Analysis
- max time kernel: 150s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 11/08/2024, 02:42
Behavioral task: behavioral1
- Sample: 88accf704d087c46bd15f075b51410d1_JaffaCakes118.exe
- Resource: win7-20240704-en
General
- Target: 88accf704d087c46bd15f075b51410d1_JaffaCakes118.exe
- Size: 129KB
- MD5: 88accf704d087c46bd15f075b51410d1
- SHA1: db6882ab87e046f6203485654dd2205e5ce3b96f
- SHA256: 2774f97f982e1aba08267c3e133f3e24bc2ca5af495a8a86596e19639a9e8567
- SHA512: 9f27e6fe13d2b82aae9510a0bfbbebc7f10545ab68daf75cb84e6214f5e88d2038622c26e15a039415bd3da750456c67b3f40c43c95960c192dfb41b96965ae7
- SSDEEP: 3072:svMe+I0OEWZmvEG0ndXBM7SQ/mb6M178uyo:sUeNqMdD1oux
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid 2224, process cmd.exe
- Executes dropped EXE (1 IoC)
  pid 2580, process exurd.exe
- Loads dropped DLL (2 IoCs)
  pid 2676, process 88accf704d087c46bd15f075b51410d1_JaffaCakes118.exe (2 entries)
- yara_rule upx matched on these resources:
  behavioral1/memory/2676-0-0x0000000000400000-0x0000000000436000-memory.dmp
  behavioral1/files/0x0008000000014aae-6.dat
  behavioral1/memory/2676-7-0x00000000003C0000-0x00000000003F6000-memory.dmp
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\{11FFD43B-0D70-877B-3F71-6FA4B2358AF6} = "C:\\Users\\Admin\\AppData\\Roaming\\Ceuvx\\exurd.exe" by process exurd.exe
- Suspicious use of SetThreadContext (1 IoC)
  PID 2676 (88accf704d087c46bd15f075b51410d1_JaffaCakes118.exe) set thread context of PID 2224 (procid_target 29)
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by process cmd.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by process 88accf704d087c46bd15f075b51410d1_JaffaCakes118.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by process exurd.exe
- Modifies Internet Explorer settings (2 IoCs)
  Key created \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Privacy by process 88accf704d087c46bd15f075b51410d1_JaffaCakes118.exe
  Set value (int) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0" by process 88accf704d087c46bd15f075b51410d1_JaffaCakes118.exe
- Suspicious behavior: EnumeratesProcesses (33 IoCs)
  pid 2580, process exurd.exe (all 33 entries)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeSecurityPrivilege, pid 2676, process 88accf704d087c46bd15f075b51410d1_JaffaCakes118.exe (3 entries)
- Suspicious use of WriteProcessMemory (48 IoCs)
  Entries grouped by source PID, target PID and procid_target, in the order they appear:
  PID   Process                                             wrote to memory of   procid_target   entries
  2676  88accf704d087c46bd15f075b51410d1_JaffaCakes118.exe  2580                 28              4
  2580  exurd.exe                                           1116                 19              5
  2580  exurd.exe                                           1176                 20              5
  2580  exurd.exe                                           1212                 21              5
  2580  exurd.exe                                           1704                 23              5
  2580  exurd.exe                                           2676                 27              5
  2676  88accf704d087c46bd15f075b51410d1_JaffaCakes118.exe  2224                 29              9
  2580  exurd.exe                                           2772                 31              5
  2580  exurd.exe                                           1520                 32              5
Processes
- C:\Windows\system32\taskhost.exe (PID:1116)
  Command line: "taskhost.exe"
- C:\Windows\system32\Dwm.exe (PID:1176)
  Command line: "C:\Windows\system32\Dwm.exe"
- C:\Windows\Explorer.EXE (PID:1212)
  Command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\88accf704d087c46bd15f075b51410d1_JaffaCakes118.exe (PID:2676)
    Command line: "C:\Users\Admin\AppData\Local\Temp\88accf704d087c46bd15f075b51410d1_JaffaCakes118.exe"
    Signatures: Loads dropped DLL; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Modifies Internet Explorer settings; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\Ceuvx\exurd.exe (PID:2580)
      Command line: "C:\Users\Admin\AppData\Roaming\Ceuvx\exurd.exe"
      Signatures: Executes dropped EXE; Adds Run key to start application; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID:2224)
      Command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp5f99fc44.bat"
      Signatures: Deletes itself; System Location Discovery: System Language Discovery
- C:\Windows\system32\DllHost.exe (PID:1704)
  Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- C:\Windows\system32\DllHost.exe (PID:2772)
  Command line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
- C:\Windows\system32\DllHost.exe (PID:1520)
  Command line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 271B
  MD5: 2a2ac4f9510f5f9797d3390743fc5cc2
  SHA1: cc5312acd3a6ff541acf140eef29c0b1cd2a8deb
  SHA256: 79fa35ce9c48ba6307a2148510bd36eb9d86ac0325f94f838d22a68ef7d50b9a
  SHA512: 38b1a9e9f9508accbbab8c466b7173ffb63ff22e80104e27cd21b27fec1660fa69733dde1ab5897ddbdb65d02f1b6ca595ba7a8a71788bf2f46da1e376ca9518
- Filesize: 380B
  MD5: 0578bbb55f766bef83ef3aa5f55cbc4c
  SHA1: dd1489c9552b08e151d38e993e50d711f0a7332d
  SHA256: 658c9d87d784eb0c8b5bbd3b4eb4fa79533969123070d0c494a10991a0b43c79
  SHA512: 14109e93a9b4e928cc628d6b6f474aa6eab120c796634e6d9ae3599ebb01379a1cdbd4a365df2ed57ef0fdd47a73e27f9a993fa0a298ed390344fbad678f0b6f
- Filesize: 129KB
  MD5: 9c68ed57276e0cf425b5e6e3b4f7f528
  SHA1: e0cb03f0f0b7f6c1d1cff792abc7caa35c87cc1f
  SHA256: a670f4b41b5bde26e63eac0396171770fd685bf387443e7106504af087c0c0bc
  SHA512: d12de95d4c23364c4ffd785d5ac3198d8a2acc5c89c9fe0ae0f26417c863cc60b15c36b12851faf3cf760aa493efee2d79106eccd1c9292ecfe412353cac2ead