Analysis
  max time kernel: 123s
  max time network: 122s
  platform: windows7_x64
  resource: win7-20240708-en
  resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  submitted: 19/08/2024, 00:05
Static task: static1

Behavioral task: behavioral1
  Sample: a8c6704ffbbbfc86a82657eabb2657f1_JaffaCakes118.exe
  Resource: win7-20240708-en

Behavioral task: behavioral2
  Sample: a8c6704ffbbbfc86a82657eabb2657f1_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
  Target: a8c6704ffbbbfc86a82657eabb2657f1_JaffaCakes118.exe
  Size: 172KB
  MD5: a8c6704ffbbbfc86a82657eabb2657f1
  SHA1: 89386e079f867db9bd97861ac0f2bba04af8af44
  SHA256: 535a08dcf78edf126c37f585741ba8d5e1badcd64c97632a2ac81f21390657b0
  SHA512: 9da593c746f0cb7513d721595009eab2b3e7ba515f723052680ae2caea1a9c0f3ffa8f027a8989bc693bd080d6880be3f84242d5cf55db3312b3dd2d965ba9ab
  SSDEEP: 3072:UtiKCNwoWu8e3n/rAR+30+xlhQnnEcDLGZ+ePIKeCF0dci0uK4d+F8+uwgim:IiKIwoW2s+hl6nnEcDpJe0d3OpF8+uq
Malware Config
Signatures

Deletes itself (1 IoC)
  pid 2772  cmd.exe

Executes dropped EXE (1 IoC)
  pid 332  csrss.exe

Unexpected DNS network traffic destination (4 IoCs)
  Network traffic on the DNS port to servers other than the configured DNS servers was detected.
  Destination IP 94.242.250.64  (reported 4 times)

Drops desktop.ini file(s) (2 IoCs)
  File created  \systemroot\assembly\GAC_64\Desktop.ini  csrss.exe
  File created  \systemroot\assembly\GAC_32\Desktop.ini  csrss.exe

Suspicious use of SetThreadContext (1 IoC)
  PID 2076 set thread context of 2772  pid 2076  a8c6704ffbbbfc86a82657eabb2657f1_JaffaCakes118.exe  procid_target 31

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  a8c6704ffbbbfc86a82657eabb2657f1_JaffaCakes118.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe

Suspicious behavior: EnumeratesProcesses (5 IoCs)
  pid 2076  a8c6704ffbbbfc86a82657eabb2657f1_JaffaCakes118.exe  (reported 4 times)
  pid 332   csrss.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege  pid 2076  a8c6704ffbbbfc86a82657eabb2657f1_JaffaCakes118.exe  (reported 2 times)

Suspicious use of FindShellTrayWindow (2 IoCs)
  pid 1188  Explorer.EXE  (reported 2 times)

Suspicious use of SendNotifyMessage (2 IoCs)
  pid 1188  Explorer.EXE  (reported 2 times)

Suspicious use of UnmapMainImage (1 IoC)
  pid 332  csrss.exe

Suspicious use of WriteProcessMemory (10 IoCs)
  PID 2076 wrote to memory of 1188  pid 2076  a8c6704ffbbbfc86a82657eabb2657f1_JaffaCakes118.exe  procid_target 21
  PID 2076 wrote to memory of 332   pid 2076  a8c6704ffbbbfc86a82657eabb2657f1_JaffaCakes118.exe  procid_target 2
  PID 332 wrote to memory of 2508   pid 332   csrss.exe  procid_target 30  (reported 2 times)
  PID 2076 wrote to memory of 2772  pid 2076  a8c6704ffbbbfc86a82657eabb2657f1_JaffaCakes118.exe  procid_target 31  (reported 5 times)
  PID 332 wrote to memory of 836    pid 332   csrss.exe  procid_target 13
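The three signatures that carry the most weight in this report, reduced to code that runs over structured sandbox events. This is an added example, not tria.ge's own signature implementation. The event records are constructed to mirror the IoCs above (the ten WriteProcessMemory pairs, the single SetThreadContext from PID 2076 into 2772, the two NLS\Language key opens and the four DNS-port flows to 94.242.250.64); the field names, the resolver address 10.127.0.1, the event order and the benign filler events are assumptions. The point it makes is that neither WriteProcessMemory nor SetThreadContext is a signal on its own (Explorer and csrss both show up as writers here), but the pair on the same target process is the hollowing / thread-hijack shape, which the report shows exactly once: the sample into its own cmd.exe child.

```python
"""Re-implementation of three signatures from this report over structured
sandbox events: WriteProcessMemory + SetThreadContext on one target
(process hollowing / thread hijack), NLS\\Language key opens (ATT&CK
T1614.001, System Language Discovery) and DNS-port traffic to hosts
other than the configured resolver.

Added example, not tria.ge's signature code. All records below are
constructed to mirror the report; field names, the resolver address and
the benign filler events are assumptions.
"""
import re
from collections import Counter

# Process names by PID, as listed in the report's process tree.
PROC = {
    2076: "a8c6704ffbbbfc86a82657eabb2657f1_JaffaCakes118.exe",
    2772: "cmd.exe", 332: "csrss.exe", 1188: "Explorer.EXE",
    2508: "WMIADAP.EXE", 836: "svchost.exe",
}

# Constructed API events: the ten "wrote to memory of" IoCs plus the one
# SetThreadContext IoC. The ordering is an assumption.
API_EVENTS = (
    [{"api": "WriteProcessMemory", "pid": 2076, "target": 1188}]
    + [{"api": "WriteProcessMemory", "pid": 2076, "target": 332}]
    + [{"api": "WriteProcessMemory", "pid": 332, "target": 2508}] * 2
    + [{"api": "WriteProcessMemory", "pid": 2076, "target": 2772}] * 5
    + [{"api": "SetThreadContext", "pid": 2076, "target": 2772}]
    + [{"api": "WriteProcessMemory", "pid": 332, "target": 836}]
)

# Constructed registry events: the two NLS\Language opens from the report
# plus one unrelated key as a negative case (assumption).
NLS_LANGUAGE = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"
REG_EVENTS = [
    {"pid": 2076, "op": "open", "key": NLS_LANGUAGE},
    {"pid": 2772, "op": "open", "key": NLS_LANGUAGE},
    {"pid": 2076, "op": "open",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"},
]

# Constructed flows as (dst_ip, dst_port). The resolver address is an
# assumption; the four port-53 flows to 94.242.250.64 are from the report.
CONFIGURED_DNS = {"10.127.0.1"}
DNS_FLOWS = ([("10.127.0.1", 53)] * 3
             + [("94.242.250.64", 53)] * 4
             + [("94.242.250.64", 80)])

NLS_KEY_RE = re.compile(r"\\Control\\NLS\\Language$", re.IGNORECASE)


def cross_process_writes(events):
    """Count WriteProcessMemory calls per (writer_pid, target_pid)."""
    return Counter((e["pid"], e["target"]) for e in events
                   if e["api"] == "WriteProcessMemory")


def hollowing_candidates(events):
    """(writer_pid, target_pid) pairs in which one process both wrote into
    another process and changed a thread context there. Either API alone
    is noisy; the pair on the same target is the hollowing shape."""
    apis = {}
    for e in events:
        apis.setdefault((e["pid"], e["target"]), set()).add(e["api"])
    return sorted(pair for pair, seen in apis.items()
                  if {"WriteProcessMemory", "SetThreadContext"} <= seen)


def language_discovery(reg_events):
    """PIDs that opened the NLS\\Language key (System Language Discovery)."""
    return sorted({e["pid"] for e in reg_events
                   if e["op"] == "open" and NLS_KEY_RE.search(e["key"])})


def unexpected_dns(flows, configured):
    """Port-53 destinations that are not a configured resolver, with counts.
    Traffic to the same host on other ports is deliberately not counted."""
    return Counter(dst for dst, port in flows
                   if port == 53 and dst not in configured)


def name(pid):
    return f"{pid} ({PROC.get(pid, '?')})"


if __name__ == "__main__":
    for (w, t), n in sorted(cross_process_writes(API_EVENTS).items()):
        print(f"WriteProcessMemory x{n}: {name(w)} -> {name(t)}")
    for w, t in hollowing_candidates(API_EVENTS):
        print(f"hollowing candidate: {name(w)} -> {name(t)}")
    print("language discovery by:", [name(p) for p in language_discovery(REG_EVENTS)])
    for dst, n in unexpected_dns(DNS_FLOWS, CONFIGURED_DNS).items():
        print(f"unexpected DNS destination: {dst} x{n}")
```

Run as a script it prints the write pairs, the single hollowing candidate (2076 into 2772), the two PIDs that read the language key and the off-resolver DNS destination with its count. On a real host the same three functions can be fed from ETW or Sysmon events (Sysmon event 8 and 10 for the cross-process APIs, 12 and 13 for registry, 22 or network flow logs for DNS); the field names in that case are yours to map, not the ones assumed here.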
Processes

C:\Windows\system32\csrss.exe  (PID 332)
  Command line: %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory

C:\Windows\system32\svchost.exe  (PID 836)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs

  C:\Windows\system32\wbem\WMIADAP.EXE  (PID 2508)
    Command line: wmiadap.exe /F /T /R

C:\Windows\Explorer.EXE  (PID 1188)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

  C:\Users\Admin\AppData\Local\Temp\a8c6704ffbbbfc86a82657eabb2657f1_JaffaCakes118.exe  (PID 2076)
    Command line: "C:\Users\Admin\AppData\Local\Temp\a8c6704ffbbbfc86a82657eabb2657f1_JaffaCakes118.exe"
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe  (PID 2772)
      Command line: "C:\Windows\system32\cmd.exe"
      - Deletes itself
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

  Filesize: 52KB
  MD5: e60558bda4e220f494f7ef757f0bd725
  SHA1: 9e1215bdad1a51123a4eb012f1f4e3103ac436ed
  SHA256: 86a744302786cb7afb20ccf54f8e157fc149906fca8af1bcc62bc56f8d807a98
  SHA512: e13e010a99d501a4c462377f144614945346e00b28e1a39936c329f6cdb8ddf24a9188bdb7bd5723925c77b940d6559fd876ad574a8dccac07cd1b1ea13e7576

  Filesize: 2KB
  MD5: 306a9f1281975a63bc29a9ff651f3106
  SHA1: 02aba93588f82fc44a6199c52928ced2b636279f
  SHA256: 6f69df0640304d8930a13b9007e67e261be0ae285dfea24e1dc269388bd1cee6
  SHA512: 104b076f219bbce64cc397a11d9eeccdb5e8a928fa897b00e10603bfeff5fff41f2337d8fb5cbe7c459407b4bbba19e03b3b0ac3b32c4909ff3e27cf56abd5b1