Analysis
- max time kernel: 25s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 18/08/2024, 17:57
Static task: static1
Behavioral task: behavioral1
- Sample: a7a4c1133f7187188998358c0605b6e9_JaffaCakes118.exe
- Resource: win7-20240708-en
General
- Target: a7a4c1133f7187188998358c0605b6e9_JaffaCakes118.exe
- Size: 160KB
- MD5: a7a4c1133f7187188998358c0605b6e9
- SHA1: 05ff07e6c973d9ec58878f75214ee8524a368536
- SHA256: 5cf52b1715e4dcaa4c318b81782c4aecea23194bef94ffd52fa5b2cfc3856de2
- SHA512: b15fc5a21f1aaff689369d1f596136531badb38561e11da35dbaf96dabd07a64eabd40aa49388df52b430782a777d4d0127ac45d80cd53a987a05d627b605066
- SSDEEP: 3072:WGCdrsmpcReL9T7b4w152d2kylpqw5K6I79kjt:WblsmxLuw1Ad2pgw5Kf9kp
Malware Config
Extracted
- Family: sality
- URLs:
  - http://89.119.67.154/testo5/
  - http://kukutrustnet777.info/home.gif
  - http://kukutrustnet888.info/home.gif
  - http://kukutrustnet987.info/home.gif
  - http://www.klkjwre9fqwieluoi.info/
  - http://kukutrustnet777888.info/
Signatures

Modifies firewall policy service 3 TTPs 6 IoCs
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | a7a4c1133f7187188998358c0605b6e9_JaffaCakes118.exe
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | a7a4c1133f7187188998358c0605b6e9_JaffaCakes118.exe
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | a7a4c1133f7187188998358c0605b6e9_JaffaCakes118.exe
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | tiofii.exe
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | tiofii.exe
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | tiofii.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
- Set value (int) | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | tiofii.exe
UAC bypass 2 IoCs
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | a7a4c1133f7187188998358c0605b6e9_JaffaCakes118.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | tiofii.exe
Windows security bypass 12 IoCs
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | a7a4c1133f7187188998358c0605b6e9_JaffaCakes118.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | a7a4c1133f7187188998358c0605b6e9_JaffaCakes118.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | a7a4c1133f7187188998358c0605b6e9_JaffaCakes118.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | a7a4c1133f7187188998358c0605b6e9_JaffaCakes118.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | tiofii.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | tiofii.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | a7a4c1133f7187188998358c0605b6e9_JaffaCakes118.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | a7a4c1133f7187188998358c0605b6e9_JaffaCakes118.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | tiofii.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | tiofii.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | tiofii.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | tiofii.exe
Deletes itself 1 IoCs
pid | Process
- 2772 | tiofii.exe

Executes dropped EXE 1 IoCs
pid | Process
- 2772 | tiofii.exe

Loads dropped DLL 2 IoCs
pid | Process
- 2448 | a7a4c1133f7187188998358c0605b6e9_JaffaCakes118.exe
- 2448 | a7a4c1133f7187188998358c0605b6e9_JaffaCakes118.exe

Yara rule match: upx 25 IoCs
resource | yara_rule
- behavioral1/memory/2448-N-0x0000000002790000-0x000000000381E000-memory.dmp, for N in 3, 4, 6, 8, 9, 10, 23, 24, 25, 43, 44, 45 (12 dumps of the same region of PID 2448) | upx
- behavioral1/memory/2772-N-0x0000000003A90000-0x0000000004B1E000-memory.dmp, for N in 64, 65, 66, 67, 68, 69, 70, 71, 72, 88, 89, 90, 107 (13 dumps of the same region of PID 2772) | upx
Windows security modification 14 IoCs
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | a7a4c1133f7187188998358c0605b6e9_JaffaCakes118.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | tiofii.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | tiofii.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | tiofii.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | tiofii.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | a7a4c1133f7187188998358c0605b6e9_JaffaCakes118.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | a7a4c1133f7187188998358c0605b6e9_JaffaCakes118.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | a7a4c1133f7187188998358c0605b6e9_JaffaCakes118.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | a7a4c1133f7187188998358c0605b6e9_JaffaCakes118.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | a7a4c1133f7187188998358c0605b6e9_JaffaCakes118.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | tiofii.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | a7a4c1133f7187188998358c0605b6e9_JaffaCakes118.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | tiofii.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | tiofii.exe
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
- Set value (str) | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiofii = "C:\\Users\\Admin\\tiofii.exe" | tiofii.exe

Checks whether UAC is enabled 2 IoCs
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | a7a4c1133f7187188998358c0605b6e9_JaffaCakes118.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | tiofii.exe
Enumerates connected drives 3 TTPs 4 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
- File opened (read-only) | \??\G: | tiofii.exe
- File opened (read-only) | \??\H: | tiofii.exe
- File opened (read-only) | \??\I: | tiofii.exe
- File opened (read-only) | \??\E: | tiofii.exe

