Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
140s -
max time network
140s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
12/08/2024, 11:36
Static task
static1
Behavioral task
behavioral1
Sample
8e96094284d9464b977e9f80c3b6387a_JaffaCakes118.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
8e96094284d9464b977e9f80c3b6387a_JaffaCakes118.exe
Resource
win10v2004-20240802-en
General
-
Target
8e96094284d9464b977e9f80c3b6387a_JaffaCakes118.exe
-
Size
150KB
-
MD5
8e96094284d9464b977e9f80c3b6387a
-
SHA1
d005a3b86092d35d257cc80a7ac402afa75a0c1b
-
SHA256
48b03c89100dea7f889e7f207ecc5c8c2424111a791af993149337d1f45b39c0
-
SHA512
a46728529e1438e204f0782d573675a7c693810b01ddc45889eb0d07f101133e198074d887c215108f0cdc2fc7d9c8ce784559ee90f92b2820a9ad352c781111
-
SSDEEP
3072:vH8J8M96c2Z+GariqjkkxemFT4y4GOUM5KIWUvuQYcbBOOoB/8Bpy:vHQ8MD25ar8cFPMB90bSBI
Malware Config
Signatures
-
Deletes itself 1 IoCs
pid Process 1524 explorer.exe -
Executes dropped EXE 1 IoCs
pid Process 336 csrss.exe -
Drops desktop.ini file(s) 2 IoCs
description ioc Process File created \systemroot\assembly\GAC_32\Desktop.ini csrss.exe File created \systemroot\assembly\GAC_64\Desktop.ini csrss.exe -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8e96094284d9464b977e9f80c3b6387a_JaffaCakes118.exe -
Modifies registry class 3 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9d188ed4-7f0f-50e8-d51f-37567dd51fd0}\u = "860049491" explorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9d188ed4-7f0f-50e8-d51f-37567dd51fd0}\cid = "3288693430873097271" explorer.exe Key created \registry\machine\Software\Classes\Interface\{9d188ed4-7f0f-50e8-d51f-37567dd51fd0} explorer.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 1524 explorer.exe 1524 explorer.exe 1524 explorer.exe 336 csrss.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1524 explorer.exe -
Suspicious use of UnmapMainImage 1 IoCs
pid Process 336 csrss.exe -
Suspicious use of WriteProcessMemory 10 IoCs
description pid Process procid_target PID 1748 wrote to memory of 1524 1748 8e96094284d9464b977e9f80c3b6387a_JaffaCakes118.exe 30 PID 1748 wrote to memory of 1524 1748 8e96094284d9464b977e9f80c3b6387a_JaffaCakes118.exe 30 PID 1748 wrote to memory of 1524 1748 8e96094284d9464b977e9f80c3b6387a_JaffaCakes118.exe 30 PID 1748 wrote to memory of 1524 1748 8e96094284d9464b977e9f80c3b6387a_JaffaCakes118.exe 30 PID 1748 wrote to memory of 1524 1748 8e96094284d9464b977e9f80c3b6387a_JaffaCakes118.exe 30 PID 1748 wrote to memory of 1524 1748 8e96094284d9464b977e9f80c3b6387a_JaffaCakes118.exe 30 PID 1524 wrote to memory of 336 1524 explorer.exe 2 PID 336 wrote to memory of 2836 336 csrss.exe 31 PID 336 wrote to memory of 2836 336 csrss.exe 31 PID 336 wrote to memory of 860 336 csrss.exe 13
Processes
-
C:\Windows\system32\csrss.exe%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:336
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs1⤵PID:860
-
C:\Windows\system32\wbem\WMIADAP.EXEwmiadap.exe /F /T /R2⤵PID:2836
-
-
C:\Users\Admin\AppData\Local\Temp\8e96094284d9464b977e9f80c3b6387a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\8e96094284d9464b977e9f80c3b6387a_JaffaCakes118.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1748 -
C:\Windows\explorer.exe00000084*2⤵
- Deletes itself
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1524
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
52KB
MD5c7570a7e24b29ee04a48c2c99da2587b
SHA1b6e3635a8de44b1635e8d362ac131e14281feb24
SHA256717cd7661c09701ee39c505d8b604ea3dd6c1151ef18e7ed1cab3832552ac34b
SHA51257479d2f5386ace8cc5e5ed543e6ad2c2b7b58accc849807d804a8cf0d03080f328f7b42442422fa1483a01ad473ca302f9eca97b9eb24e699e22db56641c572
-
Filesize
2KB
MD5f54d422e17ad02743de0acacd9edec4e
SHA129e48061201bf29fda501ed36c593d14b643b5c2
SHA2568c14ca7d590482c201f5d3ca44cd5c63fd0749b548ade9bd59ff43c157c151b6
SHA5128a48774094ddedb3b1882f3aaa92499a0dc92feb6c5ca46caf8dc2c12a2b0ef20d55c3fd2d8b85f9fd38fc1a477c5b032d5046f0db2e83c13d54e1df6a4e48df