Analysis
max time kernel: 149s
max time network: 125s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 18/08/2024, 00:43
Static task: static1
Behavioral task: behavioral1
  Sample: a4bdcefd97821332f39852f00b54a742_JaffaCakes118.exe
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: a4bdcefd97821332f39852f00b54a742_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: a4bdcefd97821332f39852f00b54a742_JaffaCakes118.exe
Size: 436KB
MD5: a4bdcefd97821332f39852f00b54a742
SHA1: 81018ef6ef0a11412b029524d865ae36ab6d3b91
SHA256: d81b77c97e07449962abea2cf2b939fd58baf0428310be72d8e7654722b4dcc2
SHA512: 243e49ce01c56ee1a9eeb6824712044eb81f88a3dc199b408edb32b99534d5b45f29687586ac0ae2bec1acea9d0ac1fe2188d29227638f386e527cf49456fe73
SSDEEP: 6144:BpPDCOkXvBftF2WKcxQIop4T6jjtmUIM9n8xrF50uZPpvEoFuK/w:fCVZftAZcxtT62bbDvEU
Malware Config
Signatures

Modifies firewall policy service (3 TTPs, 8 IoCs)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\taskmngr.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\taskmngr.exe:*:Enabled:Windows Messanger" | reg.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\a4bdcefd97821332f39852f00b54a742_JaffaCakes118.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\a4bdcefd97821332f39852f00b54a742_JaffaCakes118.exe:*:Enabled:Windows Messanger" | reg.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe

Adds policy Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run | a4bdcefd97821332f39852f00b54a742_JaffaCakes118.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\Task Manager = "C:\\Users\\Admin\\AppData\\Local\\Temp\\taskmngr.exe" | a4bdcefd97821332f39852f00b54a742_JaffaCakes118.exe

Boot or Logon Autostart Execution: Active Setup (2 TTPs, 4 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DA79CFA9-CBDF-42EF-F2F1-E0E3EF3D9BD5} | a4bdcefd97821332f39852f00b54a742_JaffaCakes118.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DA79CFA9-CBDF-42EF-F2F1-E0E3EF3D9BD5}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\taskmngr.exe" | a4bdcefd97821332f39852f00b54a742_JaffaCakes118.exe
  Key created | \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{DA79CFA9-CBDF-42EF-F2F1-E0E3EF3D9BD5} | a4bdcefd97821332f39852f00b54a742_JaffaCakes118.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Active Setup\Installed Components\{DA79CFA9-CBDF-42EF-F2F1-E0E3EF3D9BD5}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\taskmngr.exe" | a4bdcefd97821332f39852f00b54a742_JaffaCakes118.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Task Manager = "C:\\Users\\Admin\\AppData\\Local\\Temp\\taskmngr.exe" | a4bdcefd97821332f39852f00b54a742_JaffaCakes118.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\Task Manager = "C:\\Users\\Admin\\AppData\\Local\\Temp\\taskmngr.exe" | a4bdcefd97821332f39852f00b54a742_JaffaCakes118.exe

Suspicious use of SetThreadContext (1 IoC)
  description | pid | process | procid_target
  PID 280 set thread context of 2756 | 280 | a4bdcefd97821332f39852f00b54a742_JaffaCakes118.exe | 30

System Location Discovery: System Language Discovery (1 TTP, 10 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe (4 times), cmd.exe (4 times), a4bdcefd97821332f39852f00b54a742_JaffaCakes118.exe (2 times)

Modifies registry key (1 TTP, 4 IoCs)
  pid | process
  1348 | reg.exe
  2620 | reg.exe
  1196 | reg.exe
  2712 | reg.exe

Suspicious use of AdjustPrivilegeToken (35 IoCs)
  All 35 entries: pid 2756, process a4bdcefd97821332f39852f00b54a742_JaffaCakes118.exe
  Tokens: 1, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 31, 32, 33, 34, 35

