Analysis
- max time kernel: 17s
- max time network: 19s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 18/08/2024, 20:15
Behavioral task: behavioral1
- Sample: a80fefe0a026b09968d22ad3e02ca53b_JaffaCakes118.exe
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: a80fefe0a026b09968d22ad3e02ca53b_JaffaCakes118.exe
- Resource: win10v2004-20240802-en
General
- Target: a80fefe0a026b09968d22ad3e02ca53b_JaffaCakes118.exe
- Size: 94KB
- MD5: a80fefe0a026b09968d22ad3e02ca53b
- SHA1: 17ff5d229c3dbbddd3147d88fe04910c60639c0f
- SHA256: addca3a852924a6d2cfeb14f042faf5d1bc7aeba5375a4b0340374f9dcbda091
- SHA512: 2ead8cb15b21b6cabd0f1e4ec6f84d77c0e1105ef380ae07167c294c27b9f93eaab5ca47870a395107bed345dfab9ec0df08779c441ef05a015bcb989d3ccf86
- SSDEEP: 1536:dRpRD012UzhSqfioFDOkQJWX1wimsRcuVy4m+zLP11y0JRxybzYVX:dPRD015h1ao1OkFFRqozLP1xRxy3Y9
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 2 IoCs)
description | ioc | Process
Key created | \Registry\Machine\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | a80fefe0a026b09968d22ad3e02ca53b_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SwUpdate = "{003541A1-3BC0-1B1C-AAF3-040114001C01}" | a80fefe0a026b09968d22ad3e02ca53b_JaffaCakes118.exe
Event Triggered Execution: AppInit DLLs (1 TTPs)
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
Modifies Windows Firewall (2 TTPs, 1 IoCs)
pid | Process
2820 | netsh.exe
Loads dropped DLL (1 IoCs)
pid | Process
2820 | netsh.exe
resource | yara_rule
behavioral1/memory/2968-0-0x0000000000400000-0x000000000044E000-memory.dmp | upx
behavioral1/memory/2196-7-0x0000000000400000-0x0000000000433000-memory.dmp | upx
behavioral1/memory/2968-10-0x0000000000400000-0x000000000044E000-memory.dmp | upx
behavioral1/memory/2196-8-0x0000000000400000-0x0000000000433000-memory.dmp | upx
behavioral1/memory/2196-6-0x0000000000400000-0x0000000000433000-memory.dmp | upx
behavioral1/memory/2196-5-0x0000000000400000-0x0000000000433000-memory.dmp | upx
behavioral1/memory/2196-3-0x0000000000400000-0x0000000000433000-memory.dmp | upx
behavioral1/memory/2196-11-0x0000000000400000-0x0000000000433000-memory.dmp | upx
behavioral1/memory/2196-12-0x0000000000400000-0x0000000000433000-memory.dmp | upx
behavioral1/memory/2196-13-0x0000000000400000-0x0000000000433000-memory.dmp | upx
behavioral1/memory/2196-15-0x0000000000400000-0x0000000000433000-memory.dmp | upx
behavioral1/memory/2196-28-0x0000000000400000-0x0000000000433000-memory.dmp | upx
behavioral1/memory/2196-50-0x0000000000400000-0x0000000000433000-memory.dmp | upx
behavioral1/memory/2196-48-0x0000000000400000-0x0000000000433000-memory.dmp | upx
behavioral1/memory/2196-46-0x0000000000400000-0x0000000000433000-memory.dmp | upx
behavioral1/memory/2196-44-0x0000000000400000-0x0000000000433000-memory.dmp | upx
behavioral1/memory/2196-42-0x0000000000400000-0x0000000000433000-memory.dmp | upx
behavioral1/memory/2196-40-0x0000000000400000-0x0000000000433000-memory.dmp | upx
behavioral1/memory/2196-38-0x0000000000400000-0x0000000000433000-memory.dmp | upx
behavioral1/memory/2196-36-0x0000000000400000-0x0000000000433000-memory.dmp | upx
