Analysis
- max time kernel: 102s
- max time network: 19s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 14/08/2024, 07:57
Static task: static1
Behavioral task: behavioral1
- Sample: 953d3e61466aaef1feb0f1218991b834_JaffaCakes118.exe
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: 953d3e61466aaef1feb0f1218991b834_JaffaCakes118.exe
- Resource: win10v2004-20240802-en
General
- Target: 953d3e61466aaef1feb0f1218991b834_JaffaCakes118.exe
- Size: 730KB
- MD5: 953d3e61466aaef1feb0f1218991b834
- SHA1: a7ed9c02bd324c74e968132a52793b042b67f4f0
- SHA256: 1c9b517de19ea906b642624ab9a8f20b8b4cd91881cb6e6a031d87dfcad5ed3c
- SHA512: cc9c652b6a1641bef3e6c66a5039b1719b48f633cafd38dcd0b588c70596ebf4e729d8377e93a44f7f8f2b8866aaf412923b7603abca8b2df6d48d9695ed7dcf
- SSDEEP: 12288:2zxveAzCY64Ly3AuYW/g8eyi49Wr3xvPTY38czsg84On0kBOvW1LcqOwi:SmeCY64LWAuYZyipk8GnwnOwi
Malware Config
Signatures
- Loads dropped DLL (1 IoC)
  pid 2724  MsiExec.exe
- Enumerates connected drives (3 TTPs, 46 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) by msiexec.exe; the 46 rows cover the following 23 drive letters, each listed twice:
  \??\A: \??\B: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  953d3e61466aaef1feb0f1218991b834_JaffaCakes118.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  MsiExec.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid 1668  msiexec.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs; repeated rows collapsed, 3 rows for pid 2380 and 61 rows for pid 1668)
  pid 2380  msiexec.exe  Token: SeRestorePrivilege, SeTakeOwnershipPrivilege, SeSecurityPrivilege
  pid 1668  msiexec.exe  Token: SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
- Suspicious use of FindShellTrayWindow (1 IoC)
  pid 1668  msiexec.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  PID 2388 (953d3e61466aaef1feb0f1218991b834_JaffaCakes118.exe) wrote to memory of PID 1668, procid_target 29 (7 rows)
  PID 2380 (msiexec.exe) wrote to memory of PID 2724, procid_target 31 (7 rows)
Processes
- C:\Users\Admin\AppData\Local\Temp\953d3e61466aaef1feb0f1218991b834_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\953d3e61466aaef1feb0f1218991b834_JaffaCakes118.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2388
  - C:\Windows\system32\msiexec.exe
    Command line: /i "C:\Users\Admin\AppData\Roaming\RM Royal Media Ltd.\Romi Royal Install\install\RummyRoyal_Live_hu.msi" AI_SETUPEXEPATH="C:\Users\Admin\AppData\Local\Temp\953d3e61466aaef1feb0f1218991b834_JaffaCakes118.exe" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp\"
    - Enumerates connected drives
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:1668
- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2380
  - C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 57C4B63FA5181BDC249643DFFC51B215 C
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2724
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 14KB
  MD5: 1afa5d8db46927c210ca89b7ec81e1c7
  SHA1: e5cd5b8f8afe4faf43a64d4c16d048228b9ee2fd
  SHA256: e55a022de86edfd958583023e9989b94751ea36322587e047c9af642d3fb82dc
  SHA512: 6e860e077149e0466b267f2300ca1eba67eaee419f1bf8cc8e7ad0542472f197407b4ca6dd60632cd731ef4780a7c389bd8dedafa7e330113ef0062f188e4b24
- Filesize: 309KB
  MD5: c274fc0ff2473e1d75051dd7e2705cad
  SHA1: 97ed0425861e1858778ad179c392eeddb9a4db61
  SHA256: cadb0be309bbe5c11b560fc2ab724808d47f5c7091a00f03068f66679ef3444b
  SHA512: 2e80b0f75d3a067f62c4b37f9bfa6eae8bf27221baccf6debefd837fc70421ab0cbaadb1ce5c0736c8a2b6f64894791a54f89abfd2b80dd8c0e5f0756c5cbd54