Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 148s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 02/08/2024, 06:06
Static task: static1
Behavioral task: behavioral1
- Sample: 834e4fb336d864affdd5a03d7a930905_JaffaCakes118.exe
- Resource: win7-20240708-en
Behavioral task: behavioral2
- Sample: 834e4fb336d864affdd5a03d7a930905_JaffaCakes118.exe
- Resource: win10v2004-20240730-en
General
- Target: 834e4fb336d864affdd5a03d7a930905_JaffaCakes118.exe
- Size: 156KB
- MD5: 834e4fb336d864affdd5a03d7a930905
- SHA1: 4a09c7569aa4a3fcc5a862b2a1b795047d8cf7f9
- SHA256: 312efa97a99740c006036a7771bc29ded76709e61f285cfee5c2f1caf52da694
- SHA512: 1541fbc193a6765f020c99eb983c03f93258394055a688bbb6b372135bdccb809843169205e38ede2f0b36ebd5ce9aba3b8ee98d155f3ef17f14ff39d2c7e166
- SSDEEP: 3072:Y6AOL9lqh+NzQ7Ql5YLrPcb+T9loA9wHzWO9Hmlk1njaT:Y6AuVNAQrWcUoA9wT7kkV
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  pid 2604, process iexplore.exe
  pid 2252, process iexplore.exe
- Loads dropped DLL (2 IoCs)
  pid 2524, process cmd.exe
  pid 2524, process cmd.exe
- Adds Run key to start application (2 TTPs, 8 IoCs)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Internet Explorer Resources = "C:\\Users\\Admin\\AppData\\Roaming\\iexplore.œ" (process iexplore.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\Internet Explorer Resources = "C:\\Users\\Admin\\AppData\\Roaming\\iexplore.\x18" (process iexplore.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Internet Explorer Resources = "C:\\Users\\Admin\\AppData\\Roaming\\{admin}\\iexplore.exe" (process iexplore.exe)
  Key deleted: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run (process 834e4fb336d864affdd5a03d7a930905_JaffaCakes118.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Internet Explorer Resources = "C:\\Users\\Admin\\AppData\\Roaming\\iexplore.\u00a0" (process 834e4fb336d864affdd5a03d7a930905_JaffaCakes118.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\Internet Explorer Resources = "C:\\Users\\Admin\\AppData\\Roaming\\iexplore.˜" (process 834e4fb336d864affdd5a03d7a930905_JaffaCakes118.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Internet Explorer Resources = "C:\\Users\\Admin\\AppData\\Roaming\\{admin}\\iexplore.exe" (process 834e4fb336d864affdd5a03d7a930905_JaffaCakes118.exe)
  Key deleted: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run (process iexplore.exe)
- Suspicious use of SetThreadContext (2 IoCs)
  PID 2672 set thread context of 2764: pid 2672, process 834e4fb336d864affdd5a03d7a930905_JaffaCakes118.exe, procid_target 31
  PID 2604 set thread context of 2252: pid 2604, process iexplore.exe, procid_target 37
- System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process 834e4fb336d864affdd5a03d7a930905_JaffaCakes118.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process 834e4fb336d864affdd5a03d7a930905_JaffaCakes118.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process cmd.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process cmd.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process iexplore.exe)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Token: 33, pid 2764, process 834e4fb336d864affdd5a03d7a930905_JaffaCakes118.exe
  Token: SeIncBasePriorityPrivilege, pid 2764, process 834e4fb336d864affdd5a03d7a930905_JaffaCakes118.exe
  Token: 33, pid 2252, process iexplore.exe
  Token: SeIncBasePriorityPrivilege, pid 2252, process iexplore.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid 2672, process 834e4fb336d864affdd5a03d7a930905_JaffaCakes118.exe
  pid 2604, process iexplore.exe
- Suspicious use of WriteProcessMemory (30 IoCs; identical rows collapsed with their repeat count)
  PID 2672 wrote to memory of 2764: pid 2672, process 834e4fb336d864affdd5a03d7a930905_JaffaCakes118.exe, procid_target 31 (9 times)
  PID 2764 wrote to memory of 2820: pid 2764, process 834e4fb336d864affdd5a03d7a930905_JaffaCakes118.exe, procid_target 32 (4 times)
  PID 2764 wrote to memory of 2524: pid 2764, process 834e4fb336d864affdd5a03d7a930905_JaffaCakes118.exe, procid_target 34 (4 times)
  PID 2524 wrote to memory of 2604: pid 2524, process cmd.exe, procid_target 36 (4 times)
  PID 2604 wrote to memory of 2252: pid 2604, process iexplore.exe, procid_target 37 (9 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\834e4fb336d864affdd5a03d7a930905_JaffaCakes118.exe (PID 2672, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\834e4fb336d864affdd5a03d7a930905_JaffaCakes118.exe"
  Signatures: Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\834e4fb336d864affdd5a03d7a930905_JaffaCakes118.exe (PID 2764, depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\834e4fb336d864affdd5a03d7a930905_JaffaCakes118.exe
    Signatures: Adds Run key to start application; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 2820, depth 3)
      Command line: cmd /c C:\JBORE.bat
      Signatures: System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\cmd.exe (PID 2524, depth 3)
      Command line: cmd /c C:\RMBEG.bat
      Signatures: Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Roaming\{admin}\iexplore.exe (PID 2604, depth 4)
        Command line: "C:\Users\Admin\AppData\Roaming\{admin}\iexplore.exe"
        Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Roaming\{admin}\iexplore.exe (PID 2252, depth 5)
          Command line: C:\Users\Admin\AppData\Roaming\{admin}\iexplore.exe
          Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 145B
  MD5: c33f56c62e07c5b69fb4a1f181a3bec4
  SHA1: e736a92c32f330a35f5efdf4fe938f9b10f3fe68
  SHA256: 008c1aaf5af78b882282f256f276883aa9a152b9c71ab990fb79ff7d0368e93d
  SHA512: 7c32f47f06cdc5248261830dca62adb5be5a0bfa5724eee294702b439b69507fd33ee8dc50ef97994bb9571a51ddde32e1ce1b70a4b69a89f26b1ff02075ff0a
- Filesize: 53B
  MD5: 717473935c780a6d872923e441179ad0
  SHA1: e52edaa1fb65498fd7f9cfab709e89bf4e6e9d91
  SHA256: ae6d39e6b875d9ad0e3726f0e76dcc1694987a10630b42641998929e8361a116
  SHA512: 553a250edf1458e298c319db622c26a49cdab873b92dcd44970f86e407b38c44478cb870683c7fad7e863d29c30a483d47c0e5ac486bb11c03ba76ce16c3dd40
- Filesize: 156KB
  MD5: 834e4fb336d864affdd5a03d7a930905
  SHA1: 4a09c7569aa4a3fcc5a862b2a1b795047d8cf7f9
  SHA256: 312efa97a99740c006036a7771bc29ded76709e61f285cfee5c2f1caf52da694
  SHA512: 1541fbc193a6765f020c99eb983c03f93258394055a688bbb6b372135bdccb809843169205e38ede2f0b36ebd5ce9aba3b8ee98d155f3ef17f14ff39d2c7e166