behavioral1/memory/2196-34-0x0000000000400000-0x0000000000433000-memory.dmp | upx
behavioral1/memory/2196-32-0x0000000000400000-0x0000000000433000-memory.dmp | upx
behavioral1/memory/2196-31-0x0000000000400000-0x0000000000433000-memory.dmp | upx
behavioral1/memory/2196-30-0x0000000000400000-0x0000000000433000-memory.dmp | upx
behavioral1/memory/2196-26-0x0000000000400000-0x0000000000433000-memory.dmp | upx
behavioral1/memory/2196-24-0x0000000000400000-0x0000000000433000-memory.dmp | upx
behavioral1/memory/2196-53-0x0000000000400000-0x0000000000433000-memory.dmp | upx
behavioral1/memory/2196-22-0x0000000000400000-0x0000000000433000-memory.dmp | upx
behavioral1/memory/2196-20-0x0000000000400000-0x0000000000433000-memory.dmp | upx
behavioral1/memory/2196-18-0x0000000000400000-0x0000000000433000-memory.dmp | upx
behavioral1/memory/2196-16-0x0000000000400000-0x0000000000433000-memory.dmp | upx
behavioral1/memory/2196-60-0x0000000000400000-0x0000000000433000-memory.dmp | upx
Suspicious use of SetThreadContext (1 IoCs)
description | pid | Process | procid_target
PID 2968 set thread context of 2196 | 2968 | a80fefe0a026b09968d22ad3e02ca53b_JaffaCakes118.exe | 29
Drops file in Program Files directory (1 IoCs)
description | ioc | Process
File opened for modification | C:\PROGRA~3\AppData\Local\Temp\MACROM~1\SWFUPD~1\LocalsSettings.dtd | netsh.exe
Event Triggered Execution: Netsh Helper DLL (1 TTPs, 3 IoCs)
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a80fefe0a026b09968d22ad3e02ca53b_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a80fefe0a026b09968d22ad3e02ca53b_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | netsh.exe
Modifies registry class (5 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{003541A1-3BC0-1B1C-AAF3-040114001C01}\ = "SwUpdate" | a80fefe0a026b09968d22ad3e02ca53b_JaffaCakes118.exe
Key created | \Registry\Machine\SOFTWARE\Classes\Wow6432Node\CLSID\{003541A1-3BC0-1B1C-AAF3-040114001C01}\InProcServer32 | a80fefe0a026b09968d22ad3e02ca53b_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{003541A1-3BC0-1B1C-AAF3-040114001C01}\InProcServer32\ = "C:\\ProgramData\\AppData\\Local\\Temp\\Macromedia\\swfupdate\\swfupdate.dll" | a80fefe0a026b09968d22ad3e02ca53b_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{003541A1-3BC0-1B1C-AAF3-040114001C01}\InProcServer32\ThreadingModel = "Apartment" | a80fefe0a026b09968d22ad3e02ca53b_JaffaCakes118.exe
Key created | \Registry\Machine\SOFTWARE\Classes\Wow6432Node\CLSID\{003541A1-3BC0-1B1C-AAF3-040114001C01} | a80fefe0a026b09968d22ad3e02ca53b_JaffaCakes118.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
2196 | a80fefe0a026b09968d22ad3e02ca53b_JaffaCakes118.exe
2196 | a80fefe0a026b09968d22ad3e02ca53b_JaffaCakes118.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2196 | a80fefe0a026b09968d22ad3e02ca53b_JaffaCakes118.exe
Suspicious use of SetWindowsHookEx (1 IoCs)
pid | Process
2968 | a80fefe0a026b09968d22ad3e02ca53b_JaffaCakes118.exe
Suspicious use of WriteProcessMemory (13 IoCs)
description | pid | Process | procid_target
