Analysis
- max time kernel: 150s
- max time network: 137s
- platform: windows7_x64
- resource: win7-20240705-en
- resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
- submitted: 19/08/2024, 09:09
Static task
- static1

Behavioral task
- behavioral1
  Sample: aa68952b72f66fef836f5286488ec713_JaffaCakes118.exe
  Resource: win7-20240705-en

Behavioral task
- behavioral2
  Sample: aa68952b72f66fef836f5286488ec713_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
- Target: aa68952b72f66fef836f5286488ec713_JaffaCakes118.exe
- Size: 290KB
- MD5: aa68952b72f66fef836f5286488ec713
- SHA1: 390bc5736ba9672dba40cea2058fca2a5176ef4d
- SHA256: a4c9dcf0f9c2e56477f23f1fe9737b21c65fa3058922babfe6a86f1aca65d92b
- SHA512: 4bdf26b31cde68a521f4a3e54724e6b9413bd08c3ee6deae10c50c67cab5488ae444c6cf1f4afe737f45fe49330932559f983e46ceb0569423825a2bc74ad606
- SSDEEP: 6144:6XvlvdqWLqOKD/B5RyaynzgvGq6JhW7zQgtm0DTlg1:6Xv/zLe/B5YzFHctmt
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid  Process
  2848 cmd.exe
- Executes dropped EXE (1 IoC)
  pid  Process
  2152 zydi.exe
- Loads dropped DLL (2 IoCs)
  pid  Process
  2164 aa68952b72f66fef836f5286488ec713_JaffaCakes118.exe
  2164 aa68952b72f66fef836f5286488ec713_JaffaCakes118.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description      ioc                                                                                                                                                       Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\{1B0C4E28-6E66-AD4F-AB1D-A71BBF328406} = "C:\\Users\\Admin\\AppData\\Roaming\\Yhgozu\\zydi.exe"  zydi.exe
- Suspicious use of SetThreadContext (1 IoC)
  description                           pid   Process                                                 procid_target
  PID 2164 set thread context of 2848   2164  aa68952b72f66fef836f5286488ec713_JaffaCakes118.exe      32
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  aa68952b72f66fef836f5286488ec713_JaffaCakes118.exe
- Modifies Internet Explorer settings
  description      ioc                                                                                                                        Process
  Key created      \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Privacy                   aa68952b72f66fef836f5286488ec713_JaffaCakes118.exe
  Set value (int)  \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"  aa68952b72f66fef836f5286488ec713_JaffaCakes118.exe
- Suspicious behavior: EnumeratesProcesses (31 IoCs)
  pid  Process
  2152 zydi.exe (31 identical entries)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description                  pid   Process
  Token: SeSecurityPrivilege   2164  aa68952b72f66fef836f5286488ec713_JaffaCakes118.exe
  Token: SeSecurityPrivilege   2164  aa68952b72f66fef836f5286488ec713_JaffaCakes118.exe
  Token: SeSecurityPrivilege   2164  aa68952b72f66fef836f5286488ec713_JaffaCakes118.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  pid  Process
  2164 aa68952b72f66fef836f5286488ec713_JaffaCakes118.exe
  2152 zydi.exe
- Suspicious use of WriteProcessMemory (38 IoCs)
  description                          pid   Process                                                 procid_target
  PID 2164 wrote to memory of 2152     2164  aa68952b72f66fef836f5286488ec713_JaffaCakes118.exe      31   (4 identical entries)
  PID 2152 wrote to memory of 1120     2152  zydi.exe                                                19   (5 identical entries)
  PID 2152 wrote to memory of 1204     2152  zydi.exe                                                20   (5 identical entries)
  PID 2152 wrote to memory of 1256     2152  zydi.exe                                                21   (5 identical entries)
  PID 2152 wrote to memory of 1372     2152  zydi.exe                                                23   (5 identical entries)
  PID 2152 wrote to memory of 2164     2152  zydi.exe                                                30   (5 identical entries)
  PID 2164 wrote to memory of 2848     2164  aa68952b72f66fef836f5286488ec713_JaffaCakes118.exe      32   (9 identical entries)
Processes
- C:\Windows\system32\taskhost.exe
  command line: "taskhost.exe"
  depth: 1, PID: 1120
- C:\Windows\system32\Dwm.exe
  command line: "C:\Windows\system32\Dwm.exe"
  depth: 1, PID: 1204
- C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  depth: 1, PID: 1256
  - C:\Users\Admin\AppData\Local\Temp\aa68952b72f66fef836f5286488ec713_JaffaCakes118.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\aa68952b72f66fef836f5286488ec713_JaffaCakes118.exe"
    depth: 2, PID: 2164
    signatures:
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\Yhgozu\zydi.exe
      command line: "C:\Users\Admin\AppData\Roaming\Yhgozu\zydi.exe"
      depth: 3, PID: 2152
      signatures:
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of UnmapMainImage
      - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp1a45140b.bat"
      depth: 3, PID: 2848
      signatures:
      - Deletes itself
      - System Location Discovery: System Language Discovery
- C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  depth: 1, PID: 1372
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 271B
  MD5: ab4dca07cf20a73edff588e74596834c
  SHA1: c14cda3453e9c5b2ff908e0800bf1e4584379dde
  SHA256: ace16f34d911626145bc94df0099067d6b8d7d9f7583f3a3794ff9f7bc7801a1
  SHA512: eafa9836fad9514414e1b14f54e0c67051c14f8131d2908ad951a4de43155dcdea9f9d2b713e41abc400038888b4de5f6597195645ca6234fe551999c7055529
- Filesize: 380B
  MD5: d377358f476e2f2a78bf392cf46ee47f
  SHA1: 942ed11a4850b511b6847a2b1a99ad0325e7e419
  SHA256: 9b5f46a12d61b91c8c1c7b3a0ea912d0f2b77844bbb30edf00a9b62bca143557
  SHA512: 1f18459546e036413de03914b2ab56087f836a4035674a4beb8d23b416bfba0aeb1da378d65f1b48d90801b99544073991c7cf530c465b943c55052a59428e37
- Filesize: 290KB
  MD5: 6232d4b0595fe2fb67309ca40ff36a65
  SHA1: 632a8f7e055bb37a78f5404abd7b8920b466bfce
  SHA256: acf531789fb46de0b5164834ae4dd49060ad412846876a20791f18e099cffed5
  SHA512: 46ea3dc2bcc40c8069f5c11b057a3e94d2637a7f115c4b321b4929a2a5704d984dd9a8f2b0a65acbd5e0bd40d864c528f17ab064430ac74517aa6f593f7613c8