Analysis
- max time kernel: 150s
- max time network: 143s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 10/08/2024, 16:01
Static task: static1
Behavioral task: behavioral1
- Sample: 86b7f328217fe15567345321e31f7c5a_JaffaCakes118.exe
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: 86b7f328217fe15567345321e31f7c5a_JaffaCakes118.exe
- Resource: win10v2004-20240802-en
General
- Target: 86b7f328217fe15567345321e31f7c5a_JaffaCakes118.exe
- Size: 140KB
- MD5: 86b7f328217fe15567345321e31f7c5a
- SHA1: 6f69c40d3918b2e5fc646953bd1e1322acd3f7ee
- SHA256: 98e4678511d215a6243d6012d9f71ae78d5afcb0f5cc93cf4e3aa403ef716443
- SHA512: 9986c5a9e88bef527a41a860a8763e71e4468ed9951a37557dee4172db95caec8a892439fb2110f54360ff3102b3b1645d75d7004c744376bc6612082f54b994
- SSDEEP: 3072:xlJjsSFgXhVq+98ky3bgeMzDlGoTz/xDQJ0oN8:tjsSKXhVq+6k48eMzZXxDQJ0o
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid 1192  cmd.exe
- Executes dropped EXE (1 IoC)
  pid 2240  bauhi.exe
- Loads dropped DLL (2 IoCs)
  pid 2388  86b7f328217fe15567345321e31f7c5a_JaffaCakes118.exe
  pid 2388  86b7f328217fe15567345321e31f7c5a_JaffaCakes118.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str)  \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\{173962AA-4FF9-C008-91E1-8ED8C7E0F42F} = "C:\\Users\\Admin\\AppData\\Roaming\\Axdu\\bauhi.exe"  (bauhi.exe)
- Suspicious use of SetThreadContext (1 IoC)
  PID 2388 set thread context of 1192  (pid 2388, 86b7f328217fe15567345321e31f7c5a_JaffaCakes118.exe, procid_target 45)
- System Location Discovery: System Language Discovery (1 TTP, 11 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (net1.exe)
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (net1.exe)
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (cmd.exe)
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (net.exe)
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (net1.exe)
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (bauhi.exe)
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (net.exe)
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (net.exe)
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (86b7f328217fe15567345321e31f7c5a_JaffaCakes118.exe)
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (net.exe)
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (net1.exe)
- Modifies Internet Explorer settings (2 IoCs)
  Key created  \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Privacy  (86b7f328217fe15567345321e31f7c5a_JaffaCakes118.exe)
  Set value (int)  \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"  (86b7f328217fe15567345321e31f7c5a_JaffaCakes118.exe)
- NTFS ADS (1 IoC)
  File opened for modification  C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\7A132A53-00000001.eml:OECustomProperty  (WinMail.exe)
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (29 IoCs)
  pid 2240  bauhi.exe  (the same entry, repeated 29 times)
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Token: SeSecurityPrivilege      pid 2388  86b7f328217fe15567345321e31f7c5a_JaffaCakes118.exe
  Token: SeSecurityPrivilege      pid 2388  86b7f328217fe15567345321e31f7c5a_JaffaCakes118.exe
  Token: SeSecurityPrivilege      pid 2388  86b7f328217fe15567345321e31f7c5a_JaffaCakes118.exe
  Token: SeManageVolumePrivilege  pid 2076  WinMail.exe
  Token: SeSecurityPrivilege      pid 1192  cmd.exe
  Token: SeManageVolumePrivilege  pid 2948  WinMail.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
  pid 2076  WinMail.exe
  pid 2948  WinMail.exe
- Suspicious use of SendNotifyMessage (2 IoCs)
  pid 2076  WinMail.exe
  pid 2948  WinMail.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid 2076  WinMail.exe
  pid 2948  WinMail.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Columns: description, pid, Process, procid_target. Identical consecutive entries are grouped, with the repeat count in brackets.
