Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
-
submitted
27/07/2024, 01:31
General
-
Target
768f867471ca6a6e234b182175edc733_JaffaCakes118.exe
-
Size
140KB
-
MD5
768f867471ca6a6e234b182175edc733
-
SHA1
07c5b7ef3e1606d15115890b5d07803f5d81e11b
-
SHA256
f3dbc037a91be139f33f7cd49d37e546cb58b7debf315fd3dee431b42daf73b4
-
SHA512
9f00fdc7d8a93e496c05a462fd241ebbabfb46d737bd188b2ce4eafb1009c20f02a4a256f9d32e54793e4c7d95d836ead5d23afecbf42d9aa13f38f0320ae6a6
-
SSDEEP
1536:O/+1z/tt6HurQ1I8Nzuek6IrqbOHQ9ocjjjb64Sh0NlL6C753u4vj7cmaMQyHXTN:OG1OHutQu0P6c7L75+4vXaM98qKnIfq
Malware Config
Signatures
-
Disables service(s) 3 TTPs
-
Modifies firewall policy service 3 TTPs 5 IoCs
-
Modifies Windows Firewall 2 TTPs 2 IoCs
-
Executes dropped EXE 2 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Windows directory 5 IoCs
-
Launches sc.exe 2 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
System Location Discovery: System Language Discovery 1 TTPs 13 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
-
Suspicious use of FindShellTrayWindow 25 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\768f867471ca6a6e234b182175edc733_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\768f867471ca6a6e234b182175edc733_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\768f867471ca6a6e234b182175edc733_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\768f867471ca6a6e234b182175edc733_JaffaCakes118.exe"2⤵
- Modifies firewall policy service
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram 1.exe 1 ENABLE3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
\??\c:\windows\csrss.exe"c:\windows\csrss.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\csrss.exe"c:\windows\csrss.exe"4⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram 1.exe 1 ENABLE5⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\net.exenet stop wuauserv5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop wuauserv6⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exenet stop MsMpSvc5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MsMpSvc6⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\sc.exesc config wuauserv start= disabled5⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\sc.exesc config MsMpSvc start= disabled5⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe http://browseusers.myspace.com/Browse/Browse.aspx3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://browseusers.myspace.com/Browse/Browse.aspx2⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcef5946f8,0x7ffcef594708,0x7ffcef5947183⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,4603382871910245215,5392053356454485419,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:23⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,4603382871910245215,5392053356454485419,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,4603382871910245215,5392053356454485419,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2816 /prefetch:83⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4603382871910245215,5392053356454485419,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4603382871910245215,5392053356454485419,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4603382871910245215,5392053356454485419,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4792 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4603382871910245215,5392053356454485419,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3496 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4603382871910245215,5392053356454485419,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5240 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,4603382871910245215,5392053356454485419,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3528 /prefetch:83⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,4603382871910245215,5392053356454485419,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3528 