Suspicious use of SetWindowsHookEx (3 IoCs)
  pid | process
  280 | a4bdcefd97821332f39852f00b54a742_JaffaCakes118.exe
  2756 | a4bdcefd97821332f39852f00b54a742_JaffaCakes118.exe
  2756 | a4bdcefd97821332f39852f00b54a742_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (41 IoCs)
  description | pid | process | procid_target | occurrences
  PID 280 wrote to memory of 2756 | 280 | a4bdcefd97821332f39852f00b54a742_JaffaCakes118.exe | 30 | 9
  PID 2756 wrote to memory of 2720 | 2756 | a4bdcefd97821332f39852f00b54a742_JaffaCakes118.exe | 31 | 4
  PID 2756 wrote to memory of 2704 | 2756 | a4bdcefd97821332f39852f00b54a742_JaffaCakes118.exe | 32 | 4
  PID 2756 wrote to memory of 2700 | 2756 | a4bdcefd97821332f39852f00b54a742_JaffaCakes118.exe | 34 | 4
  PID 2756 wrote to memory of 2356 | 2756 | a4bdcefd97821332f39852f00b54a742_JaffaCakes118.exe | 35 | 4
  PID 2720 wrote to memory of 1348 | 2720 | cmd.exe | 39 | 4
  PID 2356 wrote to memory of 2712 | 2356 | cmd.exe | 40 | 4
  PID 2704 wrote to memory of 1196 | 2704 | cmd.exe | 41 | 4
  PID 2700 wrote to memory of 2620 | 2700 | cmd.exe | 42 | 4
Processes

C:\Users\Admin\AppData\Local\Temp\a4bdcefd97821332f39852f00b54a742_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a4bdcefd97821332f39852f00b54a742_JaffaCakes118.exe"
  PID: 280
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\a4bdcefd97821332f39852f00b54a742_JaffaCakes118.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\a4bdcefd97821332f39852f00b54a742_JaffaCakes118.exe
    PID: 2756
    - Adds policy Run key to start application
    - Boot or Logon Autostart Execution: Active Setup
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      PID: 2720
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        PID: 1348
        - Modifies firewall policy service
        - System Location Discovery: System Language Discovery
        - Modifies registry key

    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\a4bdcefd97821332f39852f00b54a742_JaffaCakes118.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\a4bdcefd97821332f39852f00b54a742_JaffaCakes118.exe:*:Enabled:Windows Messanger" /f
      PID: 2704
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\a4bdcefd97821332f39852f00b54a742_JaffaCakes118.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\a4bdcefd97821332f39852f00b54a742_JaffaCakes118.exe:*:Enabled:Windows Messanger" /f
        PID: 1196
        - Modifies firewall policy service
        - System Location Discovery: System Language Discovery
        - Modifies registry key

    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      PID: 2700
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        PID: 2620
        - Modifies firewall policy service
        - System Location Discovery: System Language Discovery
        - Modifies registry key

    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\taskmngr.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\taskmngr.exe:*:Enabled:Windows Messanger" /f
      PID: 2356
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\taskmngr.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\taskmngr.exe:*:Enabled:Windows Messanger" /f
        PID: 2712
        - Modifies firewall policy service
        - System Location Discovery: System Language Discovery
        - Modifies registry key
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (3)
    Active Setup (1)
    Registry Run Keys / Startup Folder (2)
  Create or Modify System Process (1)
    Windows Service (1)
Privilege Escalation
  Boot or Logon Autostart Execution (3)
    Active Setup (1)
    Registry Run Keys / Startup Folder (2)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads
Filesize: 34B
MD5: 38c8ea22acd25e9b39e907df0d8de5ce
SHA1: 04e47592bb949245e3490ecd8179fd76a26e10a8
SHA256: 5d9f74d57e494097be9fbeb57958ce76987359d5f8c9dc65fac10c34fa38fdc9
SHA512: 1c84ff0fc45734dc370d39af6b4aa83b42ed05ee3e91fe515d6543e7f1be546ebd1c4af85e7de398fa6f8a0cb0f94a27b9d120d407ad7213360e524810eda0d9