Analysis

max time kernel: 140s
max time network: 137s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 10/08/2024, 12:17
Behavioral task behavioral1
  Sample: 8605a1a556926842a95ab84eda97af74_JaffaCakes118.exe
  Resource: win7-20240704-en

Behavioral task behavioral2
  Sample: 8605a1a556926842a95ab84eda97af74_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General

Target: 8605a1a556926842a95ab84eda97af74_JaffaCakes118.exe
Size: 48KB
MD5: 8605a1a556926842a95ab84eda97af74
SHA1: 670b9eeac6080b26541ede974941fc7032e13c6d
SHA256: b396e362c1d32d61fb654c2766025fcb8a86bc26776ad1f478ffb43a4bfc8878
SHA512: 50b9f2fd804465bcc149174d45c81bdede5a2f7cf98b99cda88b6f1110710acb8a21a01f5f1d7c6e7c4db4e4679a9a2afef6dd2ad52538eee246de49a47f11fb
SSDEEP: 768:jVhHmMth6A4Uq6y+KkIP8c5+L/xa7JABVS06lyuoNDCktKXjlyoqpkXf:jzHmMthuUq9+Kk48C+QJAuoNgXjlyo6k
Malware Config
Signatures

UAC bypass 1 IoCs
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 8605a1a556926842a95ab84eda97af74_JaffaCakes118.exe

Deletes itself 1 IoCs
  pid | Process
  2316 | cmd.exe

Executes dropped EXE 1 IoCs
  pid | Process
  1884 | bill102.exe

UPX packed file 4 IoCs
  resource | yara_rule
  behavioral1/memory/2940-0-0x0000000000400000-0x0000000000422000-memory.dmp | upx
  behavioral1/files/0x00080000000120ff-15.dat | upx
  behavioral1/memory/2940-18-0x0000000000400000-0x0000000000422000-memory.dmp | upx
  behavioral1/memory/2940-8-0x0000000000290000-0x00000000002B2000-memory.dmp | upx

Adds Run key to start application 2 TTPs 1 IoCs
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sysfbtray = "c:\\windows\\bill102.exe" | bill102.exe

Checks whether UAC is enabled 2 IoCs
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 8605a1a556926842a95ab84eda97af74_JaffaCakes118.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | bill102.exe

Drops file in Windows directory 3 IoCs
  description | ioc | Process
  File opened for modification | \??\c:\windows\bill102.exe | 8605a1a556926842a95ab84eda97af74_JaffaCakes118.exe
  File created | \??\c:\windows\bill102.exe | 8605a1a556926842a95ab84eda97af74_JaffaCakes118.exe
  File created | C:\Windows\dxxdv34567.bat | 8605a1a556926842a95ab84eda97af74_JaffaCakes118.exe

Program crash 1 IoCs
  pid | pid_target | Process | procid_target
  1036 | 1884 | WerFault.exe | 31

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bill102.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 8605a1a556926842a95ab84eda97af74_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe

Modifies Internet Explorer settings 2 IoCs
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main | bill102.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\tp = "1000" | bill102.exe

Suspicious use of WriteProcessMemory 12 IoCs
  description | pid | Process | procid_target
  PID 2940 wrote to memory of 1884 | 2940 | 8605a1a556926842a95ab84eda97af74_JaffaCakes118.exe | 31
  PID 2940 wrote to memory of 1884 | 2940 | 8605a1a556926842a95ab84eda97af74_JaffaCakes118.exe | 31
  PID 2940 wrote to memory of 1884 | 2940 | 8605a1a556926842a95ab84eda97af74_JaffaCakes118.exe | 31
  PID 2940 wrote to memory of 1884 | 2940 | 8605a1a556926842a95ab84eda97af74_JaffaCakes118.exe | 31
  PID 2940 wrote to memory of 2316 | 2940 | 8605a1a556926842a95ab84eda97af74_JaffaCakes118.exe | 32
  PID 2940 wrote to memory of 2316 | 2940 | 8605a1a556926842a95ab84eda97af74_JaffaCakes118.exe | 32
  PID 2940 wrote to memory of 2316 | 2940 | 8605a1a556926842a95ab84eda97af74_JaffaCakes118.exe | 32
  PID 2940 wrote to memory of 2316 | 2940 | 8605a1a556926842a95ab84eda97af74_JaffaCakes118.exe | 32
  PID 1884 wrote to memory of 1036 | 1884 | bill102.exe | 34
  PID 1884 wrote to memory of 1036 | 1884 | bill102.exe | 34
  PID 1884 wrote to memory of 1036 | 1884 | bill102.exe | 34
  PID 1884 wrote to memory of 1036 | 1884 | bill102.exe | 34

System policy modification 1 TTPs 1 IoCs
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 8605a1a556926842a95ab84eda97af74_JaffaCakes118.exe
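The registry rows above carry the two behaviours that matter operationally: the dropper sets ConsentPromptBehaviorAdmin to 0 (administrators elevate with no UAC prompt), and the dropped bill102.exe registers itself under the Wow6432Node Run key and queries EnableLUA first. The following is an added example, not code from the tria.ge report or from the sample: a small Python parser for rows in the report's "description / ioc / Process" layout that raises a finding for each UAC-weakening or persistence write. The sample rows are constructed to mirror the table above (the last row is an invented benign control), and the ATT&CK technique IDs are my own mapping of the report's signature names, not the report's.

```python
"""Parse tria.ge-style registry IoC rows and flag UAC weakening and persistence.

Added example, not part of the report. SAMPLE_ROWS are constructed in the
layout of the "description / ioc / Process" table above; the last row is an
invented benign control that sets the default prompt level (5).
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

SAMPLE_ROWS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 8605a1a556926842a95ab84eda97af74_JaffaCakes118.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sysfbtray = "c:\\windows\\bill102.exe" bill102.exe',
    r'Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA bill102.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\tp = "1000" bill102.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "5" benign_installer.exe',
]

# <operation> <\REGISTRY\... path> [= "<value>"] <process>
# Paths may contain spaces ("Internet Explorer"); the process name is assumed not to.
ROW_RE = re.compile(
    r'^(?P<op>Set value \((?P<vtype>\w+)\)|Key value queried|Key created|Key opened) '
    r'(?P<path>\\REGISTRY\\.+?)'
    r'(?: = "(?P<value>.*)")?'
    r' (?P<proc>\S+)$'
)

OP_MAP = {"Key value queried": "query", "Key created": "create", "Key opened": "open"}


@dataclass
class RegistryEvent:
    op: str              # "set", "query", "create" or "open"
    path: str            # as the sandbox logs it: \REGISTRY\MACHINE\... or \REGISTRY\USER\...
    value: Optional[str] # only present for "Set value" rows
    proc: str


@dataclass
class Finding:
    technique: str       # ATT&CK technique ID (author's mapping, not the report's)
    summary: str
    proc: str


def parse_row(line: str) -> Optional[RegistryEvent]:
    """Return a RegistryEvent for one table row, or None if the row does not match."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    op = "set" if m.group("op").startswith("Set value") else OP_MAP[m.group("op")]
    value = m.group("value")
    if value is not None:
        value = value.replace("\\\\", "\\")  # the report doubles backslashes inside quoted values
    return RegistryEvent(op, m.group("path"), value, m.group("proc"))


def classify(ev: RegistryEvent) -> list[Finding]:
    """Map one registry event to zero or more findings; benign values produce none."""
    p = ev.path.lower()
    out: list[Finding] = []
    if p.endswith(r"\policies\system\consentpromptbehavioradmin"):
        # 0 = elevate without prompting; 5 (the default) = prompt for consent for non-Windows binaries
        if ev.op == "set" and ev.value == "0":
            out.append(Finding("T1548.002", "ConsentPromptBehaviorAdmin set to 0: admin elevation with no UAC prompt", ev.proc))
    elif p.endswith(r"\policies\system\enablelua"):
        if ev.op == "set" and ev.value == "0":
            out.append(Finding("T1562.001", "EnableLUA set to 0: UAC disabled after the next reboot", ev.proc))
        elif ev.op == "query":
            out.append(Finding("T1012", "queried EnableLUA to learn whether UAC is enforced", ev.proc))
    elif "\\currentversion\\run\\" in p and ev.op == "set":
        name = ev.path.rsplit("\\", 1)[-1]
        out.append(Finding("T1547.001", f"Run key persistence: {name} -> {ev.value}", ev.proc))
    elif "\\internet explorer\\main" in p and ev.op in ("set", "create"):
        out.append(Finding("T1112", "modifies Internet Explorer settings", ev.proc))
    return out


def analyze(rows: list[str]) -> list[Finding]:
    """Parse and classify every row, skipping rows that are not registry events."""
    findings: list[Finding] = []
    for row in rows:
        ev = parse_row(row)
        if ev is not None:
            findings.extend(classify(ev))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_ROWS):
        print(f"{f.technique:10} {f.proc:55} {f.summary}")
```

Two details worth keeping in mind when turning this into a hunt: the Run key lives under Wow6432Node because bill102.exe is a 32-bit process on a 64-bit host, and Windows processes that view of the Run key at logon just as it does the native one, so the persistence is real; and the check is value-aware, which is why the constructed row that sets ConsentPromptBehaviorAdmin back to 5 produces no finding.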
Processes

C:\Users\Admin\AppData\Local\Temp\8605a1a556926842a95ab84eda97af74_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\8605a1a556926842a95ab84eda97af74_JaffaCakes118.exe"
  PID: 2940
  - UAC bypass
  - Checks whether UAC is enabled
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - System policy modification

  \??\c:\windows\bill102.exe (child of PID 2940)
    command line: c:\windows\bill102.exe
    PID: 1884
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WerFault.exe (child of PID 1884)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1884 -s 612
      PID: 1036
      - Program crash

  C:\Windows\SysWOW64\cmd.exe (child of PID 2940)
    command line: cmd /c C:\Windows\dxxdv34567.bat
    PID: 2316
    - Deletes itself
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15

Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)

Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (1)
    Disable or Modify Tools (1)
  Modify Registry (4)
Downloads

File 1
  Filesize: 48KB
  MD5: 8605a1a556926842a95ab84eda97af74
  SHA1: 670b9eeac6080b26541ede974941fc7032e13c6d
  SHA256: b396e362c1d32d61fb654c2766025fcb8a86bc26776ad1f478ffb43a4bfc8878
  SHA512: 50b9f2fd804465bcc149174d45c81bdede5a2f7cf98b99cda88b6f1110710acb8a21a01f5f1d7c6e7c4db4e4679a9a2afef6dd2ad52538eee246de49a47f11fb

File 2
  Filesize: 277B
  MD5: 2b998e585185c414d80ff44353e5dcd9
  SHA1: 7fd5b5a1f84ed00f57644eb87d36076a9721b915
  SHA256: 8a02487d5946c099a34403044253ae5dbebf69313ed33b68bb4e4fb62a7d59e4
  SHA512: 01b75b85753d3a795f7b0485ee009f783093b2c0738030c2bfbe5215fe4934d95d02522cc6329ce64e53255c87e7ffb7308a52425184fd55d181577a8700efba