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4603382871910245215,5392053356454485419,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5852 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4603382871910245215,5392053356454485419,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5940 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4603382871910245215,5392053356454485419,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5128 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4603382871910245215,5392053356454485419,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5056 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,4603382871910245215,5392053356454485419,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4776 /prefetch:23⤵
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
3Windows Service
3Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
3Windows Service
3Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Impair Defenses
2Disable or Modify System Firewall
2Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD59622e603d436ca747f3a4407a6ca952e
SHA1297d9aed5337a8a7290ea436b61458c372b1d497
SHA256ace0e47e358fba0831b508cd23949a503ae0e6a5c857859e720d1b6479ff2261
SHA512f774c5c44f0fcdfb45847626f6808076dccabfbcb8a37d00329ec792e2901dc59636ef15c95d84d0080272571542d43b473ce11c2209ac251bee13bd611b200a
-
Filesize
152B
MD504b60a51907d399f3685e03094b603cb
SHA1228d18888782f4e66ca207c1a073560e0a4cc6e7
SHA25687a9d9f1bd99313295b2ce703580b9d37c3a68b9b33026fdda4c2530f562e6a3
SHA5122a8e3da94eaf0a6c4a2f29da6fec2796ba6a13cad6425bb650349a60eb3204643fc2fd1ab425f0251610cb9cce65e7dba459388b4e00c12ba3434a1798855c91
-
Filesize
240B
MD5a4158a1ae60483f032e407c5591ee2dc
SHA18a287dc6d0e1a8c0204199bc00ec6eb23730b84a
SHA256bdbe351ad8e0750391f1a7f03132ba673e9f83ff56ef65aed60237cd0b63f82d
SHA5122de92e800013bea8d604589762e786873d4aa1e3e8b48d4004069bed26cdd5ff94b93a10999413a01b1b112d1ca17093a44172cdf38ecbff30e21860d002b4c4
-
Filesize
1KB
MD521ba3ad189d726f30608e85fc35b1696
SHA1a22e63f82f067b38cadaf5b8aab446b6b3eee0ab
SHA25619944ebf08bed046e6d905508fe5b3a393e1c894a40c81290f54fb3c51f63b88
SHA512f2d43d1c9551f86f60a89cc47306d44b8663302fea2c33a01a23e76c3c60dc7725939149ba375141c1ff7aba9b9d0840b03dfc983b8341e79eee282f1c11f2a5
-
Filesize
5KB
MD569300124b23cb8854bb19f24e9cc4343
SHA1d7580ab5aa3060291a612fbe914beb82eb6c5d35
SHA25663b602213a8114e10cf9f0f25b2a1ea6c8249468a99492997a05cafeadb43bdb
SHA512cff7aee2bdb895a9afeff62fa4fc099a9389daae5336fbcf4e86ba11783a65780e47e7235133e1ece729df86f24f27af676f4bfef6f8e6f0f4955c8fae5ba368
-
Filesize
7KB
MD54a4a3b522782181446636fd3cca69faf
SHA1258b93979cba2ffc538a91604b7efab8f1e54752
SHA25665ccedfc9a7a8302e31f19c186fc554a1d4b74aab8ee78f0e3187ce24b462dcd
SHA5128407c6211aef5e3ce6361f360518560cf7030c6d371f255168527c26804c5c20c44d140a1d7c2b65fd782c369919152a4bf0d99ecec8f11afc945f9da63760e4
-
Filesize
7KB
MD5bff14467976491741fa455aeccfc3e60
SHA1c3e2cd3f7fe1795578cec8f8b2b7520748fc0450
SHA2567913aaf7ac9dd957952c84c1398dbaa7be9c076ec57fa87908ccd1d7cdbad26e
SHA5120f936de2188f6df95b6dda062418dce69eb0a0a7a5057cfa57d1833dd6a3ebc8a884a845f9139f7b2e090d2c7936f78092f293ddb449b7c68cd586c8303abb4e
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
10KB
MD5ae796df9c9141ccfd02c2f4522be963b
SHA10194e5abaaa16006d3095d61f2edb43641f78e56
SHA256e0cfee9a30b03e6fa7b50e663bdb0afcc07e3f8156fe1068139ca5ea2ca10129
SHA5124482ae693d6c00544ace6f32e40cbaad79cbe1c196e719819fd6df0611011de02fa2775a7c93ea884de374412a64d859638091d1c26666fc8c988bdd353fefe9
-
Filesize
140KB
MD5768f867471ca6a6e234b182175edc733
SHA107c5b7ef3e1606d15115890b5d07803f5d81e11b
SHA256f3dbc037a91be139f33f7cd49d37e546cb58b7debf315fd3dee431b42daf73b4
SHA5129f00fdc7d8a93e496c05a462fd241ebbabfb46d737bd188b2ce4eafb1009c20f02a4a256f9d32e54793e4c7d95d836ead5d23afecbf42d9aa13f38f0320ae6a6
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB