Analysis
max time kernel: 150s
max time network: 127s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 18/08/2024, 17:00
Static task: static1
Behavioral task: behavioral1
  Sample: a77ca5793b0e5f4a28ea576cf988b5c8_JaffaCakes118.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: a77ca5793b0e5f4a28ea576cf988b5c8_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: a77ca5793b0e5f4a28ea576cf988b5c8_JaffaCakes118.exe
Size: 89KB
MD5: a77ca5793b0e5f4a28ea576cf988b5c8
SHA1: 81f7599be4e590386de12b4366716433bf10a017
SHA256: 5c302e8ae763e0d918978dacc3031dc4c4425757dd1bfed53f6b776e9b9003ee
SHA512: d5bad9f53fd913afb44d4cad0888b4a71417f81924b8694eb6be7e2394889858e583ee2c193c7d2e1c3d94370c08cb4f6781569c9a1e9d8d3577f4d100e23e8f
SSDEEP: 1536:L8dOoemFFLr/5P8MdiEWzHc/toONCoCinYQ13gLspuIJK/k1lJSU5xfO3:6PemFN5GEeH2qAcinYQJgLAK/2F5xW3
Malware Config
Signatures
-
Loads dropped DLL 1 IoCs
pid | Process
2372 | a77ca5793b0e5f4a28ea576cf988b5c8_JaffaCakes118.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSSMSGS = "rundll32.exe winjrj32.rom,VLfhEzq" | a77ca5793b0e5f4a28ea576cf988b5c8_JaffaCakes118.exe
-
Drops file in System32 directory 2 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\winjrj32.rom | a77ca5793b0e5f4a28ea576cf988b5c8_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\winjrj32.rom | a77ca5793b0e5f4a28ea576cf988b5c8_JaffaCakes118.exe
Note the recorded path is SysWOW64, not System32: the sample is a 32-bit process (its cmd.exe and WerFault.exe children run from SysWOW64), so WOW64 file-system redirection sends its write to System32 there. The signature name reflects the path the sample asked for.
-
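The two signatures above belong together: the Run value points rundll32.exe at winjrj32.rom, the file the sample has just written. rundll32 hands the module name straight to LoadLibrary, so the non-DLL extension is no obstacle to it, and because the module is given as a bare name rather than a full path it is resolved through the loader's search order of whichever rundll32.exe (System32 or SysWOW64) ends up launching it; check on the host which copy actually loads rather than assuming the SysWOW64 file is the one. The block below is an added triage example, not part of the tria.ge report or of the sample: given Run-key entries as (key, name, value) triples, as a registry export or EDR telemetry would supply them, it parses the rundll32 form, flags modules with an unexpected extension or a relative path, and ties them back to a list of dropped files. The entries other than MSSMSGS, the EXPECTED_MODULE_EXTS set and all function names are my own constructed inputs and assumptions.

```python
import ntpath

# Constructed sample input. The MSSMSGS value is the Run entry recorded in this
# report; the other two are ordinary entries added for contrast (not from the report).
SAMPLE_RUN_ENTRIES = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "MSSMSGS",
     "rundll32.exe winjrj32.rom,VLfhEzq"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth",
     r"%windir%\system32\SecurityHealthSystray.exe"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "PrinterSetup",
     r'rundll32.exe "C:\Windows\System32\printui.dll",PrintUIEntry /in'),
]
# Files the sample created, from the "Drops file in System32 directory" signature.
SAMPLE_DROPPED_FILES = [r"C:\Windows\SysWOW64\winjrj32.rom"]

# Extensions rundll32 is normally pointed at (assumption; extend for your estate).
EXPECTED_MODULE_EXTS = {".dll", ".cpl"}


def split_cmdline(cmd):
    """Minimal Windows-style argv split: whitespace separates, double quotes group."""
    argv, cur, quoted = [], [], False
    for ch in cmd:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if cur:
                argv.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        argv.append("".join(cur))
    return argv


def parse_rundll32(value):
    """Return (module, entry_point) when the value invokes rundll32, else None.

    rundll32 takes '<module>,<entrypoint> [args]' and passes <module> to
    LoadLibrary unchanged, so the extension is irrelevant to it and a bare
    name is found through the loader's search order.
    """
    argv = split_cmdline(value)
    if not argv or ntpath.basename(argv[0]).lower() != "rundll32.exe":
        return None
    if len(argv) < 2:
        return "", None
    head, comma, tail = argv[1].rpartition(",")
    if not comma:                 # no comma: the whole token is the module
        return tail, None
    return head, tail or None


def find_suspicious_run_entries(entries, dropped_files=()):
    """Flag rundll32 Run entries whose module is not a normal DLL path.

    Returns one finding per flagged entry with the reasons and, when the
    module name matches a file the sample dropped, that dropped path.
    """
    dropped_by_name = {ntpath.basename(p).lower(): p for p in dropped_files}
    findings = []
    for key, name, value in entries:
        parsed = parse_rundll32(value)
        if parsed is None:
            continue
        module, entry = parsed
        reasons = []
        if ntpath.splitext(module)[1].lower() not in EXPECTED_MODULE_EXTS:
            reasons.append("non-dll-extension")
        if not ntpath.isabs(module):
            reasons.append("relative-module-path")
        match = dropped_by_name.get(ntpath.basename(module).lower())
        if match is not None:
            reasons.append("module-dropped-by-sample")
        if reasons:
            findings.append({"key": key, "name": name, "module": module,
                             "entry": entry, "reasons": reasons,
                             "dropped_match": match})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_run_entries(SAMPLE_RUN_ENTRIES, SAMPLE_DROPPED_FILES):
        print(f"{f['key']}\\{f['name']}: module={f['module']} entry={f['entry']} "
              f"reasons={','.join(f['reasons'])} dropped={f['dropped_match']}")
```

Run against the constructed entries, only MSSMSGS is reported, with all three reasons and the SysWOW64 path attached; the printui.dll entry, although it also uses rundll32, is an absolute .dll path and is left alone. The relative-path reason is the one to act on first during incident response, because it means the file that actually gets loaded depends on the search order of the launching process and may not be the copy you have hashed.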
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid | pid_target | Process | procid_target
1100 | 2372 | WerFault.exe | 30
pid_target 2372 is the sample itself (WerFault.exe was started with -p 2372), so the sample crashed during the run and any behaviour it would have shown after that point was not observed.
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a77ca5793b0e5f4a28ea576cf988b5c8_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IEXPLORE.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
-
Modifies Internet Explorer settings
All keys below are under \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\
description | ioc | Process
Key created | Toolbar | iexplore.exe
Set value (int) | Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Key created | LowRegistry | iexplore.exe
Key created | LowRegistry\DOMStorage | iexplore.exe
Key created | InternetRegistry | iexplore.exe
Key created | Main\WindowsSearch | iexplore.exe
Set value (str) | Main\FullScreen = "no" | iexplore.exe
Key created | Main | IEXPLORE.EXE
Key created | GPU | iexplore.exe
Set value (int) | Recovery\AdminActive\{66844C61-5D83-11EF-BCF9-7EBFE1D0DDB4} = "0" | iexplore.exe
Set value (int) | Recovery\PendingRecovery\AdminActive = "1" | iexplore.exe
Key created | BrowserEmulation\LowMic | iexplore.exe
Key created | Zoom | iexplore.exe
Key created | Main | iexplore.exe
Set value (int) | DomainSuggestion\NextUpdateDate = "430162309" | iexplore.exe
Key created | IETld\LowMic | iexplore.exe
Key created | LowRegistry\DontShowMeThisDialogAgain | iexplore.exe
Key created | Toolbar\WebBrowser | iexplore.exe
Key created | Recovery\AdminActive | iexplore.exe
Key created | IntelliForms | iexplore.exe
Key created | DomainSuggestion | iexplore.exe
Set value (int) | Main\CompatibilityFlags = "0" | iexplore.exe
Set value (str) | Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Key created | PageSetup | iexplore.exe
Key created | Recovery\PendingRecovery | iexplore.exe
Every write here comes from iexplore.exe or IEXPLORE.EXE, not from the sample, and the keys (Recovery, Toolbar, LowRegistry, Zoom, DomainSuggestion, WindowsSearch) are the ones Internet Explorer creates on its own first launch under a profile. Treat this signature as a side effect of the sample starting Internet Explorer, not as attacker-chosen configuration, unless other evidence says otherwise.
-
Suspicious use of FindShellTrayWindow 1 IoCs
pid | Process
2732 | iexplore.exe
-
Suspicious use of SetWindowsHookEx 4 IoCs
pid | Process
2732 | iexplore.exe
2732 | iexplore.exe
3024 | IEXPLORE.EXE
3024 | IEXPLORE.EXE
-
Suspicious use of WriteProcessMemory 24 IoCs
description | pid | Process | procid_target
PID 2372 wrote to memory of 2772 | 2372 | a77ca5793b0e5f4a28ea576cf988b5c8_JaffaCakes118.exe | 31
PID 2372 wrote to memory of 2772 | 2372 | a77ca5793b0e5f4a28ea576cf988b5c8_JaffaCakes118.exe | 31
PID 2372 wrote to memory of 2772 | 2372 | a77ca5793b0e5f4a28ea576cf988b5c8_JaffaCakes118.exe | 31
PID 2372 wrote to memory of 2772 | 2372 | a77ca5793b0e5f4a28ea576cf988b5c8_JaffaCakes118.exe | 31
PID 2772 wrote to memory of 2732 | 2772 | cmd.exe | 33
PID 2772 wrote to memory of 2732 | 2772 | cmd.exe | 33
PID 2772 wrote to memory of 2732 | 2772 | cmd.exe | 33
PID 2772 wrote to memory of 2732 | 2772 | cmd.exe | 33
PID 2732 wrote to memory of 3024 | 2732 | iexplore.exe | 34
PID 2732 wrote to memory of 3024 | 2732 | iexplore.exe | 34
PID 2732 wrote to memory of 3024 | 2732 | iexplore.exe | 34
PID 2732 wrote to memory of 3024 | 2732 | iexplore.exe | 34
PID 2372 wrote to memory of 2732 | 2372 | a77ca5793b0e5f4a28ea576cf988b5c8_JaffaCakes118.exe | 33
PID 2372 wrote to memory of 2732 | 2372 | a77ca5793b0e5f4a28ea576cf988b5c8_JaffaCakes118.exe | 33
PID 2372 wrote to memory of 1232 | 2372 | a77ca5793b0e5f4a28ea576cf988b5c8_JaffaCakes118.exe | 21
PID 2372 wrote to memory of 1232 | 2372 | a77ca5793b0e5f4a28ea576cf988b5c8_JaffaCakes118.exe | 21
PID 2372 wrote to memory of 1636 | 2372 | a77ca5793b0e5f4a28ea576cf988b5c8_JaffeCakes118.exe | 35
PID 2372 wrote to memory of 1636 | 2372 | a77ca5793b0e5f4a28ea576cf988b5c8_JaffaCakes118.exe | 35
PID 2372 wrote to memory of 1636 | 2372 | a77ca5793b0e5f4a28ea576cf988b5c8_JaffaCakes118.exe | 35
PID 2372 wrote to memory of 1636 | 2372 | a77ca5793b0e5f4a28ea576cf988b5c8_JaffaCakes118.exe | 35
PID 2372 wrote to memory of 1100 | 2372 | a77ca5793b0e5f4a28ea576cf988b5c8_JaffaCakes118.exe | 37
PID 2372 wrote to memory of 1100 | 2372 | a77ca5793b0e5f4a28ea576cf988b5c8_JaffaCakes118.exe | 37
PID 2372 wrote to memory of 1100 | 2372 | a77ca5793b0e5f4a28ea576cf988b5c8_JaffaCakes118.exe | 37
PID 2372 wrote to memory of 1100 | 2372 | a77ca5793b0e5f4a28ea576cf988b5c8_JaffaCakes118.exe | 37
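Every process creation in this tree, cmd.exe starting iexplore.exe and iexplore.exe starting its IEXPLORE.EXE tab process included, appears above as the same four writes into the new child, so that pattern is this sandbox's footprint of process creation rather than evidence of anything on its own. What does not fit the pattern are the two writes from the sample (2372) into iexplore.exe (2732), a process that cmd.exe created, not the sample, and the two writes into Explorer.EXE (1232), the sample's own parent. Neither has a process-creation explanation, and `cmd /c start iexplore -embedding` starts Internet Explorer as an out-of-process COM server with no visible window, a pattern commonly seen when malware wants a browser process to inject into. The block below is an added example and is not part of the tria.ge report: it rebuilds the creation tree from the Processes section, counts the WriteProcessMemory records per writer/target pair and classifies each target as child, descendant, ancestor or unrelated, treating anything but a direct child as an injection indicator. The tree and the write list are transcribed from this page; the relation names, the function names and the rule that only direct children are benign are my own assumptions.

```python
from collections import Counter

# Transcribed from the Processes section of this report: pid -> (image, parent pid).
# Explorer.EXE is the root the sandbox launched the sample from.
SAMPLE_TREE = {
    1232: ("Explorer.EXE", None),
    2372: ("a77ca5793b0e5f4a28ea576cf988b5c8_JaffaCakes118.exe", 1232),
    2772: ("cmd.exe", 2372),
    2732: ("iexplore.exe", 2772),
    3024: ("IEXPLORE.EXE", 2732),
    1636: ("cmd.exe", 2372),
    1100: ("WerFault.exe", 2372),
}

# The 24 "PID x wrote to memory of y" records above, as (writer, target) pairs
# in the order listed; repeats are kept because the count carries signal.
SAMPLE_WRITES = (
    [(2372, 2772)] * 4 + [(2772, 2732)] * 4 + [(2732, 3024)] * 4
    + [(2372, 2732)] * 2 + [(2372, 1232)] * 2
    + [(2372, 1636)] * 4 + [(2372, 1100)] * 4
)


def ancestors(tree, pid):
    """Parent chain of pid, nearest first; tolerates pids missing from the tree."""
    seen, parent = set(), tree.get(pid, (None, None))[1]
    while parent is not None and parent not in seen:
        yield parent
        seen.add(parent)
        parent = tree.get(parent, (None, None))[1]


def relation(tree, writer, target):
    """How the target process is related to the writer in the creation tree."""
    if tree.get(target, (None, None))[1] == writer:
        return "child"
    if writer in ancestors(tree, target):
        return "descendant"            # grandchild or deeper
    if target in ancestors(tree, writer):
        return "ancestor"
    return "unrelated"


def analyze_memory_writes(tree, writes):
    """Summarise WriteProcessMemory records per (writer, target) pair.

    A burst of writes into a process the writer has just created is the normal
    footprint of process creation in this report; a write into any other
    process has no such explanation and is marked as an injection indicator.
    """
    def image(pid):
        return tree.get(pid, ("<unknown>", None))[0]

    report = []
    for (writer, target), n in sorted(Counter(writes).items()):
        rel = relation(tree, writer, target)
        report.append({
            "writer": writer, "writer_image": image(writer),
            "target": target, "target_image": image(target),
            "count": n, "relation": rel,
            "suspicious": rel != "child",
        })
    return report


if __name__ == "__main__":
    for r in analyze_memory_writes(SAMPLE_TREE, SAMPLE_WRITES):
        flag = "INJECTION?" if r["suspicious"] else "ok"
        print(f"{r['writer']:>5} {r['writer_image'][:24]:<24} -> "
              f"{r['target']:>5} {r['target_image']:<14} x{r['count']} "
              f"{r['relation']:<10} {flag}")
```

On this report the seven pairs collapse to five benign child writes and two flagged ones, 2372 -> 2732 (descendant) and 2372 -> 1232 (ancestor). The same classification works on any telemetry that gives you process creation and cross-process write events, which is why the tree is passed in rather than hard-coded into the logic.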
Processes
(indentation shows parent/child; each entry gives image, PID, command line and the signatures it triggered)
C:\Windows\Explorer.EXE (PID 1232)
  command line: C:\Windows\Explorer.EXE
  C:\Users\Admin\AppData\Local\Temp\a77ca5793b0e5f4a28ea576cf988b5c8_JaffaCakes118.exe (PID 2372)
    command line: "C:\Users\Admin\AppData\Local\Temp\a77ca5793b0e5f4a28ea576cf988b5c8_JaffaCakes118.exe"
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (PID 2772)
      command line: cmd /c start iexplore -embedding
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Program Files\Internet Explorer\iexplore.exe (PID 2732)
        command line: "C:\Program Files\Internet Explorer\iexplore.exe" -embedding
        - Modifies Internet Explorer settings
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 3024)
          command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2732 CREDAT:275457 /prefetch:2
          - System Location Discovery: System Language Discovery
          - Modifies Internet Explorer settings
          - Suspicious use of SetWindowsHookEx
    C:\Windows\SysWOW64\cmd.exe (PID 1636)
      command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\samEDB9.bat"
      - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\WerFault.exe (PID 1100)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2372 -s 124
      - Program crash
Network
MITRE ATT&CK Enterprise v15
Downloads
-
The nine entries below are the same CryptnetUrlCache metadata file captured each time it was rewritten; CryptoAPI maintains that cache during certificate, CRL and OCSP retrieval, which Internet Explorer triggers on its own, so these are artefacts of iexplore.exe running, not files authored by the sample.
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: f18261fbdf81db08239c51ac970de777
SHA1: 5cb939d01bed3672c412bd6f2802921d485bbcb0
SHA256: ed3b67f5c0a80d61928969e7fcbecae95c3ede1b36721df37cf8d17889a2a3ea
SHA512: 160e6f18f1b4e34e992148ae64a71b40d948b1566bc4a98daafb9e31914ec6a0eceb3427b61dba8046cc220a03b6644ee7e54117a706215032a3198f9b5bff6f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: dbd7b56f31c2d1f0fe9fad7cc8b40da3
SHA1: 4cb2409d0524513f0ef21c79dbd468ac0dbbec8f
SHA256: 3b84091d2286b8cdf32f30a6ab0b634347b4964b46cf59d4d8a381eb3385efa7
SHA512: 007d09ddfa1ec4b92deeaeff69d624db006f667b936fdd976da0d289d4617e51f3f089c70722ca74567f66a628c9ca5495991f3bd9e094e37313f23e25074a90
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 6bf4e62db9fec1cbfd7eeed27f642fda
SHA1: 8005e059aea04e51f987df327ee1c4e6e5fa5f20
SHA256: d520562158d91e3de3d4b0fdddbfbaacc6b32dfdaf16765f3614ccd14ae97af3
SHA512: f928489ec40c71812de8f9a1809643fdb0f3588c6f2b96ec6b583fc258d99d2238c9e62d07ca1fe805b47032966d53a859844d95d359c8c3647d92d0f8d3ab62
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: ea54c7f53f0baf8ea1c2bc207901e0f6
SHA1: 31fc7f1a4e16da2f73ea9378a49eb3dcc285bff3
SHA256: 5a6ec8026422f1b5a94d3dd58b435dbd1d575cc5647869d2d4e00e0ead82c456
SHA512: 0b83bbaf72ed4fcb3140550e48c354a556acff88137f86396d23eddc2ec848ecfeb36c7d25c03b785962ccb2fbf9b9cb3f845d8fedfe82b6fc4ca84468692319
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 470224f0e5ec7a6db1f8b84c53893059
SHA1: 8ee0b84dad8845ba200808bcf2b7ea71f9c18414
SHA256: de574857c664c8849b99501c780974f78ea24aee491520aeb6b0f9f563b78684
SHA512: dd5c364baf92368a62ff40069294a8a0b5c34c0ee1a58229a832c951ab3f5400689a0146e4edee212f3709c3c4969e20ad718a8ff21554c94968a5f23be64489
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 884c293ae3df69eeff68342210ffbd36
SHA1: 5f4b5eba31633b7dd0c1566d8f6189d72ea65ec8
SHA256: a85ba3e0004a4ac480f96e0340b7201b2bc3a5b7875173df88ca4a6366cc49cd
SHA512: f6c3c571e46a8d2a6dd8ae33aa7377760bcfa00bfca424106535350799c69b5a44050e33898d0ddf21e4a1ce12231e0eee36f1b9c5f059b559398ab87b187174
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: a654cb48e048a3b007376121a336ad92
SHA1: 1b14142069dd4afa48a04d4676a1b7354b9ba681
SHA256: 3db2e2ab45f15a97fda01c36994f59627715a66975101ce38d57c266411ea99a
SHA512: 40ee416d7e9f28db3eeb9f7c8aeb02111613d8dd9cbca236d87019d8ebb54c66ed9e94123a3285a76cda1cc9a234fcfeca2987793eb6b7137f72ebb5806f32f7
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 6250461c7427ee33e82920959666908a
SHA1: 93dc6fd17c7e1596a0186f634e6bdf54d5c29da6
SHA256: 64e5adcc86e8ef7a0065c34e6528d58abaf60a885d551e3deabaa44021dd9020
SHA512: 4e94d12dae6d7f15c5d6a2ce67eb7fb0fb0d50b927f96ee18d455e01d178a0acaf5770ec5cd1040fd4568c7e3a10dbf532e0588fd018e72a4479e84b746a049d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: fbbcafa326850d3e5146fc621f52f14f
SHA1: 6eb2e6e38e772504666ee6c9d0112f5275aa95b3
SHA256: e4264f6a256c0be800d93af40793e1846ddef2d62b8bd8288197b2ace64895db
SHA512: 6d700643898c8c8b836af0a970925493d2a2a78a571531b895deace60a7be7fbcef9625400fdcfb988523391d4cc9ac0c5b74f0e355531e3288d5eddbf5b3f42
-
Filesize: 70KB
MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1: 1723be06719828dda65ad804298d0431f6aff976
SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize: 181KB
MD5: 4ea6026cf93ec6338144661bf1202cd1
SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize: 188B
MD5: 9ea94f51296269514773ae716967faa0
SHA1: d09a0d734089994f86b18c4936044c79b7e54801
SHA256: 831c6c96f14e2c193f76d21d6486e7dc7af6c4a1a871823b6083b7cf04eaebcb
SHA512: 9c9f6259a69090b97eadcfab41fc474e972b4511050cc12266942da4fb3be1b2de22c486c5c0807b51260c05b916b7a09056d24118c9f0525253959ee378d570
-
Filesize: 62KB
MD5: 879f3a89a30ec3b2eb0844fb4d9f3611
SHA1: 90c9f4da9bfd40d6556d32791692f5d45f193af6
SHA256: f002661e6690ee0d51d43e397d42a60b3259e4a5ca44c5d78db548c48d42b149
SHA512: 41f64b84f71cd1a024d69f21e5c28b305c3a76e30eb8897bd51f5c6cc0dd4d1768edfda754b84cecb1b6493ebbe5d7374362e915f77560fdc215257df0ef3001