PID 2968 wrote to memory of 2196 | 2968 | a80fefe0a026b09968d22ad3e02ca53b_JaffaCakes118.exe | 29
PID 2968 wrote to memory of 2196 | 2968 | a80fefe0a026b09968d22ad3e02ca53b_JaffaCakes118.exe | 29
PID 2968 wrote to memory of 2196 | 2968 | a80fefe0a026b09968d22ad3e02ca53b_JaffaCakes118.exe | 29
PID 2968 wrote to memory of 2196 | 2968 | a80fefe0a026b09968d22ad3e02ca53b_JaffaCakes118.exe | 29
PID 2968 wrote to memory of 2196 | 2968 | a80fefe0a026b09968d22ad3e02ca53b_JaffaCakes118.exe | 29
PID 2968 wrote to memory of 2196 | 2968 | a80fefe0a026b09968d22ad3e02ca53b_JaffaCakes118.exe | 29
PID 2968 wrote to memory of 2196 | 2968 | a80fefe0a026b09968d22ad3e02ca53b_JaffaCakes118.exe | 29
PID 2968 wrote to memory of 2196 | 2968 | a80fefe0a026b09968d22ad3e02ca53b_JaffaCakes118.exe | 29
PID 2968 wrote to memory of 2196 | 2968 | a80fefe0a026b09968d22ad3e02ca53b_JaffaCakes118.exe | 29
PID 2196 wrote to memory of 2820 | 2196 | a80fefe0a026b09968d22ad3e02ca53b_JaffaCakes118.exe | 30
PID 2196 wrote to memory of 2820 | 2196 | a80fefe0a026b09968d22ad3e02ca53b_JaffaCakes118.exe | 30
PID 2196 wrote to memory of 2820 | 2196 | a80fefe0a026b09968d22ad3e02ca53b_JaffaCakes118.exe | 30
PID 2196 wrote to memory of 2820 | 2196 | a80fefe0a026b09968d22ad3e02ca53b_JaffaCakes118.exe | 30
Processes
- C:\Users\Admin\AppData\Local\Temp\a80fefe0a026b09968d22ad3e02ca53b_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a80fefe0a026b09968d22ad3e02ca53b_JaffaCakes118.exe"
  PID: 2968
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\a80fefe0a026b09968d22ad3e02ca53b_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\a80fefe0a026b09968d22ad3e02ca53b_JaffaCakes118.exe"
    PID: 2196
    - Adds autorun key to be loaded by Explorer.exe on startup
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe
      Command line: netsh.exe firewall add allowedprogram program = "C:\Users\Admin\AppData\Local\Temp\a80fefe0a026b09968d22ad3e02ca53b_JaffaCakes118.exe" name = "Application Layer Gateway Service" mode = ENABLE scope = ALL profile = ALL
      PID: 2820
      - Modifies Windows Firewall
      - Loads dropped DLL
      - Drops file in Program Files directory
      - Event Triggered Execution: Netsh Helper DLL
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (2)
  - AppInit DLLs (1)
  - Netsh Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (2)
  - AppInit DLLs (1)
  - Netsh Helper DLL (1)
Downloads
- Filesize: 73KB
  MD5: 59546ca0bc6cf1cad3417c2d2da6c48e
  SHA1: bfa26c819d0929ff37c02043439de773f728f68b
  SHA256: 9c7b297935f57060e8aeae53867108441a9c032152117cdc07fcda48a720ef42
  SHA512: 5dfee63be2c639c389f0e1462f445c161d12f27a1bc32e108d0bf231a315c104fb9d8f122a83a962fd6904c5e12bd6d334608252512c7ec4eac64ada21a97970
- Filesize: 20B
  MD5: a089de022fc98ce246d66d76fdc567f7
  SHA1: 9210ec267822a434592564b0b9a0ea1b9e3a74f4
  SHA256: d76f371bb66d5caca6841573c211a35e2d7aaab4964245586893f1ad19308e25
  SHA512: 8a78c54e2163992c4de05e1c1b05caf92cb4f68c23a59900b80cc824e25976f06881990cd8c49618a0bca7f0f41d902ab30bf14a79b298d6b93f7569d9638e2a