  PID 2388 wrote to memory of 2016  pid 2388  86b7f328217fe15567345321e31f7c5a_JaffaCakes118.exe  procid_target 30  [x4]
  PID 2016 wrote to memory of 3064  pid 2016  net.exe    procid_target 32  [x4]
  PID 2388 wrote to memory of 1216  pid 2388  86b7f328217fe15567345321e31f7c5a_JaffaCakes118.exe  procid_target 33  [x4]
  PID 1216 wrote to memory of 1244  pid 1216  net.exe    procid_target 35  [x4]
  PID 2388 wrote to memory of 2240  pid 2388  86b7f328217fe15567345321e31f7c5a_JaffaCakes118.exe  procid_target 36  [x4]
  PID 2240 wrote to memory of 2784  pid 2240  bauhi.exe  procid_target 37  [x4]
  PID 2784 wrote to memory of 2844  pid 2784  net.exe    procid_target 39  [x4]
  PID 2240 wrote to memory of 3016  pid 2240  bauhi.exe  procid_target 40  [x4]
  PID 2240 wrote to memory of 1064  pid 2240  bauhi.exe  procid_target 18  [x5]
  PID 2240 wrote to memory of 1132  pid 2240  bauhi.exe  procid_target 19  [x5]
  PID 2240 wrote to memory of 1200  pid 2240  bauhi.exe  procid_target 21  [x5]
  PID 2240 wrote to memory of 1232  pid 2240  bauhi.exe  procid_target 25  [x5]
  PID 2240 wrote to memory of 2388  pid 2240  bauhi.exe  procid_target 29  [x5]
  PID 3016 wrote to memory of 804   pid 3016  net.exe    procid_target 42  [x4]
  PID 2240 wrote to memory of 2076  pid 2240  bauhi.exe  procid_target 43  [x3]
Processes
Each entry gives the image path, the command line in brackets, the PID, and the signatures triggered by that process; indentation shows the parent/child relationship.
- C:\Windows\system32\taskhost.exe  ("taskhost.exe")  PID:1064
- C:\Windows\system32\Dwm.exe  ("C:\Windows\system32\Dwm.exe")  PID:1132
- C:\Windows\Explorer.EXE  (C:\Windows\Explorer.EXE)  PID:1200
  - C:\Users\Admin\AppData\Local\Temp\86b7f328217fe15567345321e31f7c5a_JaffaCakes118.exe  ("C:\Users\Admin\AppData\Local\Temp\86b7f328217fe15567345321e31f7c5a_JaffaCakes118.exe")  PID:2388
    Loads dropped DLL; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Modifies Internet Explorer settings; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net.exe  (net stop wscsvc)  PID:2016
      System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe  (C:\Windows\system32\net1 stop wscsvc)  PID:3064
        System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\net.exe  (net stop SharedAccess)  PID:1216
      System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe  (C:\Windows\system32\net1 stop SharedAccess)  PID:1244
        System Location Discovery: System Language Discovery
    - C:\Users\Admin\AppData\Roaming\Axdu\bauhi.exe  ("C:\Users\Admin\AppData\Roaming\Axdu\bauhi.exe")  PID:2240
      Executes dropped EXE; Adds Run key to start application; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net.exe  (net stop wscsvc)  PID:2784
        System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\net1.exe  (C:\Windows\system32\net1 stop wscsvc)  PID:2844
          System Location Discovery: System Language Discovery
      - C:\Windows\SysWOW64\net.exe  (net stop SharedAccess)  PID:3016
        System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\net1.exe  (C:\Windows\system32\net1 stop SharedAccess)  PID:804
          System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\cmd.exe  ("C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpf34281a1.bat")  PID:1192
      Deletes itself; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\DllHost.exe  (C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683})  PID:1232
- C:\Program Files\Windows Mail\WinMail.exe  ("C:\Program Files\Windows Mail\WinMail.exe" -Embedding)  PID:2076
  NTFS ADS; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of SetWindowsHookEx
- C:\Program Files\Windows Mail\WinMail.exe  ("C:\Program Files\Windows Mail\WinMail.exe" -Embedding)  PID:2948
  Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of SetWindowsHookEx
- C:\Windows\system32\DllHost.exe  (C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF})  PID:1628
Network
MITRE ATT&CK Enterprise v15
Downloads