9266_JaffaCakes118.exe"
  PID: 1708
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\WINDOWS\1.vbs"
    PID: 2856
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c 1.exe
      PID: 2688
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\WINDOWS\1.exe
        Command line: 1.exe
        PID: 2936
        - Server Software Component: Terminal Services DLL
        - Executes dropped EXE
        - Loads dropped DLL
        - Drops file in System32 directory
        - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c 2.exe
      PID: 3024
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\WINDOWS\2.exe
        Command line: 2.exe
        PID: 2208
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: GetForegroundWindowSpam

C:\Windows\SysWOW64\svchost.exe
  Command line: C:\Windows\SysWOW64\svchost.exe -k Minhdder
  PID: 1888
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 69KB
MD5: 432652519654357dd6550320f2c636b4
SHA1: ee0df6ac1b21b0f85fa264cf3285c11a82528d0f
SHA256: 34d12e38b2c31b85ea5fd0a76a28f9b7c2347c2b8abf7465eb0489875e0ea42d
SHA512: 64c201bccda1cc001a477d1ac279e18c11dacb7530f0723e547bf3c4397a706f98dde14a4e62d7303a591545e84713ee00df8a6f589f87d7806c27b3b4ada922

Filesize: 98B
MD5: 519bc6ba1dee20d7b8ec37d6a8e93cad
SHA1: d82348921cd64d006d096765434180ba66c81e12
SHA256: 85e8d49f9921b5352c2e1f5300d26776683b98798cbb5572b6a520c4f6ed8467
SHA512: 2ae1d66c7c5cffd053ef1cd8a220f8e268d8c24e11288aca142f4b1a28577e201ecd7898eb2e8c65d6b1f766eef6f6f99066380e0aae0c616854ab43662a0dbf

Filesize: 3.3MB
MD5: d0f78b68a8171c54a0760bb0ae7bb174
SHA1: 2e281788cb63f347718f420b245a7db00b56b8ea
SHA256: 5d7ba8d7e359c837234039b6ff1b34fad0a288f91b66918fcc66002392e5e140
SHA512: 9c75c7bcaa2a47b488742553820ede72edf7218bbb326c667542826235dd8ddd56f876520725b9168abc7e15954cc9a4c9dc60a28a37853775cd3adf62496843

Filesize: 104KB
MD5: 78da1c202095a2d96a9d8576a11147fe
SHA1: 22847e4e26cea039f5a2a0850bfe8694bba9bcc3
SHA256: ada8d9d4570dc420e7a6ac03f6ec870eb89bd68c2b1ac163b7b5603ff53c7d86
SHA512: 65829b8439bf44a2247d7e3295d798ea6633319ce45238eb38a539abb3466b23647e716f995713f97b7920d0e8e6c4ed0c32faa9e7be2857e1ad462c34439f01