Analysis
- max time kernel: 150s
- max time network: 140s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 02/08/2024, 06:33
Static task: static1
Behavioral task: behavioral1
- Sample: 835fdef0d790de30bd378772b3df274f_JaffaCakes118.exe
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: 835fdef0d790de30bd378772b3df274f_JaffaCakes118.exe
- Resource: win10v2004-20240730-en
General
- Target: 835fdef0d790de30bd378772b3df274f_JaffaCakes118.exe
- Size: 294KB
- MD5: 835fdef0d790de30bd378772b3df274f
- SHA1: 26c6739a4383fd3c63e9ec824983abce5ee69240
- SHA256: 9b88b7a099f6baf08736671da110c0f8818f49b76084d047dde6842719205d1f
- SHA512: e7a53b2c4072bc9c4ee5bb861d9895f0df0245f1a13fb886359b37f70a18c909ec59e1b4cbfc92cd95cce870b74c0ec17be15eab1e095d223cad45bf5f67a676
- SSDEEP: 6144:ogOMMB7FAFJh6ydWE5h9wGajkc9Yw++MXZBB8alTRTLsdJ:o8q7FAsyD5kGa7DMJBBj3XsdJ
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid 3008, process cmd.exe
- Executes dropped EXE (1 IoC)
  pid 1528, process afef.exe
- Loads dropped DLL (2 IoCs)
  pid 2476, process 835fdef0d790de30bd378772b3df274f_JaffaCakes118.exe (2 entries)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\{75DA6328-6F30-AD4F-96DD-2BAD86C808B0} = "C:\\Users\\Admin\\AppData\\Roaming\\Awanky\\afef.exe" (process afef.exe)
- Suspicious use of SetThreadContext (1 IoC)
  PID 2476 set thread context of 3008 (process 835fdef0d790de30bd378772b3df274f_JaffaCakes118.exe, procid_target 30)
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process 835fdef0d790de30bd378772b3df274f_JaffaCakes118.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process afef.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process cmd.exe)
- Modifies Internet Explorer settings
  Key created: \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Privacy (process 835fdef0d790de30bd378772b3df274f_JaffaCakes118.exe)
  Set value (int): \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0" (process 835fdef0d790de30bd378772b3df274f_JaffaCakes118.exe)
- Suspicious behavior: EnumeratesProcesses (31 IoCs)
  pid 1528, process afef.exe (31 entries)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeSecurityPrivilege, pid 2476, process 835fdef0d790de30bd378772b3df274f_JaffaCakes118.exe (3 entries)
- Suspicious use of UnmapMainImage (2 IoCs)
  pid 2476, process 835fdef0d790de30bd378772b3df274f_JaffaCakes118.exe
  pid 1528, process afef.exe
- Suspicious use of WriteProcessMemory (38 IoCs)
  PID 2476 wrote to memory of 1528 (process 835fdef0d790de30bd378772b3df274f_JaffaCakes118.exe, procid_target 29), 4 entries
  PID 1528 wrote to memory of 1120 (process afef.exe, procid_target 18), 5 entries
  PID 1528 wrote to memory of 1188 (process afef.exe, procid_target 19), 5 entries
  PID 1528 wrote to memory of 1252 (process afef.exe, procid_target 20), 5 entries
  PID 1528 wrote to memory of 1464 (process afef.exe, procid_target 22), 5 entries
  PID 1528 wrote to memory of 2476 (process afef.exe, procid_target 28), 5 entries
  PID 2476 wrote to memory of 3008 (process 835fdef0d790de30bd378772b3df274f_JaffaCakes118.exe, procid_target 30), 9 entries
Processes
- C:\Windows\system32\taskhost.exe
  command line: "taskhost.exe"
  PID: 1120
- C:\Windows\system32\Dwm.exe
  command line: "C:\Windows\system32\Dwm.exe"
  PID: 1188
- C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  PID: 1252
  - C:\Users\Admin\AppData\Local\Temp\835fdef0d790de30bd378772b3df274f_JaffaCakes118.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\835fdef0d790de30bd378772b3df274f_JaffaCakes118.exe"
    PID: 2476
    signatures:
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\Awanky\afef.exe
      command line: "C:\Users\Admin\AppData\Roaming\Awanky\afef.exe"
      PID: 1528
      signatures:
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of UnmapMainImage
      - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpbbcceea7.bat"
      PID: 3008
      signatures:
      - Deletes itself
      - System Location Discovery: System Language Discovery
- C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID: 1464
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 271B
  MD5: 70d65de5bf1db6f7f1d85acbf293e320
  SHA1: 8bc3a62fd6dfb79df94ec50e37f3a8aed9d4b4ff
  SHA256: 8e55a04586375f8db3557d62a24bdea70a03768211de50f96dedafe7076553c5
  SHA512: 6a9183373de82d8a4735da28e0803f7a3b5cb805968f483b77fff546e3168b9b4590e715feebc702fd7780441ca762028f1e65f254e25c20b2fa81d9b8e8edac
- Filesize: 380B
  MD5: 38cb02ed45fa2c8ab86decd89ed1dc65
  SHA1: 3c80a50fbbff6471a55cc32fe261178941dd6493
  SHA256: 05bc0239717ef717d5a0d256eae67198054ab6a140f6de976389c5955a4ae32f
  SHA512: 850fb92f2fb8e70223347a29600f90313f2a88a7571b520ff674ba977f4dd3e83d04f16a62657844d6ef2c24594e2fde2749b0b5fbc96405f99922dedc1519bc
- Filesize: 294KB
  MD5: c694fe61e616e50ee057e89018308af6
  SHA1: 513d9f2aa302c035a36783f118182624c57b5f27
  SHA256: 8b3b15b8200710715be47b523277c5abed717312fe541d480014f7d0749921b5
  SHA512: 16847c4051bf18294289220e51ee8a63b54c6f698e9908631981f6d19f949c0cf9fe9460d70e1bec020de15a3af2b996b2bb78cd0ba41413bc9b7d629f90462a