Drops file in Windows directory 1 IoCs
description | ioc | Process
- File opened for modification | C:\Windows\SYSTEM.INI | a7a4c1133f7187188998358c0605b6e9_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a7a4c1133f7187188998358c0605b6e9_JaffaCakes118.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tiofii.exe
Suspicious behavior: EnumeratesProcesses 18 IoCs
pid | Process
- 2448 | a7a4c1133f7187188998358c0605b6e9_JaffaCakes118.exe
- 2772 | tiofii.exe (17 identical entries)
Suspicious use of AdjustPrivilegeToken 45 IoCs
description | pid | Process
- Token: SeDebugPrivilege | 2448 | a7a4c1133f7187188998358c0605b6e9_JaffaCakes118.exe (22 identical entries)
- Token: SeDebugPrivilege | 2772 | tiofii.exe (23 identical entries)
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
- 2448 | a7a4c1133f7187188998358c0605b6e9_JaffaCakes118.exe
- 2772 | tiofii.exe
Suspicious use of WriteProcessMemory 16 IoCs
description | pid | Process | procid_target
- PID 2448 wrote to memory of 1104 | 2448 | a7a4c1133f7187188998358c0605b6e9_JaffaCakes118.exe | 19
- PID 2448 wrote to memory of 1156 | 2448 | a7a4c1133f7187188998358c0605b6e9_JaffaCakes118.exe | 20
- PID 2448 wrote to memory of 1192 | 2448 | a7a4c1133f7187188998358c0605b6e9_JaffaCakes118.exe | 21
- PID 2448 wrote to memory of 1288 | 2448 | a7a4c1133f7187188998358c0605b6e9_JaffaCakes118.exe | 23
- PID 2448 wrote to memory of 2772 | 2448 | a7a4c1133f7187188998358c0605b6e9_JaffaCakes118.exe | 30 (4 identical entries)
- PID 2772 wrote to memory of 1104 | 2772 | tiofii.exe | 19
- PID 2772 wrote to memory of 1156 | 2772 | tiofii.exe | 20
- PID 2772 wrote to memory of 1192 | 2772 | tiofii.exe | 21
- PID 2772 wrote to memory of 1288 | 2772 | tiofii.exe | 23
- PID 2772 wrote to memory of 1104 | 2772 | tiofii.exe | 19
- PID 2772 wrote to memory of 1156 | 2772 | tiofii.exe | 20
- PID 2772 wrote to memory of 1192 | 2772 | tiofii.exe | 21
- PID 2772 wrote to memory of 1288 | 2772 | tiofii.exe | 23
System policy modification 1 TTPs 2 IoCs
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | a7a4c1133f7187188998358c0605b6e9_JaffaCakes118.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | tiofii.exe
Processes
- C:\Windows\system32\taskhost.exe (command line: "taskhost.exe") PID: 1104
- C:\Windows\system32\Dwm.exe (command line: "C:\Windows\system32\Dwm.exe") PID: 1156
- C:\Windows\Explorer.EXE (command line: C:\Windows\Explorer.EXE) PID: 1192
  - C:\Users\Admin\AppData\Local\Temp\a7a4c1133f7187188998358c0605b6e9_JaffaCakes118.exe (command line: "C:\Users\Admin\AppData\Local\Temp\a7a4c1133f7187188998358c0605b6e9_JaffaCakes118.exe") PID: 2448
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Loads dropped DLL
    - Windows security modification
    - Checks whether UAC is enabled
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    - C:\Users\Admin\tiofii.exe (command line: "C:\Users\Admin\tiofii.exe") PID: 2772
      - Modifies firewall policy service
      - Modifies visibility of hidden/system files in Explorer
      - UAC bypass
      - Windows security bypass
      - Deletes itself
      - Executes dropped EXE
      - Windows security modification
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Enumerates connected drives
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - System policy modification
- C:\Windows\system32\DllHost.exe (command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}) PID: 1288
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Hide Artifacts (1)
  - Hidden Files and Directories (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (7)
Downloads
- Filesize: 257B
  MD5: 698988e198c8491e705892a1679b063a
  SHA1: 8942b0b79e4ab4996dcf52eb1a56cbeb2968491c
  SHA256: 026fcf4bc9b8368029a7367bacbb9874153fbec56b96881d3f3a74821bb88270
  SHA512: c1b079340b019eb5634d80b988c7f407976f8da1229af8bd63da06b1201e7924de2c70b7adc00f6b7bd6441f60bb71e60ab705e27c94b94a89b3b1e6081f639e
- Filesize: 100KB
  MD5: 455d963402fad0d69217f80796042e8d
  SHA1: 6550a661e3b75e7609499ba7d9b4798e33548ee8
  SHA256: e3abb9645409c763cc5c59a812cbcee5b854e7abd388c7f8bbc09ca37b97eb38
  SHA512: 4fbfe70f782fc6208db37251aeb13fb80282b09a0e67dbb3d2dde950b78816065e0068523b18db9a3eeeee13458b13db62f8e616477d16b89fd1d5f8b00ebd93
- Filesize: 160KB
  MD5: 7d9c414a32f6ee3f565951e2bf53ee6c
  SHA1: 145f315dde20d67cf17d6eb0767dd0ad0afbf1bf
  SHA256: 3b2a336f7deffc4be5fe47cf5bd3e5bdc697d7ee342a5654e6b63c21418ce3f0
  SHA512: 87a60bbf6a1f8e4bce2e405d98f1a4b691aba988dcc4c91a030871facdd344a3db772d56c94265cf32165e8d344d7e00f044bf166878c9729c8e422807f1a3fa