Analysis
- max time kernel: 150s
- max time network: 136s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 01/08/2024, 23:33
Static task
- static1
Behavioral task
- behavioral1
  - Sample: 822bd98c92c935788e5494b030f463c1_JaffaCakes118.exe
  - Resource: win7-20240704-en
Behavioral task
- behavioral2
  - Sample: 822bd98c92c935788e5494b030f463c1_JaffaCakes118.exe
  - Resource: win10v2004-20240730-en
General
- Target: 822bd98c92c935788e5494b030f463c1_JaffaCakes118.exe
- Size: 274KB
- MD5: 822bd98c92c935788e5494b030f463c1
- SHA1: eb75dc52ca7399dc8e3bc0aefc816866ea3aa21f
- SHA256: 2db88ba99300bf2ac2cb84ee128c30f35b12aa45f8695e01cb17c26d79f3859e
- SHA512: 956d64846cbcfd96d6883ef04e9e52299a493938a3982bcad22a21c8da18207c46b97d206328e46c6ee0fad040eed8e881d7dda70cf5a40c3685a0d4cb998a02
- SSDEEP: 6144:ocfAOkuD6XenRzYOINC/vVYBnCiiXet9bdhVKeGA5LbW3Evn:ocWUnRgNgiBviXeXbdhV75LCUvn
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid / Process: 1436 cmd.exe
- Executes dropped EXE (1 IoC)
  pid / Process: 2280 ebviiq.exe
- Loads dropped DLL (2 IoCs)
  pid / Process: 2940 822bd98c92c935788e5494b030f463c1_JaffaCakes118.exe (2 entries, same process)
- Adds Run key to start application (2 TTPs, 1 IoC)
  description / ioc / Process: Set value (str) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\{36F482E8-6FE9-AD4F-5F98-37194FCB1404} = "C:\\Users\\Admin\\AppData\\Roaming\\Wyre\\ebviiq.exe" | ebviiq.exe
- Suspicious use of SetThreadContext (1 IoC)
  description / pid / Process / procid_target: PID 2940 set thread context of 1436 | 2940 | 822bd98c92c935788e5494b030f463c1_JaffaCakes118.exe | 32
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description / ioc / Process:
  - Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 822bd98c92c935788e5494b030f463c1_JaffaCakes118.exe
  - Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
- Modifies Internet Explorer settings (signature name as listed for PID 2940 in the process tree)
  description / ioc / Process:
  - Key created | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Privacy | 822bd98c92c935788e5494b030f463c1_JaffaCakes118.exe
  - Set value (int) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0" | 822bd98c92c935788e5494b030f463c1_JaffaCakes118.exe
- Suspicious behavior: EnumeratesProcesses (31 IoCs)
  pid / Process: 2280 ebviiq.exe (31 entries, all from the same process)
- Suspicious use of UnmapMainImage (2 IoCs)
  pid / Process: 2940 822bd98c92c935788e5494b030f463c1_JaffaCakes118.exe; 2280 ebviiq.exe
- Suspicious use of WriteProcessMemory (38 IoCs)
  description / pid / Process / procid_target (identical entries grouped, with their count):
  - PID 2940 wrote to memory of 2280 | 2940 | 822bd98c92c935788e5494b030f463c1_JaffaCakes118.exe | 31 (4 entries)
  - PID 2280 wrote to memory of 1044 | 2280 | ebviiq.exe | 17 (5 entries)
  - PID 2280 wrote to memory of 1072 | 2280 | ebviiq.exe | 18 (5 entries)
  - PID 2280 wrote to memory of 1112 | 2280 | ebviiq.exe | 20 (5 entries)
  - PID 2280 wrote to memory of 1864 | 2280 | ebviiq.exe | 25 (5 entries)
  - PID 2280 wrote to memory of 2940 | 2280 | ebviiq.exe | 30 (5 entries)
  - PID 2940 wrote to memory of 1436 | 2940 | 822bd98c92c935788e5494b030f463c1_JaffaCakes118.exe | 32 (9 entries)
Processes (image, command line, PID; indentation shows the parent/child tree)
- C:\Windows\system32\Dwm.exe | "C:\Windows\system32\Dwm.exe" | PID:1044
- C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID:1072
  - C:\Users\Admin\AppData\Local\Temp\822bd98c92c935788e5494b030f463c1_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\822bd98c92c935788e5494b030f463c1_JaffaCakes118.exe" | PID:2940
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\Wyre\ebviiq.exe | "C:\Users\Admin\AppData\Roaming\Wyre\ebviiq.exe" | PID:2280
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of UnmapMainImage
      - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpd96a6648.bat" | PID:1436
      - Deletes itself
      - System Location Discovery: System Language Discovery
- C:\Windows\system32\taskhost.exe | "taskhost.exe" | PID:1112
- C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID:1864
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 271B
  MD5: 2dfae7351b4794995ac939c114b1d782
  SHA1: 20a8eca3b6aa3398c0d98493592e970ff204ff48
  SHA256: 21146e12e23e1c18cfc71f1420fb5310eb713a2eef1f4d7aeac50567fda34efd
  SHA512: cc89000317e95d0ab73ff29c43a42df23fa01a05ab75a72c46d60558d8336551d1b37df3a30496d7772ab338e41ca824b17bb1fb79a50ea1f4742e3e76f21afc
- Filesize: 274KB
  MD5: 0801c5ced079fd0875c04504d94633a9
  SHA1: 6e667e2f88e8c0b0601f9b07ba24e69425576f48
  SHA256: d97ebecc096152fe53db2ddcf00aa427b6e9097541b46eb29f18a0947ad501fa
  SHA512: 87f2d84812ee7e9eb3ed265c529497a701740c2a168307ac93cbd70b79c4b5b12cb02be9de3453099a57e7d9284e7b599d7da056e07b58ab2ea284ccaf7476d9